On Sun, Jun 27, 2021 at 03:12:35PM +0200, Christoph Anton Mitterer wrote:
> On Sun, 2021-06-27 at 14:46 +0200, Salvatore Bonaccorso wrote:
> > To me this looks like CVEs in other products, but which zookeeper
> > uses as dependency? Is this correct?
>
> Indeed, but I couldn't find that the zookeeper package depends on these
> while it does contain:
> zookeeper-3.4.13/src$ find . -iname "*nett*"
> ./java/main/org/apache/zookeeper/server/NettyServerCnxnFactory.java
> ./java/main/org/apache/zookeeper/server/NettyServerCnxn.java
> ./java/test/org/apache/zookeeper/server/NettyServerCnxnTest.java
> ./java/test/org/apache/zookeeper/test/NioNettySuiteTest.java
> ./java/test/org/apache/zookeeper/test/NioNettySuiteHammerTest.java
> ./java/test/org/apache/zookeeper/test/NioNettySuiteBase.java
>
> ... so I figured these might still be affected?
The Debian package disables building against Netty via this patch:

https://salsa.debian.org/java-team/zookeeper/-/blob/master/debian/patches/13-disable-netty-connection-factory.patch

> And apart from that... if they apparently don't support older versions
> anymore, we'd likely not even notice should these contain any security
> issues.

This is certainly a valid point. There is no time to change the situation for bullseye aside from filing an RM bug to prevent the package from shipping with the release. That would impact transitive dependencies, of which I believe activemq is the most significant.

As an aside, I took a quick look at the latest upstream activemq source release (https://activemq.apache.org/activemq-5016002-release) and it specifies zookeeper 3.4.14 in its pom.xml (which makes me feel a little better).

We can work on addressing the situation in bookworm. (One idea I would propose is paring down the package to build just libzookeeper-java, because I imagine that many people use the Debian package to run their ZooKeeper ensembles, although maybe that's not true.) Help is always appreciated.

Cheers,
tony
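The source tree still carrying NettyServerCnxn*.java files says nothing about what the Debian patch actually removed from the built artefact, so the useful check is on the shipped jar itself. The following is an added example, not code from the thread or from the zookeeper package: it lists the jar entries that would only be present if the Netty connection factory was compiled in or a Netty library was shaded into the jar. The jar path and the constructed sample jars are assumptions for illustration.

```python
"""Check whether a built ZooKeeper jar still carries Netty-backed classes."""
import io
import re
import sys
import zipfile

# Entry names that would only exist if the Netty connection factory was
# compiled in, or if a Netty dependency was bundled (shaded) into the jar.
NETTY_PATTERNS = (
    re.compile(r"org/apache/zookeeper/server/Netty\w*\.class$"),
    re.compile(r"^(io|org/jboss)/netty/"),
)


def netty_entries(jar_bytes):
    """Return the sorted jar entries matching NETTY_PATTERNS."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(name for name in jar.namelist()
                      if any(p.search(name) for p in NETTY_PATTERNS))


def check_jar(jar_bytes):
    """Summarise the finding so a packaging check can act on it."""
    hits = netty_entries(jar_bytes)
    return {"netty_present": bool(hits), "entries": hits}


def build_sample_jar(with_netty):
    """Constructed sample jar (assumption: not a real build artefact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # The NIO factory is present either way; it is the default transport.
        jar.writestr("org/apache/zookeeper/server/NIOServerCnxnFactory.class", b"")
        jar.writestr("org/apache/zookeeper/server/ServerCnxnFactory.class", b"")
        if with_netty:
            jar.writestr("org/apache/zookeeper/server/NettyServerCnxnFactory.class", b"")
            jar.writestr("org/apache/zookeeper/server/NettyServerCnxn.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_netty.py /usr/share/java/zookeeper.jar (path is an assumption)
    with open(sys.argv[1], "rb") as fh:
        result = check_jar(fh.read())
    print("Netty classes present:", result["netty_present"])
    for entry in result["entries"]:
        print("  ", entry)
```

A jar built with the Debian patch applied should report no entries; any hit means the patch did not take effect or a Netty library was bundled.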