Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: 6e7c42da by Bastien Roucariès at 2025-01-01T12:39:08+00:00 CVE-2024-23944/zookeeper bullseye Add ignored for bullseye CVE-2024-23944 should be marked ignored for older release: - Persistent (and p-recursive) watches were introduced by ZOOKEEPER-1416, which only exists in 3.6+. This is needed for exploit - according to upstream classical watches are used (<< 3.6), it seems that to trigger for nodes whose names are not known in advance is not possible. Nevertheless classical watch leaks some information. - this is only a information leak and limited so for me minor - it will be hard to fix (no upstream support EOL upstream) See https://lists.debian.org/debian-lts/2024/12/msg00078.html - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -83100,7 +83100,7 @@ CVE-2024-28752 (A SSRF vulnerability using the Aegis DataBinding in versions of CVE-2024-23944 (Information disclosure in persistent watchers handling in Apache ZooKe ...) - zookeeper 3.9.2-1 (bug #1066947) [bookworm] - zookeeper <no-dsa> (Minor issue) - [bullseye] - zookeeper <no-dsa> (Minor issue) + [bullseye] - zookeeper <ignored> (Minor issue; hard to backport) NOTE: https://www.openwall.com/lists/oss-security/2024/03/14/2 NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-4799 NOTE: Fixed by: https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d (release-3.8.4-0) @@ -83109,6 +83109,7 @@ CVE-2024-23944 (Information disclosure in persistent watchers handling in Apache NOTE: See https://issues.apache.org/jira/browse/ZOOKEEPER-1416 NOTE: However, classical watches are used (<< 3.6), it seems that to trigger for nodes whose names are not NOTE: known in advance is not possible. Nevertheless classical watch leaks some information. + NOTE: LTS status see https://lists.debian.org/debian-lts/2024/12/msg00078.html CVE-2024-2746 (Incomplete fix for CVE-2024-1929 The problem with CVE-2024-1929 was t ...) NOT-FOR-US: dnf5daemon-server CVE-2024-1930 (No Limit on Number of Open Sessions / Bad Session Close Behaviour in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e7c42da686d64884c84878398618435c95230a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e7c42da686d64884c84878398618435c95230a5 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
