[Git][security-tracker-team/security-tracker][master] CVE-2024-23944/zookeeper bullseye

Bastien Roucariès (@rouca) rouca at debian.org
Wed Jan 1 12:40:16 GMT 2025 


Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6e7c42da by Bastien Roucariès at 2025-01-01T12:39:08+00:00
CVE-2024-23944/zookeeper bullseye

Add ignored for bullseye

CVE-2024-23944  should be marked ignored for older release:
- Persistent (and p-recursive) watches were introduced by ZOOKEEPER-1416, which only exists in 3.6+. This is needed for exploit
- according to upstream  classical watches are used (<< 3.6), it seems that to trigger for nodes whose names are not
known in advance is not possible. Nevertheless classical watch leaks some information.
- this is only a information leak and limited so for me minor
- it will be hard to fix (no upstream support EOL upstream)

See https://lists.debian.org/debian-lts/2024/12/msg00078.html

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -83100,7 +83100,7 @@ CVE-2024-28752 (A SSRF vulnerability using the Aegis DataBinding in versions of
 CVE-2024-23944 (Information disclosure in persistent watchers handling in Apache ZooKe ...)
 	- zookeeper 3.9.2-1 (bug #1066947)
 	[bookworm] - zookeeper <no-dsa> (Minor issue)
-	[bullseye] - zookeeper <no-dsa> (Minor issue)
+	[bullseye] - zookeeper <ignored> (Minor issue; hard to backport)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/03/14/2
 	NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-4799
 	NOTE: Fixed by: https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d (release-3.8.4-0)
@@ -83109,6 +83109,7 @@ CVE-2024-23944 (Information disclosure in persistent watchers handling in Apache
 	NOTE: See https://issues.apache.org/jira/browse/ZOOKEEPER-1416
 	NOTE: However, classical watches are used (<< 3.6), it seems that to trigger for nodes whose names are not
 	NOTE: known in advance is not possible. Nevertheless classical watch leaks some information.
+	NOTE: LTS status see https://lists.debian.org/debian-lts/2024/12/msg00078.html
 CVE-2024-2746 (Incomplete fix for CVE-2024-1929  The problem with CVE-2024-1929 was t ...)
 	NOT-FOR-US: dnf5daemon-server
 CVE-2024-1930 (No Limit on Number of Open Sessions / Bad Session Close Behaviour  in  ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e7c42da686d64884c84878398618435c95230a5

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e7c42da686d64884c84878398618435c95230a5
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250101/bd527558/attachment.htm>

More information about the debian-security-tracker-commits mailing list