I have a patch for https://issues.apache.org/jira/browse/ZOOKEEPER-2693 (pull request 179 <https://github.com/apache/zookeeper/pull/179>). Feedback will be highly appreciated. It would be good that we can get this in a few days as it is both a security fix and a blocker for two ongoing releases (3.4.10/3.5.3).
On Mon, Feb 13, 2017 at 7:37 PM, Patrick Hunt <ph...@apache.org> wrote: > Hi folks. The following exploit was recently published on the web and has > come to our attention, it details a ZooKeeper DOS attack against certain > four letter words (4lw), possible when the client port is exposed to > untrusted actors: > > https://webcache.googleusercontent.com/search? > q=cache:_CNGIz10PRYJ:https:// > www.exploit-db.com/exploits/41277/+&cd=14&hl=en&ct=clnk&gl=us > > Typically we address security issues on the security@ private mailing > list, > publishing a fixed release before publicly releasing the exploit, however > in this case given the information is publicly available already we decided > there's little point to keeping it on security@ exclusively. > http://zookeeper.apache.org/security.html > > A JIRA has been created to track this issue: > https://issues.apache.org/jira/browse/ZOOKEEPER-2693 > we expect to include a patch to address in 3.4.10 and 3.5.3. > > Patrick > -- Cheers Michael.
