Your message dated Sat, 28 Oct 2023 18:51:58 +0000
with message-id <e1qwope-000ol1...@fasolo.debian.org>
and subject line Bug#1054224: fixed in zookeeper 3.9.1-1
has caused the Debian Bug report #1054224,
regarding zookeeper: CVE-2023-44981
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054224: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054224
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: zookeeper
Version: 3.8.0-11
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.4.13-6

Hi,

The following vulnerability was published for zookeeper.

CVE-2023-44981[0]:
| Authorization Bypass Through User-Controlled Key vulnerability in
| Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in
| ZooKeeper (quorum.auth.enableSasl=true), the authorization is done
| by verifying that the instance part in SASL authentication ID is
| listed in zoo.cfg server list. The instance part in SASL auth ID is
| optional and if it's missing, like 'e...@example.com', the
| authorization check will be skipped. As a result an arbitrary
| endpoint could join the cluster and begin propagating counterfeit
| changes to the leader, essentially giving it complete read-write
| access to the data tree. Quorum Peer authentication is not enabled
| by default.  Users are recommended to upgrade to version 3.9.1,
| 3.8.3, 3.7.2, which fixes the issue.  Alternately ensure the
| ensemble election/quorum communication is protected by a firewall as
| this will mitigate the issue.  See the documentation for more
| details on correct cluster administration.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44981
    https://www.cve.org/CVERecord?id=CVE-2023-44981
[1] https://www.openwall.com/lists/oss-security/2023/10/11/4
[2] https://github.com/apache/zookeeper/commit/96b3172ca249a8580e9a315d589d319286cee4ee

Regards,
Salvatore

--- End Message ---
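The quorum-peer authorization logic described in the CVE text above, modelled as an added example (not ZooKeeper's own code). It assumes a Kerberos-style authorization ID of the form primary[/instance][@realm] and zoo.cfg entries of the form server.N=host:port:port; the `patched` flag reproduces the pre-fix "check skipped" behaviour beside the fail-closed form.

```python
"""Model of the ZooKeeper quorum-peer SASL authorization check around
CVE-2023-44981 (added illustration, not ZooKeeper's own code).

Assumptions (ours, not from the CVE text): an authorization ID of the
form primary[/instance][@realm]; zoo.cfg server lines of the form
'server.N=host:port:port'. Host names are compared case-insensitively.
"""
import re
from typing import Optional, Set

SERVER_LINE = re.compile(r"^\s*server\.\d+\s*=\s*([^:\s]+)")


def ensemble_hosts(zoo_cfg: str) -> Set[str]:
    """Collect the host names listed as server.N entries in a zoo.cfg."""
    hosts = set()
    for line in zoo_cfg.splitlines():
        m = SERVER_LINE.match(line)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def instance_part(auth_id: str) -> Optional[str]:
    """Return the instance of primary/instance@realm, or None if absent."""
    principal = auth_id.split("@", 1)[0]
    if "/" not in principal:
        return None
    return principal.split("/", 1)[1] or None


def authorize_peer(auth_id: str, zoo_cfg: str, patched: bool = True) -> bool:
    """Decide whether a SASL-authenticated peer may join the quorum.

    patched=False reproduces the pre-fix behaviour the CVE describes: an
    ID with no instance part skipped the check and was accepted.
    patched=True rejects such IDs (fail closed) and otherwise requires
    the instance to name a host from the configured server list.
    """
    instance = instance_part(auth_id)
    if instance is None:
        return not patched  # unpatched: check skipped; patched: denied
    return instance.lower() in ensemble_hosts(zoo_cfg)


# Constructed sample configuration for demonstration only.
ZOO_CFG = """\
tickTime=2000
quorum.auth.enableSasl=true
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888
"""
```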
--- Begin Message ---
Source: zookeeper
Source-Version: 3.9.1-1
Done: Pierre Gruet <p...@debian.org>

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Gruet <p...@debian.org> (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 28 Oct 2023 19:07:58 +0200
Source: zookeeper
Architecture: source
Version: 3.9.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Pierre Gruet <p...@debian.org>
Closes: 1054224
Changes:
 zookeeper (3.9.1-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 3.9.1 (Closes: #1054224)
     Fixes CVE-2023-44981
   * Refreshing patches
   * Updating Maven rules and ignoreRules
   * Correcting/excluding more tests, adding them to existing patches
   * Omitting tests needing unpackaged org.burningwave


--- End Message ---