Your message dated Sun, 15 Mar 2026 23:50:13 +0000
with message-id <[email protected]>
and subject line Bug#1130497: fixed in zookeeper 3.9.5-1
has caused the Debian Bug report #1130497,
regarding zookeeper: CVE-2026-24308
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1130497: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130497
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: zookeeper
Version: 3.9.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for zookeeper.

CVE-2026-24308[0]:
| Improper handling of configuration values in ZKConfig in Apache
| ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to
| expose sensitive information stored in client configuration in the
| client's logfile. Configuration values are exposed at INFO level
| logging rendering potential production systems affected by the
| issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5
| which fixes this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24308
    https://www.cve.org/CVERecord?id=CVE-2026-24308
[1] https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: zookeeper
Source-Version: 3.9.5-1
Done: tony mancill <[email protected]>

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 Mar 2026 15:02:30 -0700
Source: zookeeper
Architecture: source
Version: 3.9.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 1130496 1130497
Changes:
 zookeeper (3.9.5-1) unstable; urgency=medium
 .
   * New upstream version 3.9.5
     - Addresses CVE-2026-24281 (Closes: #1130496)
     - Addresses CVE-2026-24308 (Closes: #1130497)
   * Update build-dep and classpath for JLine3
   * Refresh patches for upstream release.
   * Disable patches no longer needed with current Debian version


--- End Message ---
