kotlinx-atomicfu REMOVED from testing

2023-11-04 Thread Debian testing watch
FYI: The status of the kotlinx-atomicfu source package
in Debian's testing distribution has changed.

  Previous version: 0.11.12-2
  Current version:  (not in testing)
  Hint: 
# 1052383 in android-platform-tools

The script that generates this mail tries to extract removal
reasons from comments in the britney hint files. Those comments
were not originally meant to be machine readable, so if the
reason for removing your package seems to be nonsense, it is
probably the reporting script that got confused. Please check the
actual hints file before you complain about meaningless removals.

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

__
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.ecl

2023-11-04 Thread Markus Koschany
Hello,

On Saturday, 04.11.2023 at 17:03 +, Adam D. Barratt wrote:
> Source: jetty9
> Version: 9.4.50-4+deb10u1
> Severity: serious
> X-Debbugs-Cc: d...@debian.org
> 
> Hi,
> 
> Upgrading libjetty9-java and libjetty9-extra-java to the version from
> DLA 3641-1 reliably causes PuppetDB to fail to start, with the
> stacktrace shown below. Downgrading resolves the issue.
> 
> I'm not sure which keystore is being referred to, but none of the files
> listed in /etc/puppetdb/conf.d/jetty.ini appear to contain more than a
> single certificate.

thanks for the report. This looks like a bug in
trapperkeeper-webserver-jetty9-clojure to me. Upstream commit

https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/commit/3ee6a410436c1a236ca33d511c5373c3328054ef

appears to address the problem. The version in Buster lacks the
InternalSslContextFactory class though. Instead the deprecated
SslContextFactory class is referenced in jetty9_config.clj and
jetty9_core.clj. 

My first idea is to change SslContextFactory occurrences to
SslContextFactory.Server.

Backporting the version of trapperkeeper-webserver-jetty9-clojure from Bullseye
to Buster is the second one. AFAICS puppetdb and puppetserver are the only
consumers.

Could you install the version of trapperkeeper-webserver-jetty9-clojure from
Bullseye and reinstall the jetty9 security update and report back if this
solves your problem?

Regards,

Markus




kotlinx-coroutines REMOVED from testing

2023-11-04 Thread Debian testing watch
FYI: The status of the kotlinx-coroutines source package
in Debian's testing distribution has changed.

  Previous version: 1.0.1-2
  Current version:  (not in testing)
  Hint: 
# 1052383 in android-platform-tools



kotlin REMOVED from testing

2023-11-04 Thread Debian testing watch
FYI: The status of the kotlin source package
in Debian's testing distribution has changed.

  Previous version: 1.3.31+ds1-1
  Current version:  (not in testing)
  Hint: 
# 1052383 in android-platform-tools



libbeam-java 1.3.5-2 MIGRATED to testing

2023-11-04 Thread Debian testing watch
FYI: The status of the libbeam-java source package
in Debian's testing distribution has changed.

  Previous version: 1.3.3-3
  Current version:  1.3.5-2



Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.ecl

2023-11-04 Thread Adam D. Barratt
Source: jetty9
Version: 9.4.50-4+deb10u1
Severity: serious
X-Debbugs-Cc: d...@debian.org

Hi,

Upgrading libjetty9-java and libjetty9-extra-java to the version from
DLA 3641-1 reliably causes PuppetDB to fail to start, with the
stacktrace shown below. Downgrading resolves the issue.

I'm not sure which keystore is being referred to, but none of the files
listed in /etc/puppetdb/conf.d/jetty.ini appear to contain more than a
single certificate.

Regards,

Adam

-- Logs begin at Sat 2023-11-04 14:52:45 UTC, end at Sat 2023-11-04 16:16:11 UTC. --
Nov 04 14:52:50 handel systemd[1]: Started Puppet data warehouse server.
Nov 04 14:53:22 handel java[1669]: WARNING: boolean? already refers to: #'clojure.core/boolean? in namespace: puppetlabs.trapperkeeper.internal, being replaced by: #'puppetlabs.kitchensink.core/boolean?
Nov 04 14:53:32 handel java[1669]: 14:53:32.886 [main] DEBUG puppetlabs.puppetdb.http - The v1 API has been retired; please use v4 Caught HTTP processing exception
Nov 04 14:53:32 handel java[1669]: 14:53:32.898 [main] DEBUG puppetlabs.puppetdb.http - The v2 API has been retired; please use v4 Caught HTTP processing exception
Nov 04 14:53:32 handel java[1669]: 14:53:32.899 [main] DEBUG puppetlabs.puppetdb.http - The v3 API has been retired; please use v4 Caught HTTP processing exception
Nov 04 14:53:34 handel java[1669]: 14:53:34.073 [main] DEBUG puppetlabs.trapperkeeper.bootstrap - Loading bootstrap config from classpath: 'jar:file:/usr/share/puppetdb/puppetdb.jar!/bootstrap.cfg'
Nov 04 14:53:39 handel java[1669]: Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1289)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1271)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:373)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:244)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:323)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.server.Server.doStart(Server.java:401)
Nov 04 14:53:39 handel java[1669]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Nov 04 14:53:39 handel java[1669]: at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Nov 04 14:53:39 handel java[1669]: at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Nov 04 14:53:39 handel java[1669]: at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Nov 04 14:53:39 handel java[1669]: at java.base/java.lang.reflect.Method.invoke(Method.java:566)
Nov 04 14:53:39 handel java[1669]: at clojure.lang.Reflector.invokeMatchingMethod(Reflector.java:167)
Nov 04 14:53:39 handel java[1669]: at clojure.lang.Reflector.invokeNoArgInstanceMember(Reflector.java:438)
Nov 04 14:53:39 handel java[1669]: at puppetlabs.trapperkeeper.services.webserver.jetty9_core$eval43528$start_webserver_BANG___43533$fn__43534$fn__43535.invoke(jetty9_core.clj:685)
Nov 04 14:53:39 handel java[1669]: at 

gradle-kotlin-dsl REMOVED from testing

2023-11-04 Thread Debian testing watch
FYI: The status of the gradle-kotlin-dsl source package
in Debian's testing distribution has changed.

  Previous version: 0.13.2-5
  Current version:  (not in testing)
  Hint: 
# 1052383 in android-platform-tools



xperia-flashtool REMOVED from testing

2023-11-04 Thread Debian testing watch
FYI: The status of the xperia-flashtool source package
in Debian's testing distribution has changed.

  Previous version: 0.9.34+ds-1
  Current version:  (not in testing)
  Hint: 
# 1052383 in android-platform-tools



Processing of filius_2.5.1+ds-1~bpo12+1_source.changes

2023-11-04 Thread Debian FTP Masters
filius_2.5.1+ds-1~bpo12+1_source.changes uploaded successfully to localhost
along with the files:
  filius_2.5.1+ds-1~bpo12+1.dsc
  filius_2.5.1+ds-1~bpo12+1.debian.tar.xz
  filius_2.5.1+ds-1~bpo12+1_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



filius_2.5.1+ds-1~bpo12+1_source.changes ACCEPTED into stable-backports

2023-11-04 Thread Debian FTP Masters
Thank you for your contribution to Debian.

Mapping bookworm-backports to stable-backports.

Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 04 Nov 2023 10:57:21 +0100
Source: filius
Architecture: source
Version: 2.5.1+ds-1~bpo12+1
Distribution: bookworm-backports
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Andreas B. Mundt 
Changes:
 filius (2.5.1+ds-1~bpo12+1) bookworm-backports; urgency=medium
 .
   * Rebuild for bookworm-backports.
 .
 filius (2.5.1+ds-1) unstable; urgency=medium
 .
   * New upstream version 2.5.1+ds.
   * Update patches, remove those applied upstream.
   * Update dependencies and adapt maven rules.
   * Rework package description.
   * Fix FTBFS: Patch exceptions back that have been removed upstream.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-




zookeeper_3.8.0-11+deb12u1_source.changes ACCEPTED into proposed-updates

2023-11-04 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 29 Oct 2023 08:57:11 +0100
Source: zookeeper
Architecture: source
Version: 3.8.0-11+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Pierre Gruet 
Closes: 1054224
Changes:
 zookeeper (3.8.0-11+deb12u1) bookworm-security; urgency=medium
 .
   * Team upload:
     - CVE-2023-44981: Prevent a potential authorisation bypass vulnerability.
       If SASL Quorum Peer authentication was enabled (via
       quorum.auth.enableSasl), authorisation was performed by verifying that
       the instance part in the SASL authentication ID was listed in the zoo.cfg
       server list. However, this value is optional, and, if missing (such as in
       'e...@example.com'), the authorisation check will be skipped. As a result,
       an arbitrary endpoint could join the cluster and begin propagating
       counterfeit changes to the leader, essentially giving it complete
       read-write access to the data tree. (Closes: #1054224)

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
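
The authorisation gap described in the CVE-2023-44981 changelog entry above, as an added example that is not part of the original mail and is not ZooKeeper's source code. It is a simplified model: the principal names, the host set and all function names are constructed for illustration, and the hardened check shows the fail-closed principle rather than the exact upstream patch.

```python
# Added example: a simplified model of the check, not ZooKeeper's source code.
from typing import NamedTuple, Optional

# Constructed stand-in for the host names in the zoo.cfg server list.
SERVER_LIST_HOSTS = frozenset({"zk1.example.com", "zk2.example.com", "zk3.example.com"})


class AuthId(NamedTuple):
    primary: str
    instance: Optional[str]  # the optional part of the ID; None when absent
    realm: str


def parse_auth_id(auth_id: str) -> AuthId:
    """Split 'primary[/instance]@REALM'. Raises ValueError on malformed input."""
    name, sep, realm = auth_id.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"missing primary or realm: {auth_id!r}")
    primary, slash, instance = name.partition("/")
    if not primary or (slash and not instance):
        raise ValueError(f"empty primary or instance: {auth_id!r}")
    # Lower-casing the host is an assumption of this model.
    return AuthId(primary, instance.lower() if slash else None, realm)


def authorize_fail_open(auth_id: str, hosts=SERVER_LIST_HOSTS) -> bool:
    """Behaviour described in the advisory: no instance part, no check."""
    parsed = parse_auth_id(auth_id)
    if parsed.instance is None:
        return True  # check skipped, so any authenticated principal is admitted
    return parsed.instance in hosts


def authorize_fail_closed(auth_id: str, hosts=SERVER_LIST_HOSTS) -> bool:
    """Hardened form: a missing or malformed instance part is a rejection."""
    try:
        parsed = parse_auth_id(auth_id)
    except ValueError:
        return False
    return parsed.instance is not None and parsed.instance in hosts


def audit(auth_ids, hosts=SERVER_LIST_HOSTS):
    """Return the IDs the fail-open check admits but the fail-closed check rejects."""
    flagged = []
    for auth_id in auth_ids:
        try:
            was_admitted = authorize_fail_open(auth_id, hosts)
        except ValueError:
            was_admitted = False
        if was_admitted and not authorize_fail_closed(auth_id, hosts):
            flagged.append(auth_id)
    return flagged


# Constructed sample of authentication IDs, as an operator might collect
# them when reviewing which peers were allowed to join the quorum.
SAMPLE_IDS = [
    "zkquorum/zk1.example.com@EXAMPLE.COM",  # instance is a listed host
    "zkquorum/zk9.example.com@EXAMPLE.COM",  # instance is not in the server list
    "zkquorum@EXAMPLE.COM",                  # no instance part
    "zkquorum/@EXAMPLE.COM",                 # malformed: empty instance
]

if __name__ == "__main__":
    for auth_id in SAMPLE_IDS:
        print(auth_id, "->", authorize_fail_closed(auth_id))
    print("admitted only by the fail-open check:", audit(SAMPLE_IDS))
```
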




jetty9_9.4.50-4+deb12u2_source.changes ACCEPTED into proposed-updates

2023-11-04 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 30 Oct 2023 00:30:15 CET
Source: jetty9
Architecture: source
Version: 9.4.50-4+deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Changes:
 jetty9 (9.4.50-4+deb12u2) bookworm-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2023-36478 and CVE-2023-44487:
     Two remotely exploitable security vulnerabilities were discovered in Jetty
     9, a Java based web server and servlet engine. The HTTP/2 protocol
     implementation did not sufficiently verify if HPACK header values exceed
     their size limit. Furthermore the HTTP/2 protocol allowed a denial of
     service (server resource consumption) because request cancellation can
     reset many streams quickly. This problem is also known as Rapid Reset
     Attack.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-




zookeeper_3.4.13-6+deb11u1_source.changes ACCEPTED into oldstable-proposed-updates

2023-11-04 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 28 Oct 2023 23:16:44 +0200
Source: zookeeper
Architecture: source
Version: 3.4.13-6+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Pierre Gruet 
Closes: 1054224
Changes:
 zookeeper (3.4.13-6+deb11u1) bullseye-security; urgency=medium
 .
   * Team upload:
     - CVE-2023-44981: Prevent a potential authorisation bypass vulnerability.
       If SASL Quorum Peer authentication was enabled (via
       quorum.auth.enableSasl), authorisation was performed by verifying that
       the instance part in the SASL authentication ID was listed in the zoo.cfg
       server list. However, this value is optional, and, if missing (such as in
       'e...@example.com'), the authorisation check will be skipped. As a result,
       an arbitrary endpoint could join the cluster and begin propagating
       counterfeit changes to the leader, essentially giving it complete
       read-write access to the data tree. (Closes: #1054224)

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-




jetty9_9.4.50-4+deb11u1_source.changes ACCEPTED into oldstable-proposed-updates

2023-11-04 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 30 Oct 2023 16:10:27 CET
Source: jetty9
Architecture: source
Version: 9.4.50-4+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Changes:
 jetty9 (9.4.50-4+deb11u1) bullseye-security; urgency=high
 .
   * Team upload.
   * Backport Jetty 9 version from Bookworm.
   * Fix CVE-2023-36478 and CVE-2023-44487:
     Two remotely exploitable security vulnerabilities were discovered in Jetty
     9, a Java based web server and servlet engine. The HTTP/2 protocol
     implementation did not sufficiently verify if HPACK header values exceed
     their size limit. Furthermore the HTTP/2 protocol allowed a denial of
     service (server resource consumption) because request cancellation can
     reset many streams quickly. This problem is also known as Rapid Reset
     Attack.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-




Bug#1054224: marked as done (zookeeper: CVE-2023-44981)

2023-11-04 Thread Debian Bug Tracking System
Your message dated Sat, 04 Nov 2023 12:49:14 +
with message-id 
and subject line Bug#1054224: fixed in zookeeper 3.4.13-6+deb11u1
has caused the Debian Bug report #1054224,
regarding zookeeper: CVE-2023-44981
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054224: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054224
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: zookeeper
Version: 3.8.0-11
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 3.4.13-6

Hi,

The following vulnerability was published for zookeeper.

CVE-2023-44981[0]:
| Authorization Bypass Through User-Controlled Key vulnerability in
| Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in
| ZooKeeper (quorum.auth.enableSasl=true), the authorization is done
| by verifying that the instance part in SASL authentication ID is
| listed in zoo.cfg server list. The instance part in SASL auth ID is
| optional and if it's missing, like 'e...@example.com', the
| authorization check will be skipped. As a result an arbitrary
| endpoint could join the cluster and begin propagating counterfeit
| changes to the leader, essentially giving it complete read-write
| access to the data tree. Quorum Peer authentication is not enabled
| by default.  Users are recommended to upgrade to version 3.9.1,
| 3.8.3, 3.7.2, which fixes the issue.  Alternately ensure the
| ensemble election/quorum communication is protected by a firewall as
| this will mitigate the issue.  See the documentation for more
| details on correct cluster administration.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44981
https://www.cve.org/CVERecord?id=CVE-2023-44981
[1] https://www.openwall.com/lists/oss-security/2023/10/11/4
[2] https://github.com/apache/zookeeper/commit/96b3172ca249a8580e9a315d589d319286cee4ee

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: zookeeper
Source-Version: 3.4.13-6+deb11u1
Done: Pierre Gruet 

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Gruet  (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 28 Oct 2023 23:16:44 +0200
Source: zookeeper
Architecture: source
Version: 3.4.13-6+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Pierre Gruet 
Closes: 1054224
Changes:
 zookeeper (3.4.13-6+deb11u1) bullseye-security; urgency=medium
 .
   * Team upload:
     - CVE-2023-44981: Prevent a potential authorisation bypass vulnerability.
       If SASL Quorum Peer authentication was enabled (via
       quorum.auth.enableSasl), authorisation was performed by verifying that
       the instance part in the SASL authentication ID was listed in the zoo.cfg
       server list. However, this value is optional, and, if missing (such as in
       'e...@example.com'), the authorisation check will be skipped. As a result,
       an arbitrary endpoint could join the cluster and begin propagating
       counterfeit changes to the leader, essentially giving it complete
       read-write access to the data tree. (Closes: #1054224)

Bug#1054224: marked as done (zookeeper: CVE-2023-44981)

2023-11-04 Thread Debian Bug Tracking System
Your message dated Sat, 04 Nov 2023 12:47:39 +
with message-id 
and subject line Bug#1054224: fixed in zookeeper 3.8.0-11+deb12u1
has caused the Debian Bug report #1054224,
regarding zookeeper: CVE-2023-44981
to be marked as done.

--- Begin Message ---
Source: zookeeper
Version: 3.8.0-11
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 3.4.13-6

Hi,

The following vulnerability was published for zookeeper.

CVE-2023-44981[0]:
| Authorization Bypass Through User-Controlled Key vulnerability in
| Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in
| ZooKeeper (quorum.auth.enableSasl=true), the authorization is done
| by verifying that the instance part in SASL authentication ID is
| listed in zoo.cfg server list. The instance part in SASL auth ID is
| optional and if it's missing, like 'e...@example.com', the
| authorization check will be skipped. As a result an arbitrary
| endpoint could join the cluster and begin propagating counterfeit
| changes to the leader, essentially giving it complete read-write
| access to the data tree. Quorum Peer authentication is not enabled
| by default.  Users are recommended to upgrade to version 3.9.1,
| 3.8.3, 3.7.2, which fixes the issue.  Alternately ensure the
| ensemble election/quorum communication is protected by a firewall as
| this will mitigate the issue.  See the documentation for more
| details on correct cluster administration.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44981
https://www.cve.org/CVERecord?id=CVE-2023-44981
[1] https://www.openwall.com/lists/oss-security/2023/10/11/4
[2] https://github.com/apache/zookeeper/commit/96b3172ca249a8580e9a315d589d319286cee4ee

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: zookeeper
Source-Version: 3.8.0-11+deb12u1
Done: Pierre Gruet 

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Gruet  (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 29 Oct 2023 08:57:11 +0100
Source: zookeeper
Architecture: source
Version: 3.8.0-11+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Pierre Gruet 
Closes: 1054224
Changes:
 zookeeper (3.8.0-11+deb12u1) bookworm-security; urgency=medium
 .
   * Team upload:
     - CVE-2023-44981: Prevent a potential authorisation bypass vulnerability.
       If SASL Quorum Peer authentication was enabled (via
       quorum.auth.enableSasl), authorisation was performed by verifying that
       the instance part in the SASL authentication ID was listed in the zoo.cfg
       server list. However, this value is optional, and, if missing (such as in
       'e...@example.com'), the authorisation check will be skipped. As a result,
       an arbitrary endpoint could join the cluster and begin propagating
       counterfeit changes to the leader, essentially giving it complete
       read-write access to the data tree. (Closes: #1054224)