Bug#863811: CVE-2017-5637

2017-06-01 Thread Moritz Mühlenhoff
On Thu, Jun 01, 2017 at 08:17:21AM -0700, tony mancill wrote:
> On Wed, May 31, 2017 at 02:45:18PM +0200, Moritz Muehlenhoff wrote:
> > Source: zookeeper
> > Severity: grave
> > Tags: security
> > 
> > Please see https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> > 
> > Fix is referenced here: https://github.com/apache/zookeeper/pull/183
> > 
> > I'm also attaching the debdiff I'll be using for jessie for reference.
> 
> Hello Moritz,
> 
> Thank you (as always) for your work on security.  I can prepare the
> upload to unstable.  Do you have a recommendation for how we should
> approach the fix in stretch given the timing of the release?  Should the
> upload perhaps be prepared for stretch-security?

I think it's best if you prepare a 3.4.9-3 upload with only the security
fix and ask for an unblock by filing a bug against release.debian.org.

Cheers,
Moritz

__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#863811: CVE-2017-5637

2017-06-01 Thread tony mancill
On Wed, May 31, 2017 at 02:45:18PM +0200, Moritz Muehlenhoff wrote:
> Source: zookeeper
> Severity: grave
> Tags: security
> 
> Please see https://issues.apache.org/jira/browse/ZOOKEEPER-2693
> 
> Fix is referenced here: https://github.com/apache/zookeeper/pull/183
> 
> I'm also attaching the debdiff I'll be using for jessie for reference.

Hello Moritz,

Thank you (as always) for your work on security.  I can prepare the
upload to unstable.  Do you have a recommendation for how we should
approach the fix in stretch given the timing of the release?  Should the
upload perhaps be prepared for stretch-security?

Thank you,
tony



Bug#863811: CVE-2017-5637

2017-05-31 Thread Moritz Muehlenhoff
Source: zookeeper
Severity: grave
Tags: security

Please see https://issues.apache.org/jira/browse/ZOOKEEPER-2693

Fix is referenced here: https://github.com/apache/zookeeper/pull/183

I'm also attaching the debdiff I'll be using for jessie for reference.

Cheers,
Moritz

diff -Nru zookeeper-3.4.5+dfsg/debian/changelog 
zookeeper-3.4.5+dfsg/debian/changelog
--- zookeeper-3.4.5+dfsg/debian/changelog   2016-10-01 20:02:51.0 
+0200
+++ zookeeper-3.4.5+dfsg/debian/changelog   2017-05-31 11:29:29.0 
+0200
@@ -1,3 +1,9 @@
+zookeeper (3.4.5+dfsg-2+deb8u2) jessie-security; urgency=medium
+
+  * CVE-2017-5637
+
+ -- Moritz Mühlenhoff   Wed, 31 May 2017 11:28:54 +0200
+
 zookeeper (3.4.5+dfsg-2+deb8u1) jessie; urgency=high
 
   * Team upload.
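Review bot: the new changelog entry `+  * CVE-2017-5637` gives only the CVE identifier; Debian changelog convention is to say what was fixed and how, so that users reading the changelog know the behaviour change (two four letter word commands are now disabled by default and a new property exists to re-enable them). Suggested wording: `  * CVE-2017-5637: denial of service via the wchp/wchc four letter words; backport upstream ZOOKEEPER-2693, which adds the 4lw.commands.whitelist property and disables wchp and wchc by default (Closes: #863811)`. Also note the entry uses `urgency=medium` while the previous `3.4.5+dfsg-2+deb8u1` entry used `urgency=high`; confirm medium is intended for this jessie-security upload.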
diff -Nru zookeeper-3.4.5+dfsg/debian/patches/CVE-2017-5637.patch 
zookeeper-3.4.5+dfsg/debian/patches/CVE-2017-5637.patch
--- zookeeper-3.4.5+dfsg/debian/patches/CVE-2017-5637.patch 1970-01-01 
01:00:00.0 +0100
+++ zookeeper-3.4.5+dfsg/debian/patches/CVE-2017-5637.patch 2017-05-31 
11:28:32.0 +0200
@@ -0,0 +1,593 @@
+From 835377f0e1cd215e791ed29c0bcff95e625f299c Mon Sep 17 00:00:00 2001
+From: Michael Han 
+Date: Tue, 7 Mar 2017 17:34:34 +0530
+Subject: [PATCH] ZOOKEEPER-2693: DOS attack on wchp/wchc four letter words
+ (4lw)
+
+Similar as pull request 179, this PR introduces new property 
zookeeper.4lw.commands.whitelist to branch-3.4.
+Unlike branch-3.5 where all 4lw (with few exceptions) is disabled by default, 
for branch-3.4 only "wchp" and "wchc" are disabled by default - since 4lw is 
widely used and there is no alternatives in branch-3.4 so we just disable the 
exploitable ones.
+
+Author: Michael Han 
+
+Reviewers: Rakesh Radhakrishnan 
+
+Closes #183 from hanm/ZOOKEEPER-2693-br-3.4 and squashes the following commits:
+
+d060ddc [Michael Han] update doc.
+2ce4ebd [Michael Han] ZOOKEEPER-2693: DOS attack on wchp/wchc four letter 
words (4lw). Initial commit for branch-3.4.
+---
+ .../documentation/content/xdocs/zookeeperAdmin.xml |  44 
+ .../org/apache/zookeeper/server/NIOServerCnxn.java |  33 ++-
+ .../apache/zookeeper/server/NettyServerCnxn.java   |  32 ++-
+ .../org/apache/zookeeper/server/ServerCnxn.java|  94 +++-
+ src/java/test/org/apache/zookeeper/ZKTestCase.java |   4 +
+ .../test/FourLetterWordsWhiteListTest.java | 252 +
+ 6 files changed, 449 insertions(+), 10 deletions(-)
+ create mode 100644 
src/java/test/org/apache/zookeeper/test/FourLetterWordsWhiteListTest.java
+
+diff --git a/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml 
b/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml
+index 5aefa9a11..fb00fae24 100644
+--- a/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml
 b/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml
+@@ -1042,6 +1042,40 @@ server.3=zoo3:2888:3888
+   
+ 
+   
++
++  
++4lw.commands.whitelist
++
++
++  (Java system property: zookeeper.4lw.commands.whitelist)
++
++  New in 3.4.10:
++This property contains a list of comma separated
++Four Letter Words commands. It 
is introduced
++to provide fine grained control over the set of commands 
ZooKeeper can execute,
++so users can turn off certain commands if necessary.
++By default it contains all supported four letter word 
commands except "wchp" and "wchc",
++if the property is not specified. If the property is 
specified, then only commands listed
++in the whitelist are enabled.
++  
++
++  Here's an example of the configuration that enables stat, 
ruok, conf, and isro
++command while disabling the rest of Four Letter Words 
command:
++  
++4lw.commands.whitelist=stat, ruok, conf, isro
++  
++
++  Users can also use asterisk option so they don't have to 
include every command one by one in the list.
++As an example, this will enable all four letter word commands:
++  
++  
++4lw.commands.whitelist=*
++  
++
++
++  
++
+ 
+ 
+   
+@@ -1667,6 +1701,16 @@ imok
+ usage limit that would cause the system to swap.
+   
+ 
++
++
++  Publicly accessible deployment
++  
++
++  A ZooKeeper ensemble is expected to operate in a trusted 
computing environment.
++  It is thus recommended to deploy ZooKeeper behind a firewall.
++
++  
++
+   
+ 
+ 
+diff --git a/src/java/main/org/apache/zookeeper/server/NIOServerCnxn.java
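Review bot: the documentation example added in the zookeeperAdmin.xml hunk, `4lw.commands.whitelist=stat, ruok, conf, isro`, has a space after each comma, so the property parser in ServerCnxn.java (further down in this patch, outside the excerpt shown here) must trim each entry, otherwise only `stat` would match and `ruok`, `conf` and `isro` would be rejected; please verify the parser trims whitespace, or drop the spaces from the example. The same doc text says "New in 3.4.10", which is accurate for upstream but will read oddly in a 3.4.5+dfsg-2+deb8u2 package; consider adding DEP-3 headers at the top of `debian/patches/CVE-2017-5637.patch` recording this as a backport, e.g. `Origin: upstream, https://github.com/apache/zookeeper/pull/183` and `Bug-Debian: https://bugs.debian.org/863811`, so the git `From:`/`Subject:` header is complemented by the Debian tracking information.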