Bug#990345: zookeeper: various security issues

2022-01-28 Thread Christoph Anton Mitterer
Further for the records (for a future upgrade to newer ZK versions):

There will likely need to be a NEWS.Debian entry about the following:
https://issues.apache.org/jira/browse/ZOOKEEPER-3056

In short:
- apparently they've added a check that prevents ZK from starting, when no snapshots were fou

Bug#990345: zookeeper: various security issues

2021-07-17 Thread tony mancill
On Fri, Jul 16, 2021 at 06:43:53AM +0200, Christoph Anton Mitterer wrote:
> On Thu, 2021-07-15 at 21:18 -0700, tony mancill wrote:
> > This is certainly a valid point.  There is not time to change the
> > situation for bullseye aside from filing an RM bug to prevent the
> > package from shipping wi

Bug#990345: zookeeper: various security issues

2021-07-15 Thread Christoph Anton Mitterer
On Thu, 2021-07-15 at 21:18 -0700, tony mancill wrote:
> The Debian package disables building against Netty via this patch:
> https://salsa.debian.org/java-team/zookeeper/-/blob/master/debian/patches/13-disable-netty-connection-factory.patch

Ah I see.

> This is certainly a valid point.  There i

Bug#990345: zookeeper: various security issues

2021-07-15 Thread tony mancill
On Sun, Jun 27, 2021 at 03:12:35PM +0200, Christoph Anton Mitterer wrote:
> On Sun, 2021-06-27 at 14:46 +0200, Salvatore Bonaccorso wrote:
> > To me this looks like CVEs in other products, but which zookeeper
> > uses
> > as dependency? Is this correct?
>
> Indeed, but I couldn't find that the zoo

Bug#990345: zookeeper: various security issues

2021-06-27 Thread Christoph Anton Mitterer
Hey.

On Sun, 2021-06-27 at 14:46 +0200, Salvatore Bonaccorso wrote:
> To me this looks like CVEs in other products, but which zookeeper
> uses
> as dependency? Is this correct?

Indeed, but I couldn't find that the zookeeper package depends on these while it does contain:

zookeeper-3.4.13/src$ fin

Bug#990345: zookeeper: various security issues

2021-06-27 Thread Salvatore Bonaccorso
[Disclaimer, not the package maintainer, but quickly checked your report for tracking within the security team]

On Sat, Jun 26, 2021 at 01:50:44PM +0200, Christoph Anton Mitterer wrote:
> Source: zookeeper
> Version: 3.4.13-6
> Severity: grave
> Tags: security
> Justification: user security hole
>

Bug#990345: zookeeper: various security issues

2021-06-26 Thread Christoph Anton Mitterer
Source: zookeeper
Version: 3.4.13-6
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team

Hi.

The release notes for https://zookeeper.apache.org/doc/r3.6.3/releasenotes.html list various security issues:
CVE-2020-25649
CVE-2021-21295
CVE-2021-28165