Your message dated Sun, 24 Mar 2024 23:36:12 +0000
with message-id <[email protected]>
and subject line Bug#1066947: fixed in zookeeper 3.9.2-1
has caused the Debian Bug report #1066947,
regarding zookeeper: CVE-2024-23944
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1066947: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066947
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: zookeeper
Version: 3.9.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for zookeeper.

CVE-2024-23944[0]:
| Information disclosure in persistent watchers handling in Apache
| ZooKeeper due to missing ACL check. It allows an attacker to monitor
| child znodes by attaching a persistent watcher (addWatch command) to
| a parent which the attacker has already access to. ZooKeeper server
| doesn't do ACL check when the persistent watcher is triggered and as
| a consequence, the full path of znodes that a watch event gets
| triggered upon is exposed to the owner of the watcher. It's
| important to note that only the path is exposed by this
| vulnerability, not the data of znode, but since znode path can
| contain sensitive information like user name or login ID, this issue
| is potentially critical.  Users are recommended to upgrade to
| version 3.9.2, 3.8.4 which fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23944
    https://www.cve.org/CVERecord?id=CVE-2024-23944
[1] https://www.openwall.com/lists/oss-security/2024/03/14/2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
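The fixed versions named in the report (3.9.2 and 3.8.4) give an operator the triage rule for a fleet of ZooKeeper servers. The following is an added example, not part of the bug report or of the zookeeper package: it parses the `Zookeeper version:` line returned by the `srvr` four-letter command (which must be allowed by `4lw.commands.whitelist` on the server) and decides whether a server still carries CVE-2024-23944. Treating minor branches below 3.8 as affected is an assumption, since the report lists fixes only for 3.8 and 3.9.

```python
import re

# Fixed versions per minor branch, taken from the CVE text in the report.
FIXED_IN = {(3, 9): (3, 9, 2), (3, 8): (3, 8, 4)}

# First line of the 'srvr' reply looks like:
#   Zookeeper version: 3.9.1-<build hash>, built on 2023-10-03 ...
VERSION_RE = re.compile(r"Zookeeper version:\s*(\d+)\.(\d+)\.(\d+)")


def parse_srvr_version(srvr_output: str):
    """Return (major, minor, patch) from a 'srvr' reply, or None if absent."""
    m = VERSION_RE.search(srvr_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version) -> bool:
    """True if this version predates the fix for CVE-2024-23944.

    Branches with a listed fix are compared against it; any other branch
    is (assumption) treated as affected when older than 3.8.4 and fixed
    when newer than the 3.9 branch.
    """
    major, minor, _patch = version
    fixed = FIXED_IN.get((major, minor))
    if fixed is not None:
        return version < fixed
    return version < (3, 8, 4)


def triage(host: str, srvr_output: str) -> str:
    """One-line verdict for an inventory report."""
    version = parse_srvr_version(srvr_output)
    if version is None:
        return f"{host}: version not found in srvr output (4lw whitelisted?)"
    label = "AFFECTED, upgrade" if is_affected(version) else "fixed"
    return f"{host}: {'.'.join(map(str, version))} {label}"


if __name__ == "__main__":
    # Constructed sample replies, as an operator might collect them.
    samples = {
        "zk1.example.invalid": "Zookeeper version: 3.9.1-abc, built on 2023-10-03\n",
        "zk2.example.invalid": "Zookeeper version: 3.8.4-def, built on 2024-02-12\n",
        "zk3.example.invalid": "srvr is not executed because it is not in the whitelist.\n",
    }
    for host, out in samples.items():
        print(triage(host, out))
```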
--- Begin Message ---
Source: zookeeper
Source-Version: 3.9.2-1
Done: Bastien Roucariès <[email protected]>

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <[email protected]> (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 24 Mar 2024 21:19:51 +0000
Source: zookeeper
Architecture: source
Version: 3.9.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1025042 1066947
Changes:
 zookeeper (3.9.2-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 3.9.2
   * Bug fix: CVE-2024-23944 (Closes: #1066947):
     An information disclosure in persistent watchers handling was found in
     Apache ZooKeeper due to missing ACL check.  It allows an attacker to
     monitor child znodes by attaching a persistent watcher (addWatch
     command) to a parent which the attacker has already access
     to. ZooKeeper server doesn't do ACL check when the persistent watcher
     is triggered and as a consequence, the full path of znodes that a
     watch event gets triggered upon is exposed to the owner of the
     watcher. It's important to note that only the path is exposed by this
     vulnerability, not the data of znode, but since znode path can contain
     sensitive information like user name or login ID, this issue is
     potentially critical.
   * Let sysvinit init script depend on networking (Closes: #1025042)
   * Add salsa CI
   * Refresh patches

--- End Message ---