Package: src:librdkafka
Version: 1.3.0-1
Severity: important
Tags: patch security upstream

Dear maintainers,

Upstream for librdkafka has recently released version 1.4.0 of the library[1].

[1] https://github.com/edenhill/librdkafka/releases/tag/v1.4.0

The release notes mention two security issues[2,3] in the way SASL/SCRAM authentication was implemented. SASL/SCRAM was introduced in v0.11.0, and the offending code was introduced at that point[4], so the security bug affects the version in stable as well.

[2] https://github.com/edenhill/librdkafka/commit/9b468d2fafbdc23f2326e174a6bd92e70457ce6d
[3] https://github.com/edenhill/librdkafka/commit/8f7a4c858afc8ff24672426473448c3e0c56cfc3
[4] https://github.com/edenhill/librdkafka/blob/v0.11.0/src/rdkafka_sasl_scram.c lines 91 (nonce bug) and 340-341 (buffer overflow)

I guess these patches could be uploaded as a stable update (but I haven't looked at older security fixes to see if some more would be relevant).

I've prepared the update for sid[5] and I can upload it if you'd like (I'm currently using a package of a git checkout of a pre-1.4.0 commit in production, and will update to 1.4.0 there anyway).

[5] https://salsa.debian.org/olasd/librdkafka branches debian/sid and pristine-tar

Thanks for your work!

Nicolas

-- System Information:
Debian Release: bullseye/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled