Bug#870271: zookeeper: insecure permissions of /var/lib/zookeeper

2017-07-31 Thread Christoph Anton Mitterer
Source: zookeeper
Severity: grave
Tags: security
Justification: user security hole


Hi.

It seems there is a grave permission issue in the zookeeper package,
namely that /var/lib/zookeeper is created world-readable.
Since ZK creates its files world-readable as well, any user on the system
can extract any data stored with ZK, which can easily contain very
sensitive information on the clustered system relying on ZK.


Cheers,
Chris.

__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.
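
The exposure reported in Bug#870271 depends on two things together: a file with the read bit for "other", and every directory above it being traversable by "other". The following audit is an added example, not code from the Debian package or from the report; the function names are hypothetical and the sample tree is constructed.

```shell
#!/bin/sh
# Added example. Point the functions at /var/lib/zookeeper (the path named
# in the report) on a real host; the demo below uses a constructed tree.

# Regular files under $1 that an unrelated local user can open: the file has
# o+r and every directory from $1 down to it has o+x. Directories without o+x
# are pruned, since nothing below them is reachable by "other".
# Assumes the ancestors of $1 itself are traversable (true for /var/lib).
zk_exposed_files() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print | sort
}

# Every entry under $1 that carries any "other" bit, reachable or not.
zk_other_bits() {
    find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \) -print | sort
}

# Close the directory itself to "other". Files the daemon creates later still
# take their mode from its umask, but they are no longer reachable.
zk_close_dir() {
    chmod o-rwx "$1"
}

# Constructed sample tree standing in for a data directory.
zk_make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/version-2"
    printf 'secret\n' > "$d/version-2/snapshot.0"
    printf '1\n' > "$d/myid"
    chmod 755 "$d" "$d/version-2"
    chmod 644 "$d/version-2/snapshot.0"
    chmod 640 "$d/myid"
    printf '%s\n' "$d"
}

sample=$(zk_make_sample)
echo "readable by any local user before:"
zk_exposed_files "$sample"
zk_close_dir "$sample"
echo "readable by any local user after closing the directory:"
zk_exposed_files "$sample"
echo "entries that still carry other bits (unreachable now):"
zk_other_bits "$sample"
rm -rf "$sample"
```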


Bug#869912: zookeeper: JMX opened for remote hosts

2017-07-28 Thread Christoph Anton Mitterer
On Fri, 2017-07-28 at 17:05 -0700, tony mancill wrote:
> I agree that the default configuration shouldn't come up with
> jmxremote.local.only=false.  It will be addressed in the next upload.

Thanks :-)


Bug#869914: zookeeperd: allow an easy way to disable JMX altogether

2017-07-27 Thread Christoph Anton Mitterer
Package: zookeeperd
Severity: wishlist


Hi.

The upstream zkServer.sh server management script gives a nice way to control
JMX settings (i.e. also whether to enable it or not), by having
JMXDISABLE="" or JMXDISABLE="false"

The systemd unit however *always* enables JMX. Of course one can override this,
but it would be nicer if there was a similar option that can be used
and all the creepy classes and weird java options (should that ever change) are
handled out of the box for the user.


Cheers,
Chris



Bug#869912: zookeeper: JMX opened for remote hosts

2017-07-27 Thread Christoph Anton Mitterer
Source: zookeeper
Severity: important
Tags: security


Hi.

I've noticed that in:
 /etc/zookeeper/conf/environment
the following is set
 JMXLOCALONLY=false
which in turn sets
 com.sun.management.jmxremote.local.only=false

Is there any reason for this? It's neither the default in Java
(see e.g. 
http://www.oracle.com/technetwork/java/javase/compatibility-417013.html)
nor does it sound particularly secure if any remote host can connect to
JMX.

Cheers,
Chris.


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.11.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
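
The setting reported in Bug#869912 can be checked mechanically. The following audit of an environment-style file is an added example, not code from the package or the report; the function names are hypothetical, the sample files are constructed, and on a real host the file to check is /etc/zookeeper/conf/environment as named above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical.

# Value of variable $2 in the shell-fragment file $1. The last uncommented
# "NAME=value" line wins, as it would when the file is sourced; a trailing
# comment and one pair of quotes are stripped. Prints nothing if unset.
zk_env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Prints "remote" when the file opens JMX to other hosts, "local-only" when
# it pins JMX to the local host, "undecided" when the file sets neither.
zk_jmx_verdict() {
    # A literal JVM option anywhere in an uncommented line counts too.
    if grep -v '^[[:space:]]*#' "$1" |
        grep -q -e '-Dcom\.sun\.management\.jmxremote\.local\.only=false'; then
        echo remote
        return 0
    fi
    case $(zk_env_value "$1" JMXLOCALONLY) in
        false) echo remote ;;
        true)  echo local-only ;;
        *)     echo undecided ;;
    esac
}

# Constructed sample files: $1 = weak (as reported) | fixed
zk_sample_env() {
    f=$(mktemp) || return 1
    if [ "$1" = weak ]; then
        printf '%s\n' 'NAME=zookeeper' 'JMXLOCALONLY=false' > "$f"
    else
        printf '%s\n' 'NAME=zookeeper' '#JMXLOCALONLY=false' \
            'JMXLOCALONLY="true"  # loopback only' > "$f"
    fi
    printf '%s\n' "$f"
}

for kind in weak fixed; do
    f=$(zk_sample_env "$kind")
    echo "$kind: $(zk_jmx_verdict "$f")"
    rm -f "$f"
done
```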



Bug#869901: zookeeper: update example zoo.conf to current config options

2017-07-27 Thread Christoph Anton Mitterer
Source: zookeeper
Severity: wishlist


Hi.

The Debian package provides its own example zoo.conf file with inline
documentation.

This is nice, but it lacks several options and their descriptions and defaults
available in the current ZK version, e.g. globalOutstandingLimit (kinda messed
up with snapCount), maxClientCnxns, clientPortAddress, minSessionTimeout,
maxSessionTimeout, fsync.warningthresholdms, autopurge.snapRetainCount,
autopurge.purgeInterval, syncEnabled, electionAlg, group.X, weight.X,
cnxTimeout, readonlymode.enabled, zookeeper.forceSync, jute.maxbuffer, skipACL,
quorumListenOnAllIPs and zookeeper.serverCnxnFactory

OTOH, traceFile doesn't show up in the documentation of 3.4.9.


Also some defaults are wrong, e.g. according to the admin guide, the default for
snapCount=10, however the example conf implies it would be 1 (while it sets
a (commented) value of 1000).


Cheers,
Chris.



Bug#869840: zookeeper: merge zookeeper and zookeeperd packages

2017-07-27 Thread Christoph Anton Mitterer
On Wed, 2017-07-26 at 22:15 -0700, tony mancill wrote:
> Maybe the idea was that a user might want to
> install the management tools on a system that isn't also a zk server,
> and that installing zookeeperd is the differentiating factor?

Then it would perhaps be better to split out the management tools :-)


> Thank you for the bug report.  Perhaps we can get some input from
> other
> users or developers.  I will work on cleaning up the description and
> the
> init files in zookeeperd.

Thanks :-)


Bug#869841: zookeeper: config file handling

2017-07-26 Thread Christoph Anton Mitterer
Source: zookeeper
Severity: normal


Hi.

Two thoughts about the config files:
1) Example configuration as in /etc/zookeeper/conf_example
   should typically go to /usr/share/doc//examples
   At least that's what basically all other packages do.

2) If you consider this however default configuration, it should
   either go to /usr/share/zookeeper/somewhere or so, and symlinked
   from there... or be directly copied (from there or
   /u/s/d//examples) to /etc/zookeeper in postinst.
   Or alternatively, be handled as conffiles and just directly placed
   in /etc/zookeeper.

3) Using update-alternatives for config is at least uncommon, I think.
   And it doesn't seem to make much sense, does it?
   When should one have different config set *per host* that admins
   want to switch?

   And there is no real documentation about it, or is there? I had
   to look up the postinst file just to find out the u-a group name
   to be zookeeper-conf.


Cheers,
Chris.



Bug#869840: zookeeper: merge zookeeper and zookeeperd packages

2017-07-26 Thread Christoph Anton Mitterer
Source: zookeeper
Severity: wishlist


Hi.

Is there any bigger reason for having the daemon split from its
init files?

Most daemon packages in Debian don't do this, zookeeperd contains
only few small files so there is no real space benefit.


I have absolutely nothing against if you don't want to have the
daemon started just by installing the package, but this can also
be achieved with the init files in the main package :-)


At least zookeeperd should suggest zookeeperd.


Further, zookeeperd has a package description of:
>This package contains init.d scripts to start and stop zookeeper and starts 
>zookeeper on installation.
however it also contains systemd and even still upstart init files
(the latter can probably be dropped, now that upstream is dead).


Cheers,
Chris.



Bug#867861: RFP: zktop -- top for Apache ZooKeeper

2017-07-09 Thread Christoph Anton Mitterer
Package: wnpp
Severity: wishlist

* Package name: zktop
  Version : 1.0.0
  Upstream Author : Patrick Hunt 
* URL : https://github.com/phunt/zktop
* License : Apache License Version 2.0
  Programming Lang: Python
  Description : top for Apache ZooKeeper

Provides a unix “top” like utility for ZooKeeper.
It is compatible with Python2.6, Python2.7 and Python3.

Bug#794913: libphonenumber6: please use libboost-date-time 1.57 or 1.58 ASAP

2015-08-09 Thread Christoph Anton Mitterer
Control: severity -1 normal
Control: retitle -1 libphonenumber6: please use libboost-date-time 1.57 or 1.58

Simon McVittie was so kind to disable libphonenumber6 in evolution for
now and rebuild the package with that.
So I guess the severity of this can be lowered again, as this doesn't
block updating anymore :)

Cheers,
Chris.


Bug#793215: antlr: change of type in system_error might break with GCC-5

2015-08-09 Thread Christoph Anton Mitterer
On Sun, 2015-08-09 at 23:24 +0200, Christoph Anton Mitterer wrote:
> or get Matthias to bring out a new version
> which has the Breaks removed :-)
Oh I've just seen that this has apparently already happened.

So I guess this bug can be closed, can't it?

Thanks,
Chris.


Bug#793215: antlr: change of type in system_error might break with GCC-5

2015-08-09 Thread Christoph Anton Mitterer
On Sun, 2015-08-09 at 14:05 -0700, tony mancill wrote:
> Therefore, I'm inclined to close the bug as Matthias suggests.
But then you'd still need to reupload a new version in order to no
longer match the Breaks, or get Matthias to bring out a new version
which has the Breaks removed :-)

Best wishes,
Chris.


Bug#793215: antlr: change of type in system_error might break with GCC-5

2015-08-07 Thread Christoph Anton Mitterer
Hey.

Anything new here? That blocks upgrading to current libstdc++6
(without removing a large number of packages) and thus also prevents
other packages (that already depend on newer libstdc++6) with important
security updates to be installed.

Shouldn't the severity have been raised, as the package is uninstallable?

Cheers,
Chris


Bug#794913: libphonenumber6: please use libboost-date-time 1.57 or 1.58 ASAP

2015-08-07 Thread Christoph Anton Mitterer
Subject: libphonenumber6: please use libboost-date-time 1.57 or 1.58 ASAP
Package: libphonenumber6
Version: 0.5.0-2
Severity: important


Hi.

libphonenumber6, depended upon by whole evolution, depends on
libboost-date-time1.55.0 which itself is not compatible
with the new libstdc++6 from GCC5.
Apparently this won't be resolved (see #793222 or #794774).


That blocks upgrading to current libstdc++6 (without removing
a large number of packages) and thus also prevents other
packages (that already depend on newer libstdc++6) with important
security updates to be installed.
  
Cheers,
Chris


Bug#794913: libphonenumber6: please use libboost-date-time 1.57 or 1.58 ASAP

2015-08-07 Thread Christoph Anton Mitterer
Hey.

I appreciate that you try to push in that matter,... but strictly
speaking, there is no security issue in this package, and also the
severity wouldn't be justified.

Some maintainers may not be too happy about that...


Cheers,
Chris.


Bug#724620: jedit: depends on soon-to-be-phased-out openjdk-6

2013-09-25 Thread Christoph Anton Mitterer
Package: jedit
Version: 5.0.0+dfsg-2
Severity: important


Hi.

OpenJDK 6 is about to go away... jedit should support OpenJDK 7 as well.

Cheers,
Chris.


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages jedit depends on:
ii  dpkg   1.17.1
ii  java-wrappers  0.1.27
ii  openjdk-6-jre  6b27-1.12.6-1

jedit recommends no packages.

jedit suggests no packages.

-- no debconf information



Bug#626384: eclipse-cdt: new upstream release

2011-05-11 Thread Christoph Anton Mitterer
Package: eclipse-cdt
Version: 6.0.2-1
Severity: wishlist


Hi.

A new upstream release (7.0.2) is available.


Cheers,
Chris.





Bug#441313: ...

2010-03-18 Thread Christoph Anton Mitterer
Anything new here? This is in the meantime so outdated, that the package
should be orphaned...

Cheers,
Chris.


___
pkg-java-maintainers mailing list
pkg-java-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers

Bug#432350: New upstream version 3.3.1.1

2009-04-24 Thread Christoph Anton Mitterer

Hi.

Is anything happening here?
It's quite embarrassing for Debian to only have such an outdated  
version of Eclipse (which is nearly identical to not having it at  
all), or no or only very old versions of the major plugins.


Chris.


This message was sent using IMP, the Internet Messaging Program.






Bug#515935: change section to .../doc

2009-02-18 Thread Christoph Anton Mitterer
Package: libjmock-java-doc
Severity: wishlist

As this package contains documentation, shouldn't it be moved to the  
doc section?

Best wishes,
Chris.




Bug#515929: change section to .../doc

2009-02-18 Thread Christoph Anton Mitterer
Package: libjgrapht-java-doc
Severity: wishlist

As this package contains documentation, shouldn't it be moved to the  
doc section?

Best wishes,
Chris.




Bug#445578: eclipse-gcj depends on ecj-bootstrap-gcj which is obsolete

2007-10-06 Thread Christoph Anton Mitterer
Package: eclipse-gcj
Version: 3.2.2-3
Severity: normal

ecj-bootstrap-gcj is no longer obsolete and described as:
standalone version of the Eclipse Java compiler (transitional package)
This is a transitional package; it can safely be removed.

Best wishes,
Chris.



-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages eclipse-gcj depends on:
ii  ecj-bootstrap-gcj     3.3.0-2   standalone version of the Eclipse
ii  eclipse               3.2.2-3   Extensible Tool Platform and Java
ii  eclipse-jdt-gcj       3.2.2-3   Java Development Tools plug-ins fo
ii  eclipse-pde-gcj       3.2.2-3   Plug-in Development Environment to
ii  eclipse-platform-gcj  3.2.2-3   Eclipse platform without plug-ins
ii  eclipse-rcp-gcj       3.2.2-3   Eclipse rich client platform (GCJ
ii  java-gcj-compat-dev   1.0.76-5  Java runtime environment with GCJ
ii  libswt3.2-gtk-gcj     3.2.2-3   Fast and rich GUI toolkit for Java

eclipse-gcj recommends no packages.

-- no debconf information







Bug#347576: java-package: support for Java Cryptography Extension (JCE)

2006-01-11 Thread Christoph Anton Mitterer
Package: java-package
Version: 0.27
Severity: wishlist

Hi.

First of all, great tool :-)

However. Would it be possible to support Sun's Java Cryptography
Extension (JCE) - Unlimited Strength Jurisdiction Policy Files 5.0?

btw: What's the state on the other (very old) wishlist topics like
binfmt support, are these bugs/wishes dead?

Best wishes,
Chris.


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.15
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)

Versions of packages java-package depends on:
ii  coreutils  5.93-5  The GNU core utilities
ii  debhelper  5.0.12  helper programs for debian/rules
ii  fakeroot   1.5.6   Gives a fake root environment
ii  unzip      5.52-6  De-archiver for .zip files

java-package recommends no packages.

-- no debconf information


