Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability

tony mancill tmancill at debian.org
Thu May 30 14:47:33 BST 2019


On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > Looks fine, but can you please also include the test case upstream added?
> > Given that it's quite complex to reconstruct the specific affected ZK setup,
> > we should at least ship/run the test case.
> 
> I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> in the next day or so.

As an update...

Regarding the upload of a patched 3.4.13 for buster and unstable,
cherry-picking and adapting the upstream patch from the 3.4.14 branch is
straightforward and complete [1].  The package is building, etc.

The delay is that the tests for the Debian package aren't in a state
where they are easy to run.  This predates this issue, going back to the
changes made when netty 3.9 was removed from Debian.  Since the changes
to the packaging and patches to re-enable tests would be extensive (I am
still working through them), I'm not certain that they will be suitable
for an upload during the freeze.  At a minimum, I intend to get them
working locally and push a branch so that others can verify, as well as
run the updated ZK through some local smoke-testing that validates the
ACL change.

Cheers,
tony

[1] https://salsa.debian.org/java-team/zookeeper/commit/41265b610149bd708232e40faf945f3c79b60b85