Your message dated Sat, 04 Nov 2023 12:49:14 +0000
with message-id <e1qzg5s-001ify...@fasolo.debian.org>
and subject line Bug#1054224: fixed in zookeeper 3.4.13-6+deb11u1
has caused the Debian Bug report #1054224,
regarding zookeeper: CVE-2023-44981
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054224: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054224
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: zookeeper
Version: 3.8.0-11
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.4.13-6

Hi,

The following vulnerability was published for zookeeper.

CVE-2023-44981[0]:
| Authorization Bypass Through User-Controlled Key vulnerability in
| Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in
| ZooKeeper (quorum.auth.enableSasl=true), the authorization is done
| by verifying that the instance part in SASL authentication ID is
| listed in zoo.cfg server list. The instance part in SASL auth ID is
| optional and if it's missing, like 'e...@example.com', the
| authorization check will be skipped. As a result an arbitrary
| endpoint could join the cluster and begin propagating counterfeit
| changes to the leader, essentially giving it complete read-write
| access to the data tree. Quorum Peer authentication is not enabled
| by default.  Users are recommended to upgrade to version 3.9.1,
| 3.8.3, 3.7.2, which fixes the issue.  Alternately ensure the
| ensemble election/quorum communication is protected by a firewall as
| this will mitigate the issue.  See the documentation for more
| details on correct cluster administration.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44981
    https://www.cve.org/CVERecord?id=CVE-2023-44981
[1] https://www.openwall.com/lists/oss-security/2023/10/11/4
[2] https://github.com/apache/zookeeper/commit/96b3172ca249a8580e9a315d589d319286cee4ee

Regards,
Salvatore

--- End Message ---
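The quorum-peer authorisation logic the CVE text above describes, as an added Python model (not ZooKeeper's own code): the zoo.cfg fragment and hostnames are constructed for the example, and the "hardened" variant is my reading of the required behaviour, not the upstream commit verbatim.

```python
# Added illustration (not ZooKeeper's code): a model of the quorum-peer
# authorisation check described in CVE-2023-44981. After SASL quorum
# authentication, the peer's principal ('primary/instance@REALM') must have
# its instance part listed among the server.N entries of zoo.cfg.
import re
from typing import Optional, Set

# Constructed zoo.cfg fragment; hostnames are made up for the example.
ZOO_CFG = """
tickTime=2000
quorum.auth.enableSasl=true
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888
"""

# Matches 'server.N=host:...' and captures the host (simplified parser).
SERVER_RE = re.compile(r"^server\.\d+\s*=\s*([^:\s]+)")

def quorum_hosts(cfg: str) -> Set[str]:
    """Collect the hostnames from the server.N lines of a zoo.cfg."""
    hosts = set()
    for line in cfg.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            hosts.add(m.group(1))
    return hosts

def instance_part(principal: str) -> Optional[str]:
    """Return the instance component of 'primary/instance@REALM',
    or None when the principal carries no instance part."""
    primary = principal.split("@", 1)[0]
    if "/" not in primary:
        return None
    return primary.split("/", 1)[1] or None

def authorised_vulnerable(principal: str, hosts: Set[str]) -> bool:
    """Pre-fix logic as the CVE text describes it: a missing instance
    part skips the check, so the peer is accepted unverified."""
    inst = instance_part(principal)
    if inst is None:
        return True
    return inst in hosts

def authorised_hardened(principal: str, hosts: Set[str]) -> bool:
    """Hardened variant (my assumption of the fixed behaviour, not the
    upstream commit verbatim): no instance part means no authorisation."""
    inst = instance_part(principal)
    return inst is not None and inst in hosts
```

The hardened variant is the behaviour to expect from the fixed versions named in the advisory; on an ensemble that cannot be upgraded yet, restricting the election/quorum ports at the firewall, as the advisory recommends, removes the exposure.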
--- Begin Message ---
Source: zookeeper
Source-Version: 3.4.13-6+deb11u1
Done: Pierre Gruet <p...@debian.org>

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Gruet <p...@debian.org> (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 Oct 2023 23:16:44 +0200
Source: zookeeper
Architecture: source
Version: 3.4.13-6+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Pierre Gruet <p...@debian.org>
Closes: 1054224
Changes:
 zookeeper (3.4.13-6+deb11u1) bullseye-security; urgency=medium
 .
   * Team upload:
     - CVE-2023-44981: Prevent a potential authorisation bypass vulnerability.
       If SASL Quorum Peer authentication was enabled (via
       quorum.auth.enableSasl), authorisation was performed by verifying that
       the instance part in the SASL authentication ID was listed in the zoo.cfg
       server list. However, this value is optional, and, if missing (such as in
       'e...@example.com'), the authorisation check will be skipped. As a result,
       an arbitrary endpoint could join the cluster and begin propagating
       counterfeit changes to the leader, essentially giving it complete
       read-write access to the data tree. (Closes: #1054224)


--- End Message ---