Source: zookeeper
Version: 3.9.3-2
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/ZOOKEEPER-4964
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3.9.3-1

Hi,

The following vulnerability was published for zookeeper.

CVE-2025-58457[0]:
| Improper permission check in ZooKeeper AdminServer lets authorized
| clients to run snapshot and restore command with insufficient
| permissions. This issue affects Apache ZooKeeper: from 3.9.0 before
| 3.9.4. Users are recommended to upgrade to version 3.9.4, which
| fixes the issue. The issue can be mitigated by disabling both
| commands (via admin.snapshot.enabled and admin.restore.enabled),
| disabling the whole AdminServer interface (via admin.enableServer),
| or ensuring that the root ACL does not provide open permissions.
| (Note that ZooKeeper ACLs are not recursive, so this does not impact
| operations on child nodes besides notifications from recursive
| watches.)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58457
    https://www.cve.org/CVERecord?id=CVE-2025-58457
[1] https://issues.apache.org/jira/browse/ZOOKEEPER-4964
[2] https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx

Regards,
Salvatore

-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
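The two zoo.cfg mitigations named in the advisory (disable both the snapshot and restore commands, or disable the AdminServer altogether) can be checked mechanically before an upgrade to 3.9.4 lands. The following is an added example, not Debian's or Apache ZooKeeper's own code: it parses a zoo.cfg, reports whether either config-level mitigation is in effect, and treats a config where only one of the two commands is disabled as still exposed. The default of `true` assumed for `admin.enableServer`, `admin.snapshot.enabled` and `admin.restore.enabled` when a key is absent is an assumption to confirm against the admin guide for the deployed version; the sample configs are constructed. The third mitigation (a root ACL without open permissions) lives in the data tree rather than in zoo.cfg, so the checker only flags it as not covered.

```python
"""Audit a ZooKeeper zoo.cfg for the CVE-2025-58457 config-level mitigations.

Added example, not Debian's or Apache ZooKeeper's code. The defaults in
ASSUMED_DEFAULTS are an assumption (all three keys taken as "true" when
absent on 3.9.x); verify against the admin guide for your version.
"""
from __future__ import annotations

# Assumed 3.9.x defaults applied when a key is missing from zoo.cfg.
ASSUMED_DEFAULTS: dict[str, str] = {
    "admin.enableServer": "true",
    "admin.snapshot.enabled": "true",
    "admin.restore.enabled": "true",
}


def parse_zoo_cfg(text: str) -> dict[str, str]:
    """Parse the key=value properties subset used by zoo.cfg.

    Blank lines and '#' comments are skipped, whitespace around keys and
    values is stripped, and a later duplicate key overrides an earlier one,
    matching how a Java Properties load behaves.
    """
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip comments and stray tokens instead of aborting
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def check_adminserver_mitigation(cfg: dict[str, str]) -> dict:
    """Evaluate the two zoo.cfg mitigations from the advisory.

    'mitigated' is True only when the AdminServer is off, or when BOTH the
    snapshot and restore commands are off; disabling just one leaves the
    other command reachable. The root-ACL mitigation is not a config key,
    so it is reported as not checked here.
    """
    effective = {k: cfg.get(k, d) for k, d in ASSUMED_DEFAULTS.items()}
    adminserver_off = not _is_true(effective["admin.enableServer"])
    both_commands_off = (
        not _is_true(effective["admin.snapshot.enabled"])
        and not _is_true(effective["admin.restore.enabled"])
    )
    return {
        "effective": effective,
        "adminserver_disabled": adminserver_off,
        "snapshot_and_restore_disabled": both_commands_off,
        "mitigated": adminserver_off or both_commands_off,
        "root_acl_checked": False,
    }


def audit(text: str) -> bool:
    """True when a config-level mitigation from the advisory is in place."""
    return check_adminserver_mitigation(parse_zoo_cfg(text))["mitigated"]


# Constructed sample configs; not taken from any real deployment.
SAMPLE_DEFAULT_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
"""

SAMPLE_PARTIAL_CFG = SAMPLE_DEFAULT_CFG + """\
# Only one of the two commands disabled: restore is still reachable.
admin.snapshot.enabled=false
"""

SAMPLE_MITIGATED_CFG = SAMPLE_DEFAULT_CFG + """\
# CVE-2025-58457 mitigation: disable both AdminServer commands.
admin.snapshot.enabled=false
admin.restore.enabled=false
"""

SAMPLE_NO_ADMIN_CFG = SAMPLE_DEFAULT_CFG + """\
# Alternative mitigation: turn the AdminServer interface off entirely.
admin.enableServer=false
"""

if __name__ == "__main__":
    for name, text in (
        ("default", SAMPLE_DEFAULT_CFG),
        ("partial", SAMPLE_PARTIAL_CFG),
        ("mitigated", SAMPLE_MITIGATED_CFG),
        ("no-adminserver", SAMPLE_NO_ADMIN_CFG),
    ):
        result = check_adminserver_mitigation(parse_zoo_cfg(text))
        print(f"{name}: mitigated={result['mitigated']} "
              f"effective={result['effective']}")
```

Run it against a real `/etc/zookeeper/conf/zoo.cfg` by reading the file and passing its contents to `audit()`; a `False` result on a 3.9.0 to 3.9.3 install means the AdminServer snapshot and restore commands are still exposed and the root ACL is the only remaining line of defence until 3.9.4 is installed.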
