Author: buildbot
Date: Fri Sep 16 19:01:03 2016
New Revision: 997532

Log:
Staging update by buildbot for zookeeper

Modified:
    websites/staging/zookeeper/trunk/content/   (props changed)
    websites/staging/zookeeper/trunk/content/security.html

Propchange: websites/staging/zookeeper/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Fri Sep 16 19:01:03 2016
@@ -1 +1 @@
-1760478
+1761070

Modified: websites/staging/zookeeper/trunk/content/security.html
==============================================================================
--- websites/staging/zookeeper/trunk/content/security.html (original)
+++ websites/staging/zookeeper/trunk/content/security.html Fri Sep 16 19:01:03 
2016
@@ -57,7 +57,62 @@
 
 <p>The Apache Software Foundation takes security issues very seriously. Due to 
the infrastructure nature of the Apache ZooKeeper project specifically, we 
haven't had many reports over time, but it doesn't mean that we haven't had 
concerns over some bugs and vulnerabilities. If you have any concern or believe 
you have uncovered a vulnerability, we suggest that you get in touch via the 
e-mail address <a href="mailto:secur...@zookeeper.apache.org?Subject=[SECURITY] 
My security issue" target="_top">secur...@zookeeper.apache.org</a>. In the 
message, try to provide a description of the issue and ideally a way of 
reproducing it. Note that this security address should be used only for 
undisclosed vulnerabilities. Dealing with fixed issues should be handled 
regularly via the user and the dev lists. <b>Please report any security 
problems to the project security address before disclosing it publicly.</b>  
</p>
 
-<p>The <span class="caps">ASF</span> Security team maintains a page with a 
description of how vulnerabilities are handled, check their <a 
href="http://www.apache.org/security/";>Web page</a> for more information.  </p>
+<p>The <span class="caps">ASF</span> Security team maintains a page with a 
description of how vulnerabilities are handled, check their <a 
href="http://www.apache.org/security/";>Web page</a> for more information.</p>
+
+<h2>Vulnerability reports</h2>
+
+<ul>
+<li><a href="#CVE-2016-5017"><span class="caps">CVE</span>-2016-5017: Buffer 
overflow vulnerability in ZooKeeper C cli shell</a> </li>
+</ul>
+
+
+<h3 id="CVE-2016-5017"><span class="caps">CVE</span>-2016-5017: Buffer 
overflow vulnerability in ZooKeeper C cli shell</h3>
+
+<p>Severity: moderate</p>
+
+<p>Vendor:<br />
+The Apache Software Foundation</p>
+
+<p>Versions Affected:<br />
+ZooKeeper 3.4.0 to 3.4.8<br />
+ZooKeeper 3.5.0 to 3.5.2<br />
+The unsupported ZooKeeper 1.x through 3.3.x versions may be also affected</p>
+
+<p>Note: The 3.5 branch is still alpha at this time.</p>
+
+<p>Description:<br />
+The ZooKeeper C client shells "cli_st" and "cli_mt" have a buffer<br />
+overflow vulnerability associated with parsing of the input command<br />
+when using the "cmd:<cmd>" batch mode syntax. If the command string<br />
+exceeds 1024 characters a buffer overflow will occur. There is no<br />
+known compromise which takes advantage of this vulnerability, and if<br />
+security is enabled the attacker would be limited by client level<br />
+security constraints. The C cli shell is intended as a sample/example<br />
+of how to use the C client interface, not as a production tool - the<br />
+documentation has also been clarified on this point.</p>
+
+<p>Mitigation:<br />
+It is important to use the fully featured/supported Java cli shell rather<br />
+than the C cli shell independent of version.</p>
+
+<p>- ZooKeeper 3.4.x users should upgrade to 3.4.9 or apply this "patch":<br />
+https://git-wip-us.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=27ecf981a15554dc8e64a28630af7a5c9e2bdf4f</p>
+
+<p>- ZooKeeper 3.5.x users should upgrade to 3.5.3 when released or apply<br />
+this "patch":<br />
+https://git-wip-us.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=f09154d6648eeb4ec5e1ac8a2bacbd2f8c87c14a</p>
+
+<p>The patch solves the problem reported here, but it does not make the<br />
+client ready for production use. The community has no plan to make<br />
+this client production ready at this time, and strongly recommends that<br />
+users move to the Java cli and use the C cli for illustration purposes 
only.</p>
+
+
+<p>Credit:<br />
+This issue was discovered by Lyon Yang, an Apple security researcher.</p>
+
+<p>References:<br />
+<a href="https://zookeeper.apache.org/security.html";>Apache ZooKeeper Security 
Page</a></p>
           </div>
         </td>
         <td valign="top">
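Review bot: the placeholder in "cmd:<cmd>" (Description paragraph) is unescaped, so a browser will parse `<cmd>` as an unknown element and render the sentence as `when using the "cmd:" batch mode syntax`, losing the part that explains the syntax; write it as `cmd:&lt;cmd&gt;`. Two smaller points in the same hunk: the two commitdiff URLs under Mitigation are bare text rather than `<a href="...">` links, unlike the ASF Security link just above them, so readers cannot click them; and the References entry links back to this same security.html page, which gives the reader nothing new, so either drop it or point it at a page that is not this one. The "3.5.3 when released" wording will also need a follow-up edit once 3.5.3 ships.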