zookeeper (3.9.2-1)
[PTS] [DDPO]
OK: VCS matches the version in the archive
- Git: https://salsa.debian.org/java-team/zookeeper.git
-
- Branch: master
- Path: debian/changelog
- Repo size: 827392
- Browser: https://salsa.debian.org/java-team/zookeeper
- Last scan: 2024-04-21 21:59:13+00
- Next scan: 2024-04-29 18:51:00+00
- Merge requests: 1
- Debian changelog in Git:
zookeeper (3.9.2-1) unstable; urgency=medium
* Team upload
* New upstream version 3.9.2
* Bug fix: CVE-2024-23944 (Closes: #1066947):
An information disclosure in persistent watchers handling was found in
Apache ZooKeeper due to missing ACL check. It allows an attacker to
monitor child znodes by attaching a persistent watcher (addWatch
command) to a parent which the attacker has already access
to. ZooKeeper server doesn't do ACL check when the persistent watcher
is triggered and as a consequence, the full path of znodes that a
watch event gets triggered upon is exposed to the owner of the
watcher. It's important to note that only the path is exposed by this
vulnerability, not the data of znode, but since znode path can contain
sensitive information like user name or login ID, this issue is
potentially critical.
* Let sysvinit init script depend on networking (Closes: #1025042)
* Add salsa CI
* Refresh patches
-- Bastien Roucariès <rouca@debian.org> Sun, 24 Mar 2024 21:19:51 +0000
- This branch is even with tag debian/3.9.2-1