Hi Andor, Li,

> […] add it to the master branch.
>
> Damien, would you please take care of that?

Yes, I will do so.

>> We are in 3.7.2 and may need to patch it ourselves.
>> 
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c

Indeed.  There was even a release candidate for 3.7.3, which is to be
abandoned.  (But see attached email in case it helps.)

Cheers, -D

Andor Molnar <an...@apache.org> writes:
> Hi Li,
>
> That's the right ticket.
>
> I've just updated the Jira ticket with the links to the commits.
> There's no PR since it was a security fix, but looks like we forgot to
> add it to the master branch.
>
> Damien, would you please take care of that?
>
> Btw, we don't plan to fix it in the 3.7 release line, but the patch is
> already on the branch for your convenience:
> 29c7b9462681f47c2ac12e609341cf9f52abac5c
>
> Regards,
> Andor
>
>
>
> On Thu, 2024-03-14 at 12:58 -0700, Li Wang wrote:
>> Thanks, Andor.
>> 
>> Do you have the PR link for the fix in 3.9.2 and 3.8.4? There is a
>> JIRA ticket in the release notes of 3.9.2 and 3.8.4, but the status is
>> still OPEN and there is no PR link there.
>> 
>> https://issues.apache.org/jira/browse/ZOOKEEPER-4799
>> 
>> We are in 3.7.2 and may need to patch it ourselves.
>> 
>> Best,
>> 
>> Li
>> 
>> 
>> 
>> On Thu, Mar 14, 2024 at 8:52 AM Andor Molnar <an...@apache.org>
>> wrote:
>> 
>> > Severity: critical
>> > 
>> > Affected versions:
>> > 
>> > - Apache ZooKeeper 3.9.0 through 3.9.1
>> > - Apache ZooKeeper 3.8.0 through 3.8.3
>> > - Apache ZooKeeper 3.6.0 through 3.7.2
>> > 
>> > Description:
>> > 
>> > Information disclosure in persistent watchers handling in Apache ZooKeeper
>> > due to missing ACL check. It allows an attacker to monitor child znodes by
>> > attaching a persistent watcher (addWatch command) to a parent which the
>> > attacker already has access to. ZooKeeper server doesn't do an ACL check
>> > when the persistent watcher is triggered and as a consequence, the full
>> > path of znodes that a watch event gets triggered upon is exposed to the
>> > owner of the watcher. It's important to note that only the path is exposed
>> > by this vulnerability, not the data of znode, but since znode path can
>> > contain sensitive information like user name or login ID, this issue is
>> > potentially critical.
>> > 
>> > Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the
>> > issue.
>> > 
>> > Credit:
>> > 
>> > 周吉安(寒泉) <zhoujian....@alibaba-inc.com> (reporter)
>> > 
>> > References:
>> > 
>> > https://zookeeper.apache.org/
>> > https://www.cve.org/CVERecord?id=CVE-2024-23944
>> > 
>> > 

--- Begin Message ---
Greetings, all!


This is a release candidate for 3.7.3.

This is a bugfix release for the (EOL) 3.7 release line.  It includes a
last batch of important dependency upgrades to address CVEs.  Note that
we don't expect to provide further updates: users should upgrade to 3.8.


The full release notes are available at:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801&version=12353692

*** Please download, test and vote by February 16th 2024, 23:59 UTC+0. ***

Source files:
https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.3-candidate-0/

Maven staging repo:
https://repository.apache.org/content/groups/staging/org/apache/zookeeper/zookeeper/3.7.3/

The release candidate tag in git to be voted upon: release-3.7.3-0
https://github.com/apache/zookeeper/releases/tag/release-3.7.3-0

ZooKeeper's KEYS file containing PGP keys we use to sign the release:
https://www.apache.org/dist/zookeeper/KEYS

The staging version of the website is:
https://dist.apache.org/repos/dist/dev/zookeeper/zookeeper-3.7.3-candidate-0/website/index.html


Should we release this candidate?


Regards,
Damien Diederen

--- End Message ---
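To make the advisory's point concrete, here is an added toy model of persistent-watch dispatch, with and without an ACL check applied at the moment a watch event fires. It is not ZooKeeper's code and not the actual patch for ZOOKEEPER-4799; the `Watch`/`dispatch_create`/`demo` names, the znode tree and the sessions `alice` and `bob` are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, simplified model of persistent-watch dispatch (not ZooKeeper's
# own code); it illustrates the missing ACL check described in the advisory.
READ = "r"
Tree = Dict[str, Dict[str, set]]  # znode path -> {session: permissions}

@dataclass(frozen=True)
class Watch:
    session: str     # session that issued addWatch
    path: str        # znode the watch is attached to (READ on it is required)
    recursive: bool  # PERSISTENT_RECURSIVE vs PERSISTENT

def can_read(tree: Tree, session: str, path: str) -> bool:
    return READ in tree.get(path, {}).get(session, set())

def dispatch_create(tree: Tree, watches: List[Watch], created: str,
                    check_acl: bool) -> Dict[str, List[Tuple[str, str]]]:
    """Return {session: [(event, path)]} triggered by creating `created`."""
    parent = created.rsplit("/", 1)[0] or "/"
    delivered: Dict[str, List[Tuple[str, str]]] = {}
    for w in watches:
        if w.recursive and created.startswith(w.path.rstrip("/") + "/"):
            event = ("NodeCreated", created)         # carries the child's full path
        elif not w.recursive and w.path == parent:
            event = ("NodeChildrenChanged", parent)  # carries only the parent path
        else:
            continue
        # Hardened variant: READ on the watched parent is not enough; the
        # owner must also hold READ on the znode named in the event.
        if check_acl and not can_read(tree, w.session, event[1]):
            continue
        delivered.setdefault(w.session, []).append(event)
    return delivered

def demo() -> Tuple[dict, dict]:
    # Constructed tree: bob may read /secret but not alice's child znode.
    tree: Tree = {"/secret": {"alice": {READ}, "bob": {READ}},
                  "/secret/alice-login-id": {"alice": {READ}}}
    watches = [Watch("bob", "/secret", True), Watch("bob", "/secret", False),
               Watch("alice", "/secret", True)]
    created = "/secret/alice-login-id"
    return (dispatch_create(tree, watches, created, check_acl=False),
            dispatch_create(tree, watches, created, check_acl=True))
```

In the unchecked variant `bob` learns the path `/secret/alice-login-id` through his recursive watch; with the check he still gets the harmless `NodeChildrenChanged` on `/secret`, and `alice` is unaffected either way.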
