[Disclaimer, not the package maintainer, but quickly checked your report for tracking within the security team]
On Sat, Jun 26, 2021 at 01:50:44PM +0200, Christoph Anton Mitterer wrote:
> Source: zookeeper
> Version: 3.4.13-6
> Severity: grave
> Tags: security
> Justification: user security hole
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> Hi.
>
> The release notes for
> https://zookeeper.apache.org/doc/r3.6.3/releasenotes.html
> list various security issues:
> CVE-2020-25649
> CVE-2021-21295
> CVE-2021-28165
> CVE-2021-21409
>
> It's a bit unclear to me whether 3.4 is affected too, but since 3.5.x
> versions seem to be, I'd guess the issues go back longer and may affect
> 3.4 as well.
>
> I would guess that 3.4.x has no upstream support anymore.

To me this looks like CVEs in other products, which zookeeper uses as dependencies? Is this correct?

CVE-2021-21409 is for instance for netty and fixed in 1:41.48-4 and in DSA 4885-1. CVE-2020-25649 was in jackson-databind. Similar for the other CVEs mentioned in the release notes; they usually refer to "upgrade X.Y to version [...]", dependency check, etc.

I have not (yet) checked the respective impact and whether something needs to be changed about those specifically in zookeeper.

Regards,
Salvatore