Hey. On Sun, 2021-06-27 at 14:46 +0200, Salvatore Bonaccorso wrote: > To me this looks like CVEs in other products, but which zookeeper > uses > as dependency? Is this correct?
Indeed, but I couldn't find that the zookeeper package depends on these while it does contain: zookeeper-3.4.13/src$ find . -iname "*nett*" ./java/main/org/apache/zookeeper/server/NettyServerCnxnFactory.java ./java/main/org/apache/zookeeper/server/NettyServerCnxn.java ./java/test/org/apache/zookeeper/server/NettyServerCnxnTest.java ./java/test/org/apache/zookeeper/test/NioNettySuiteTest.java ./java/test/org/apache/zookeeper/test/NioNettySuiteHammerTest.java ./java/test/org/apache/zookeeper/test/NioNettySuiteBase.java ... so I figured these might still be affected? And apart from that... if they apparently don't support older versions anymore, we'd like not even notice should these contain any security issues. Cheers, Chris. __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.