Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability

tony mancill tmancill at debian.org
Wed Jun 5 06:01:09 BST 2019


On Fri, May 31, 2019 at 09:01:12AM +0200, Salvatore Bonaccorso wrote:
> Hi Tony,
> 
> On Thu, May 30, 2019 at 06:47:33AM -0700, tony mancill wrote:
> > On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> > > On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > > > Looks fine, but can you please also include the test case upstream added?
> > > > Given that it's quite complex to reconstruct the specific affected ZK setup,
> > > > we should at least ship/run the test case.
> > > 
> > > I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> > > in the next day or so.
> > 
> > As an update...
> > 
> > Regarding the upload of a patched 3.4.13 for buster and unstable,
> > cherry-picking and adapting the upstream patch from the 3.4.14 branch is
> > straightforward and complete [1].  The package is building, etc.
> > 
> > The delay is that the tests for the Debian package aren't in a state
> > where they are easy to run.  This predates this issue, going back to the
> > changes made when netty 3.9 was removed from Debian.  Since the changes
> > to the packaging and patches to re-enable tests would be extensive (I am
> > still working through them), I'm not certain that they will be suitable
> > for an upload during the freeze.  At a minimum, I intend to get them
> > working locally and push a branch so that others can verify, as well as
> > run the updated ZK through some local smoke-testing that validates the
> > ACL change.
> 
> Thanks for giving an update on the state!

Hi Salvatore - 

Apologies again for the delay.  The zookeeper package tests are in rough
shape and I wasn't able to get all tests passing even after installing
libjetty-3.9-java in a local chroot and some hacking.  The
work-in-progress 3.4.13-2+test branch is on Salsa [1], but getting the
tests into good working order will be a goal for buster.

However, I did verify the following before uploading:

- the test results between 3.4.13-1 and 3.4.13-2 are the same, meaning
  no regressions
- the newly added FinalRequestProcessorTest in 3.4.13-2 passes
- I could reproduce the ACL information disclosure on 3.4.13-1
- 3.4.13-2 no longer freely shares ACLs on nodes with ACLs that prevent
  unauthorized reading

I have just uploaded to unstable [2] and will request an unblock for
buster.

Thank you,
tony

[1] https://salsa.debian.org/java-team/zookeeper/tree/3.4.13-2+test
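A smoke test of the kind the verification list above describes, added here as an example; it is not part of Tony's message or of the Debian zookeeper package. It assumes a ZooKeeper server reachable on 127.0.0.1:2181, the ZooKeeper client jar on the classpath, and a scratch znode path plus a throwaway digest user/password; all of these are placeholders. It creates a znode whose ACL grants access only to a digest user, then calls getACL() from a second session that never authenticates, and reports whether that client was handed back the stored "user:hash" Id string, which is the disclosure CVE-2019-0201 describes. The unpatched 3.4.13 prints VULNERABLE; a fixed build should print OK, whether the server answers with NoAuth or with an ACL list that no longer carries the hash.

```java
import java.util.Collections;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;

/**
 * Smoke test for CVE-2019-0201: does an unauthenticated getACL() return the
 * digest hash stored in a znode's ACL?
 * Assumptions (placeholders, not from the bug report): a local ZooKeeper on
 * 127.0.0.1:2181, a scratch znode path, and a throwaway digest credential.
 */
public class GetAclSmokeTest {
    static final String CONNECT = "127.0.0.1:2181";    // assumed local server
    static final String PATH = "/cve-2019-0201-smoke";  // assumed scratch znode
    static final String USER_PASS = "smoke:secret";     // assumed throwaway credential

    /** Open a session and block until the server reports SyncConnected. */
    static ZooKeeper connect() throws Exception {
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(CONNECT, 10000, event -> {
            if (event.getState() == Watcher.Event.KeeperState.SyncConnected) {
                connected.countDown();
            }
        });
        if (!connected.await(10, TimeUnit.SECONDS)) {
            throw new IllegalStateException("no connection to " + CONNECT);
        }
        return zk;
    }

    public static void main(String[] args) throws Exception {
        // "user:BASE64(SHA1(user:pass))" is the Id string ZooKeeper stores in the
        // ACL; it is what a vulnerable getACL() hands back verbatim.
        String digestId = DigestAuthenticationProvider.generateDigest(USER_PASS);

        // Session 1: authenticated owner creates a znode that only the digest
        // user may read (no world:anyone entry at all).
        ZooKeeper owner = connect();
        owner.addAuthInfo("digest", USER_PASS.getBytes("UTF-8"));
        if (owner.exists(PATH, false) != null) {
            owner.delete(PATH, -1);
        }
        List<ACL> ownerOnly = Collections.singletonList(
                new ACL(ZooDefs.Perms.ALL, new Id("digest", digestId)));
        owner.create(PATH, new byte[0], ownerOnly, CreateMode.PERSISTENT);

        // Session 2: never calls addAuthInfo, i.e. an unauthenticated client.
        ZooKeeper anon = connect();
        boolean leaked = false;
        try {
            List<ACL> acls = anon.getACL(PATH, new Stat());
            for (ACL acl : acls) {
                Id id = acl.getId();
                System.out.println("getACL returned " + id.getScheme() + ":" + id.getId());
                // Receiving the exact stored "user:hash" string without having
                // authenticated is the information disclosure.
                if ("digest".equals(id.getScheme()) && digestId.equals(id.getId())) {
                    leaked = true;
                }
            }
        } catch (KeeperException.NoAuthException e) {
            System.out.println("getACL denied with NoAuth for unauthenticated client");
        }

        System.out.println(leaked ? "VULNERABLE: digest hash disclosed to unauthenticated client"
                                  : "OK: digest hash not disclosed");

        owner.delete(PATH, -1);   // clean up the scratch znode
        anon.close();
        owner.close();
    }
}
```

Run it once against the 3.4.13-1 server and once against the 3.4.13-2 server, with the same credentials, and compare the last line printed; the node is removed at the end so the test can be repeated. The check deliberately compares against the full Id string rather than looking for any particular redaction format, so it treats both a NoAuth answer and a masked ACL list as the fixed behaviour.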