Your message dated Wed, 13 Nov 2024 19:54:04 +0000
with message-id <e1tbjre-00cl2y...@fasolo.debian.org>
and subject line Bug#1087275: fixed in zookeeper 3.9.3-1
has caused the Debian Bug report #1087275,
regarding zookeeper: CVE-2024-51504
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1087275: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087275
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: zookeeper
Version: 3.9.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for zookeeper.
CVE-2024-51504[0]:
| When using IPAuthenticationProvider in ZooKeeper Admin Server there
| is a possibility of Authentication Bypass by Spoofing -- this only
| impacts IP based authentication implemented in ZooKeeper Admin
| Server. Default configuration of client's IP address detection
| in IPAuthenticationProvider, which uses HTTP request headers, is
| weak and allows an attacker to bypass authentication via spoofing
| client's IP address in request headers. Default configuration honors
| X-Forwarded-For HTTP header to read client's IP address.
| X-Forwarded-For request header is mainly used by proxy servers to
| identify the client and can be easily spoofed by an attacker
| pretending that the request comes from a different IP address. Admin
| Server commands, such as snapshot and restore arbitrarily can be
| executed on successful exploitation which could potentially lead to
| information leakage or service availability issues. Users are
| recommended to upgrade to version 3.9.3, which fixes this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-51504
https://www.cve.org/CVERecord?id=CVE-2024-51504
[1] https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh
[2] https://issues.apache.org/jira/browse/ZOOKEEPER-4851
Regards,
Salvatore
--- End Message ---
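To make the weakness in the CVE text above concrete, here is an added illustration; it is not part of the bug report, of the CVE record, or of ZooKeeper's own IPAuthenticationProvider code. It models a generic HTTP admin endpoint that authorizes by client IP: the "weak" resolver believes the first entry of X-Forwarded-For no matter who sent it, so a direct connection can claim any address; the "hardened" resolver only consults the header when the TCP peer is one of the operator's own reverse proxies, and even then takes the hop appended by that proxy rather than the leftmost value. The class name, the method names and all addresses (10.0.0.2, 10.0.0.5, 203.0.113.7) are constructed for the example; the actual fix, per the report, is upgrading to 3.9.3.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative (hypothetical, not ZooKeeper's) client-address resolution
 * for an IP-based authorization check sitting behind an HTTP admin endpoint.
 */
public class ClientAddressResolver {

    /** Weak: trusts whatever the request says about its own origin. */
    static String weakClientAddress(String peerAddress, Map<String, String> headers) {
        String xff = headers.get("X-Forwarded-For");
        if (xff != null && !xff.isEmpty()) {
            // The leftmost hop is whatever the sender wrote; nothing verifies it.
            return xff.split(",")[0].trim();
        }
        return peerAddress;
    }

    /**
     * Hardened: the header is only consulted when the TCP peer is a known
     * reverse proxy, and only the hop appended by a trusted proxy is believed.
     * A direct connection is identified by its socket peer address alone.
     */
    static String hardenedClientAddress(String peerAddress, Map<String, String> headers,
                                        Set<String> trustedProxies) {
        if (!trustedProxies.contains(peerAddress)) {
            // Not one of our proxies: the header is attacker-controlled, ignore it.
            return peerAddress;
        }
        String xff = headers.get("X-Forwarded-For");
        if (xff == null || xff.isEmpty()) {
            return peerAddress;
        }
        List<String> hops = Arrays.asList(xff.split(","));
        // Walk right to left: the rightmost entry was appended by the proxy that
        // connected to us; step over further trusted proxies until the first
        // address we did not add ourselves.
        for (int i = hops.size() - 1; i >= 0; i--) {
            String hop = hops.get(i).trim();
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return peerAddress;
    }

    /** The authorization decision itself: a plain allow-list lookup. */
    static boolean isAllowed(String clientAddress, Set<String> allowList) {
        return allowList.contains(clientAddress);
    }

    public static void main(String[] args) {
        // Constructed deployment: one permitted admin host, one trusted reverse proxy.
        Set<String> allowList = Collections.singleton("10.0.0.5");
        Set<String> trustedProxies = Collections.singleton("10.0.0.2");

        // Constructed request: an unrelated host connects directly and writes the
        // permitted address into the header.
        String directPeer = "203.0.113.7";
        Map<String, String> forged = Collections.singletonMap("X-Forwarded-For", "10.0.0.5");

        System.out.println("weak, direct forged request allowed?     "
                + isAllowed(weakClientAddress(directPeer, forged), allowList));
        System.out.println("hardened, direct forged request allowed? "
                + isAllowed(hardenedClientAddress(directPeer, forged, trustedProxies), allowList));

        // Constructed legitimate request: the admin host reaches us through the trusted proxy,
        // which appends the real client address.
        Map<String, String> viaProxy = Collections.singletonMap("X-Forwarded-For", "10.0.0.5");
        System.out.println("hardened, request via trusted proxy allowed? "
                + isAllowed(hardenedClientAddress("10.0.0.2", viaProxy, trustedProxies), allowList));
    }
}
```

Running main prints that the weak resolver admits the directly connected forged request while the hardened one rejects it, and that the hardened resolver still admits the same header when it arrives from the trusted proxy. The design point is that a forwarding header is only as trustworthy as the peer that sent it, so a deployment that does not terminate admin traffic at a known proxy should authorize on the socket address alone.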
--- Begin Message ---
Source: zookeeper
Source-Version: 3.9.3-1
Done: Pierre Gruet <p...@debian.org>
We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1087...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pierre Gruet <p...@debian.org> (supplier of updated zookeeper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 12 Nov 2024 17:43:34 +0100
Source: zookeeper
Architecture: source
Version: 3.9.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Pierre Gruet <p...@debian.org>
Closes: 1080846 1087275
Changes:
zookeeper (3.9.3-1) unstable; urgency=medium
.
* Team upload
* New upstream version 3.9.3:
- Fixes CVE-2024-51504 (Closes: #1087275)
* Refreshing patches
* Adding Build-Depends on python3-setuptools (Closes: #1080846)
* Updating the path to the built javadoc for installation in the -doc package
* Adding a patch for the Debian-package version of netty
* Updating the list of tests to skip for network reasons
Checksums-Sha1:
04568fe64b23656b402d5cada7ee1fa1ca05acc8 3767 zookeeper_3.9.3-1.dsc
f39280c8cbe58075a84ec4b693d6c1916ae80aab 4690314 zookeeper_3.9.3.orig.tar.gz
dc4553bbb63c4c280307660b396db08027963789 858 zookeeper_3.9.3.orig.tar.gz.asc
5bc0daf53022c8f29b935fb44b74bdcb0ac9f5a2 90840 zookeeper_3.9.3-1.debian.tar.xz
7e7269f6e97f2e981b63cad23c37644e82231519 18193 zookeeper_3.9.3-1_source.buildinfo
Checksums-Sha256:
4b98326fed10c97047d9d6295b9075f236a683ee347f6d798bb1ef906e7a4b3c 3767 zookeeper_3.9.3-1.dsc
8bf0b9f872b3c0a6e64f8bc55ffb44cbff6e2712f6467ee5164ca6847466b31b 4690314 zookeeper_3.9.3.orig.tar.gz
7fddae55e877c609fe84e781fd3cebf792de124b9c5de5e76d99d3b1eda504b4 858 zookeeper_3.9.3.orig.tar.gz.asc
0c83b49d84c325c16d07bd7f81fb1910dc69e04e410fbe3601098f436433eb2b 90840 zookeeper_3.9.3-1.debian.tar.xz
bcd7f02483d92a470437cb8c742fab9add5d01ca8fa62fe6903c7d2548dcd481 18193 zookeeper_3.9.3-1_source.buildinfo
Files:
ae8f83d7d78eb041f71d8fb1c0454e53 3767 java optional zookeeper_3.9.3-1.dsc
09b9ddeeff2a48bc5a2b227bcae35677 4690314 java optional zookeeper_3.9.3.orig.tar.gz
e9abb61b2ec88bcfb17acee103f9a2e6 858 java optional zookeeper_3.9.3.orig.tar.gz.asc
15be0864ca1931a23b29f93744a51efe 90840 java optional zookeeper_3.9.3-1.debian.tar.xz
824dc07e73de4f2112fe9a12134f453d 18193 java optional zookeeper_3.9.3-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---