XPost: linux.debian.devel.release
This is a multi-part message in MIME format.
--nextPart2247054.GVYjl3dcFh
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="UTF-8"
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc:
zookeeper@packages.debian.org
Control: affects -1 + src:zookeeper
User:
release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
CVE-2024-23944 (Closes: #1066947):
An information disclosure in persistent watchers handling was found in
Apache ZooKeeper due to missing ACL check. It allows an attacker to
monitor child znodes by attaching a persistent watcher (addWatch
command) to a parent which the attacker has already access
to. ZooKeeper server doesn't do ACL check when the persistent watcher
is triggered and as a consequence, the full path of znodes that a
watch event gets triggered upon is exposed to the owner of the
watcher. It's important to note that only the path is exposed by this
vulnerability, not the data of znode, but since znode path can contain
sensitive information like user name or login ID, this issue is
potentially critical.
[ Impact ]
CVE-2024-23944 is not fixed
[ Tests ]
Full upstream testsuite run at build time
[ Risks ]
None know
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
See debdiff
--nextPart2247054.GVYjl3dcFh
Content-Disposition: attachment; filename="debdiff.diff" Content-Transfer-Encoding: quoted-printable
Content-Type: text/x-patch; charset="x-UTF_8J"; name="debdiff.diff"
diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog
--- zookeeper-3.8.0/debian/changelog 2023-10-29 07:57:11.000000000 +0000
+++ zookeeper-3.8.0/debian/changelog 2024-03-25 08:30:56.000000000 +0000
@@ -1,3 +1,22 @@
+zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium
+
+ * Team upload
+ * Bug fix: CVE-2024-23944 (Closes: #1066947):
+ An information disclosure in persistent watchers handling was found in
+ Apache ZooKeeper due to missing ACL check. It allows an attacker to
+ monitor child znodes by attaching a persistent watcher (addWatch
+ command) to a parent which the attacker has already access
+ to. ZooKeeper server doesn't do ACL check when the persistent watcher
+ is triggered and as a consequence, the full path of znodes that a
+ watch event gets triggered upon is exposed to the owner of the
+ watcher. It's important to note that only the path is exposed by this
+ vulnerability, not the data of znode, but since znode path can contain
+ sensitive information like user name or login ID, this issu