• bookworm-pu: package zookeeper/3.8.0-11+deb12u2 (1/2)

    From Bastien Roucariès@21:1/5 to Debian Bug Tracking System on Fri Apr 12 22:17:46 2024
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: zookeeper@packages.debian.org
    Control: affects -1 + src:zookeeper
    User: release.debian.org@packages.debian.org
    Usertags: pu


    [ Reason ]
    CVE-2024-23944 (Closes: #1066947):
    An information disclosure in persistent watchers handling was found in
    Apache ZooKeeper due to missing ACL check. It allows an attacker to
    monitor child znodes by attaching a persistent watcher (addWatch
    command) to a parent which the attacker has already access
    to. ZooKeeper server doesn't do ACL check when the persistent watcher
    is triggered and as a consequence, the full path of znodes that a
    watch event gets triggered upon is exposed to the owner of the
    watcher. It's important to note that only the path is exposed by this
    vulnerability, not the data of znode, but since znode path can contain
    sensitive information like user name or login ID, this issue is
    potentially critical.

    [ Impact ]
    CVE-2024-23944 is not fixed

    [ Tests ]
    Full upstream testsuite run at build time

    [ Risks ]
    None known

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]
    See debdiff

    Content-Disposition: attachment; filename="debdiff.diff"
    Content-Transfer-Encoding: quoted-printable
    Content-Type: text/x-patch; charset="x-UTF_8J"; name="debdiff.diff"

    diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog
    --- zookeeper-3.8.0/debian/changelog 2023-10-29 07:57:11.000000000 +0000
    +++ zookeeper-3.8.0/debian/changelog 2024-03-25 08:30:56.000000000 +0000
    @@ -1,3 +1,22 @@
    +zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium
    +
    + * Team upload
    + * Bug fix: CVE-2024-23944 (Closes: #1066947):
    + An information disclosure in persistent watchers handling was found in
    + Apache ZooKeeper due to missing ACL check. It allows an attacker to
    + monitor child znodes by attaching a persistent watcher (addWatch
    + command) to a parent which the attacker has already access
    + to. ZooKeeper server doesn't do ACL check when the persistent watcher
    + is triggered and as a consequence, the full path of znodes that a
    + watch event gets triggered upon is exposed to the owner of the
    + watcher. It's important to note that only the path is exposed by this
    + vulnerability, not the data of znode, but since znode path can contain
    + sensitive information like user name or login ID, this issu
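
Review bot: the distribution in the new changelog header, `zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium`, does not match the request, which is filed as a `pu` usertag against release.debian.org with `Tags: bookworm`. If this upload is meant to go through proposed-updates for a point release, set the distribution to `bookworm`; if it is meant for the security archive, the request belongs with the security team instead. The entry also only restates the CVE description in the visible lines, so it would help to name the patch file or the upstream commit being applied, so the "all changes are documented in the d/changelog" checklist item can be checked against the rest of the debdiff.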