Your message dated Sat, 04 Nov 2023 12:47:39 +0000
with message-id <e1qzg3v-001ian...@fasolo.debian.org>
and subject line Bug#1054224: fixed in zookeeper 3.8.0-11+deb12u1
has caused the Debian Bug report #1054224,
regarding zookeeper: CVE-2023-44981
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054224: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054224
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: zookeeper
Version: 3.8.0-11
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.4.13-6

Hi,

The following vulnerability was published for zookeeper.

CVE-2023-44981[0]:
| Authorization Bypass Through User-Controlled Key vulnerability in
| Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in
| ZooKeeper (quorum.auth.enableSasl=true), the authorization is done
| by verifying that the instance part in SASL authentication ID is
| listed in zoo.cfg server list. The instance part in SASL auth ID is
| optional and if it's missing, like 'e...@example.com', the
| authorization check will be skipped. As a result an arbitrary
| endpoint could join the cluster and begin propagating counterfeit
| changes to the leader, essentially giving it complete read-write
| access to the data tree. Quorum Peer authentication is not enabled
| by default.  Users are recommended to upgrade to version 3.9.1,
| 3.8.3, 3.7.2, which fixes the issue.  Alternately ensure the
| ensemble election/quorum communication is protected by a firewall as
| this will mitigate the issue.  See the documentation for more
| details on correct cluster administration.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44981
    https://www.cve.org/CVERecord?id=CVE-2023-44981
[1] https://www.openwall.com/lists/oss-security/2023/10/11/4
[2] https://github.com/apache/zookeeper/commit/96b3172ca249a8580e9a315d589d319286cee4ee

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: zookeeper
Source-Version: 3.8.0-11+deb12u1
Done: Pierre Gruet <p...@debian.org>

We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Gruet <p...@debian.org> (supplier of updated zookeeper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Oct 2023 08:57:11 +0100
Source: zookeeper
Architecture: source
Version: 3.8.0-11+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Pierre Gruet <p...@debian.org>
Closes: 1054224
Changes:
 zookeeper (3.8.0-11+deb12u1) bookworm-security; urgency=medium
 .
   * Team upload:
     - CVE-2023-44981: Prevent a potential authorisation bypass vulnerability.
       If SASL Quorum Peer authentication was enabled (via
       quorum.auth.enableSasl), authorisation was performed by verifying that
       the instance part in the SASL authentication ID was listed in the zoo.cfg
       server list. However, this value is optional, and, if missing (such as in
       'e...@example.com'), the authorisation check will be skipped. As a result,
       an arbitrary endpoint could join the cluster and begin propagating
       counterfeit changes to the leader, essentially giving it complete
       read-write access to the data tree. (Closes: #1054224)


--- End Message ---
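The authorisation logic described in the bug report above and repeated in the changelog entry, modelled as an added example (this is not ZooKeeper's code and not the upstream patch): the instance part of the SASL authentication ID is checked against the server.N hosts in zoo.cfg, and the pre-fix behaviour skips the check entirely when the instance part is absent. The fail-closed variant, the sample zoo.cfg and the principal names are assumptions constructed for the example.

```python
"""Model of the CVE-2023-44981 check on SASL quorum peer authorisation IDs.

Added example, not ZooKeeper's own code. It reproduces the logic the bug
report describes (instance part of the SASL auth ID must be listed in the
zoo.cfg server list; check skipped when the instance part is missing) next
to a fail-closed variant. The zoo.cfg text below is constructed.
"""
import re

# Constructed sample zoo.cfg with quorum SASL enabled and three ensemble members.
ZOO_CFG = """\
tickTime=2000
quorum.auth.enableSasl=true
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
server.3=zk3.example.com:2888:3888
"""

# server.N=host:peerport:electionport[:role][;clientport]; we only need host.
_SERVER_RE = re.compile(r"^server\.(\d+)\s*=\s*([^:;]+)")


def server_hosts(cfg_text):
    """Return the set of ensemble hostnames taken from server.N= lines."""
    hosts = set()
    for line in cfg_text.splitlines():
        m = _SERVER_RE.match(line.strip())
        if m:
            hosts.add(m.group(2).strip())
    return hosts


def split_principal(authz_id):
    """Split a Kerberos-style 'primary/instance@REALM' into (primary, instance or None)."""
    name = authz_id.split("@", 1)[0]
    primary, _, instance = name.partition("/")
    return primary, (instance or None)


def authorize_vulnerable(authz_id, hosts):
    """Pre-fix behaviour as the report describes it: no instance part -> check skipped."""
    _, instance = split_principal(authz_id)
    if instance is None:
        return True  # authorisation is never evaluated for an ID without an instance
    return instance in hosts


def authorize_fail_closed(authz_id, hosts):
    """Defensive variant (an assumption, not upstream's fix): no instance part -> deny."""
    _, instance = split_principal(authz_id)
    return instance is not None and instance in hosts
```

The two functions differ only on an authorisation ID with no instance part, which is exactly the case the advisory says bypassed the check; the firewall advice in the report applies regardless of which check is in place.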