Hi Andor, Li,
> […] add it to the master branch.
>
> Damien, would you please take care of that?
Yes, I will do so.
>> We are in 3.7.2 and may need to patch it ourselves.
>>
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c
Indeed. There was even a release candidate for 3.7.3, which is to be
abandoned. (But see attached email in case it helps.)
Cheers, -D
Andor Molnar <an...@apache.org> writes:
> Hi Li,
>
> That's the right ticket.
>
> I've just updated the Jira ticket with the links to the commits.
> There's no PR since it was a security fix, but looks like we forgot to
> add it to the master branch.
>
> Damien, would you please take care of that?
>
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c
>
> Regards,
> Andor
>
>
>
> On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote:
>> Thanks, Andor.
>>
>> Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
>> JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status
>> is
>> still OPEN and there is no PR link there.
>>
>> https://issues.apache.org/jira/browse/ZOOKEEPER-4799
>>
>> We are in 3.7.2 and may need to patch it ourselves.
>>
>> Best,
>>
>> Li
>>
>>
>>
>> On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar <an...@apache.org>
>> wrote:
>>
>> > Severity: critical
>> >
>> > Affected versions:
>> >
>> > - Apache ZooKeeper 3.9.0 through 3.9.1
>> > - Apache ZooKeeper 3.8.0 through 3.8.3
>> > - Apache ZooKeeper 3.6.0 through 3.7.2
>> >
>> > Description:
>> >
>> > Information disclosure in persistent watchers handling in Apache
>> > ZooKeeper
>> > due to missing ACL check. It allows an attacker to monitor child
>> > znodes by
>> > attaching a persistent watcher (addWatch command) to a parent which
>> > the
>> > attacker has already access to. ZooKeeper server doesn't do ACL
>> > check when
>> > the persistent watcher is triggered and as a consequence, the full
>> > path of
>> > znodes that a watch event gets triggered upon is exposed to the
>> > owner of
>> > the watcher. It's important to note that only the path is exposed
>> > by this
>> > vulnerability, not the data of znode, but since znode path can
>> > contain
>> > sensitive information like user name or login ID, this issue is
>> > potentially
>> > critical.
>> >
>> > Users are recommended to upgrade to version 3.9.2, 3.8.4 which
>> > fixes the
>> > issue.
>> >
>> > Credit:
>> >
>> > 周吉安(寒泉) <zhoujian....@alibaba-inc.com> (reporter)
>> >
>> > References:
>> >
>> > https://zookeeper.apache.org/
>> > https://www.cve.org/CVERecord?id=CVE-2024-23944
>> >
>> >
--- Begin Message ---
Greetings, all!
This is a release candidate for 3.7.3.
This is a bugfix release for the (EOL) 3.7 release line. It includes a
last batch of important dependency upgrades to address CVEs. Note that
we don't expect to provide further updates: users should upgrade to 3.8.
The full release notes is available at:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12353692
*** Please download, test and vote by February 16th 2024, 23:59 UTC+0. ***
Source files:
https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.3-candidate-0/
Maven staging repo:
https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.7.3/
The release candidate tag in git to be voted upon: release-3.7.3-0
https://github.com/apache/zookeeper/releases/tag/release-3.7.3-0
ZooKeeper's KEYS file containing PGP keys we use to sign the release:
https://www.apache.org/dist/zookeeper/KEYS
The staging version of the website is:
https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.3-candidate-0/website/index.html
Should we release this candidate?
Regards,
Damien Diederen
--- End Message ---
