Security Policy

The Netatalk Project takes cyber security very seriously. We commit to
follow up on and resolve potential security flaws in our code as quickly
as we can. The reporter of an accepted and patched vulnerability will be
given credit in the advisory published by this project.

Supported Versions

Project policy is to support a release series with security patches up
to 12 months after a superseding stable release.

We actively support up to the two latest minor feature release versions
in a major release series. For instance, if 4.0 and 4.1 are supported,
and we release 4.2, then security patch support for 4.0 is halted.

Reporting a Vulnerability

If you think you have found an exploitable security vulnerability in
Netatalk, the Netatalk Team would be eager to hear from you!

The best way to get in touch with us is by filing a report via the
private security vulnerability reporting workflow in GitHub. This allows
us to collaborate in private and avoid putting end-users at potential
risk in the meantime.

In order for us to take effective action on your report, please include
as much context as possible:

- An unambiguous link to the affected source code, including the
  specific line and Git commit hash
- Configurations or input data required to reproduce the issue
- Concrete steps to reproduce the issue
- Ideally, proof-of-concept code that demonstrates the exploit
- A summary of the issue's potental impact

Response

If we are able to reproduce and subsequently patch the vulnerability, we
will publish an advisory below where you are credited as finder and
reporter. If you also contribute a patch, you will be credited as patch
developer.

Please be mindful that Netatalk is a volunteer driven project. We do
this on our free time, so response times may vary. That said, we will
try to take action on your report as soon as possible!

Security Advisories

  CVE ID           Subject                                                               Disclosure Date   Affected Versions                      Severity
  ---------------- --------------------------------------------------------------------- ----------------- -------------------------------------- ----------
  CVE-2026-62321   Heap buffer overflow in Spotlight reply marshalling                   2026/07/15        3.1.0 - 4.5.0                          High
  CVE-2026-62320   Pre-authentication DSI frame smuggling                                2026/07/15        1.5.0 - 4.5.0                          Medium
  CVE-2026-62319   DSIWrite frame desynchronization                                      2026/07/15        1.5.0 - 4.5.0                          Medium
  CVE-2026-62318   Use-after-free in DHX2 login continuation                             2026/07/15        2.0.0 - 4.5.0                          High
  CVE-2026-49390   Missing range validation for server quantum                           2026/05/30        3.0.0 - 4.4.3                          Low
  CVE-2026-49389   Heap over-read in CatSearch search-spec parsing                       2026/05/30        2.0.0 - 4.4.3                          Low
  CVE-2026-49388   Heap out-of-bounds read in Spotlight RPC TOC index                    2026/05/30        3.1.0 - 4.4.3                          High
  CVE-2026-49387   Heap out-of-bounds reads in Spotlight RPC element counts              2026/05/30        3.1.0 - 4.4.3                          High
  CVE-2026-45699   Stack-based buffer overflow in copydir()                              2026/05/13        3.2.0 - 4.4.2                          High
  CVE-2026-45698   Stack-based buffer overflow in deletedir()                            2026/05/13        3.2.0 - 4.4.2                          High
  CVE-2026-45356   Integer underflow in Spotlight RPC count decrement                    2026/05/13        3.1.0 - 4.4.2                          High
  CVE-2026-45355   Integer underflow to heap OOB read                                    2026/05/13        3.1.0 - 4.4.2                          High
  CVE-2026-45354   Pre-authentication DSI protocol desync                                2026/05/13        1.5.0 - 4.4.2                          High
  CVE-2026-44076   Shell injection via volume path                                       2026/05/13        3.1.0 - 4.4.2                          Medium
  CVE-2026-44075   Missing break in DSI OpenSession                                      2026/05/13        1.5.0 - 4.4.3                          None
  CVE-2026-44074   Bitwise OR of errno values                                            2026/05/13        2.1.0 - 4.4.3                          None
  CVE-2026-44073   seteuid failure ignored in auth modules                               2026/05/13        1.5.0 - 4.4.3                          Medium
  CVE-2026-44072   system() after failed chdir()                                         2026/05/13        2.2.1 - 4.4.3                          Low
  CVE-2026-44071   FORTIFY_SOURCE disabled                                               2026/05/13        3.1.2 - 4.4.3                          None
  CVE-2026-44070   Unbounded realloc in charset conversion                               2026/05/13        2.0.0 - 4.4.3                          Low
  CVE-2026-44069   Integer underflow in volxlate                                         2026/05/13        3.0.0 - 4.4.3                          Low
  CVE-2026-44068   EA path traversal via incomplete sanitization                         2026/05/13        2.1.0 - 4.4.2                          High
  CVE-2026-44067   EA header parsing heap over-read                                      2026/05/13        2.1.0 - 4.4.3                          Low
  CVE-2026-44066   Heap out-of-bounds reads in Spotlight RPC unmarshalling               2026/05/13        3.0.0 - 4.4.2                          High
  CVE-2026-44065   Off-by-two in papd lp_write()                                         2026/05/13        2.0.0 - 4.4.3                          Low
  CVE-2026-44064   ASP session ID out-of-bounds access                                   2026/05/13        1.3 - 4.4.2                            High
  CVE-2026-44063   LDAP filter injection                                                 2026/05/13        2.1.0 - 4.4.3                          Medium
  CVE-2026-44062   Missing o_len bounds check in pull_charset_flags()                    2026/05/13        2.0.4 - 4.4.2                          High
  CVE-2026-44061   DES-ECB auth with timing side channel                                 2026/05/13        1.5.0 - 4.4.3                          Medium
  CVE-2026-44060   Integer underflow in dsi_writeinit() leads to denial of service       2026/05/13        1.5.0 - 4.4.2                          High
  CVE-2026-44059   Non-reentrant privilege toggle                                        2026/05/13        2.2.5 - 4.4.3                          Low
  CVE-2026-44058   Authentication bypass via admin auth user                             2026/05/13        2.2.2 - 4.4.3                          Medium
  CVE-2026-44057   Dead bounds check in Spotlight RPC unmarshaller                       2026/05/13        3.0.0 - 4.4.2                          None
  CVE-2026-44056   Stack buffer overflow in desktop.c                                    2026/05/13        1.3 - 4.4.3                            Medium
  CVE-2026-44055   Bitwise OR logic bug enables shell injection                          2026/05/13        3.1.4 - 4.4.2                          High
  CVE-2026-44054   Predictable afpd session token                                        2026/05/13        2.0.0 - 4.4.2                          Medium
  CVE-2026-44053   Weak cryptography in DHCAST128 UAM                                    2026/05/13        1.5.0 - 4.4.3                          High
  CVE-2026-44052   LDAP simple-bind password exposure in log output                      2026/05/13        2.1.0 - 4.4.2                          High
  CVE-2026-44051   Arbitrary file read via attacker-controlled symlink creation          2026/05/13        3.0.2 - 4.4.2                          High
  CVE-2026-44050   Heap buffer overflow in CNID daemon comm_rcv()                        2026/05/13        2.0.0 - 4.4.2                          Critical
  CVE-2026-44049   Out-of-bounds write in convert_charset() null termination             2026/05/13        2.0.4 - 4.4.2                          High
  CVE-2026-44048   Stack buffer overflow via UCS-2 type confusion in convert_charset()   2026/05/13        2.0.4 - 4.4.2                          High
  CVE-2026-44047   SQL injection in MySQL CNID backend                                   2026/05/13        3.1.0 - 4.4.2                          High
  CVE-2026-7837    TOCTOU with root privilege in ad_flush                                2026/05/13        3.0.0 - 4.4.3                          None
  CVE-2026-7836    hextoint macro uppercase bug                                          2026/05/13        2.0.0 - 4.4.3                          Low
  CVE-2026-7835    Format string argument mismatch                                       2026/05/13        3.0.3 - 4.4.3                          Low
  CVE-2024-38441   Heap out-of-bounds write in directory.c                               2024/06/28        2.0.0 - 2.4.0, 3.0.0 - 3.1.18, 3.2.0   High
  CVE-2024-38440   Heap out-of-bounds write in uams_dhx_pam.c                            2024/06/28        1.5.0 - 2.4.0, 3.0.0 - 3.1.18, 3.2.0   High
  CVE-2024-38439   Heap out-of-bounds write in uams_pam.c                                2024/06/28        1.5.0 - 2.4.0, 3.0.0 - 3.1.18, 3.2.0   High
  CVE-2023-42464   afpd daemon vulnerable to type confusion                              2023/09/16        3.1.0 - 3.1.16                         Medium
  CVE-2022-45188   Arbitrary code execution in afp_getappl                               2023/03/28        1.5.0 - 2.2.8, 3.0.0 - 3.1.14          High
  CVE-2022-43634   Arbitrary code execution in dsi_writeinit                             2023/02/20        3.0.0 - 3.1.14                         Critical
  CVE-2022-23125   Arbitrary code execution in copyapplfile                              2022/03/22        1.3 - 2.2.6, 3.0.0 - 3.1.12            Critical
  CVE-2022-23124   Information leak in get_finderinfo                                    2022/03/22        3.0.0 - 3.1.12                         Medium
  CVE-2022-23123   Information leak in getdirparams                                      2022/03/22        1.5.0 - 2.2.6, 3.0.0 - 3.1.12          Medium
  CVE-2022-23122   Arbitrary code execution in setfilparams                              2022/03/22        3.0.0 - 3.1.12                         Critical
  CVE-2022-23121   Arbitrary code execution in parse_entries                             2022/03/22        1.5.0 - 2.2.6, 3.0.0 - 3.1.12          Critical
  CVE-2022-22995   afpd daemon vulnerable to symlink redirection                         2023/10/05        3.1.0 - 3.1.17                         High
  CVE-2022-0194    Arbitrary code execution in ad_addcomment                             2022/03/22        1.5.0 - 2.2.6, 3.0.0 - 3.1.12          Critical
  CVE-2021-31439   Arbitrary code execution in dsi_stream_receive                        2022/03/22        3.0.0 - 3.1.12                         High
  CVE-2018-1160    Unauthenticated remote code execution                                 2018/12/20        1.5.0 - 2.2.6, 3.0.0 - 3.1.11          Critical
  CVE-2008-5718    papd daemon vulnerable to remote command execution                    2008/12/26        2.0.0 - 2.0.4                          Critical
  CAN-2004-0974    etc2ps.sh vulnerable to symlink attack                                2004/09/30        1.3 - 1.6.4, 2.0.0                     Low

See Also

Netatalk CVE records on cve.org
