Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability

Salvatore Bonaccorso carnil at debian.org
Fri May 31 08:01:12 BST 2019


Hi Tony,

On Thu, May 30, 2019 at 06:47:33AM -0700, tony mancill wrote:
> On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> > On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > > Looks fine, but can you please also include the test case upstream added?
> > > Given that it's quite complex to reconstruct the specific affected ZK setup,
> > > we should at least ship/run the test case.
> > 
> > I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> > in the next day or so.
> 
> As an update...
> 
> Regarding the upload of a patched 3.4.13 for buster and unstable,
> cherry-picking and adapting the upstream patch from the 3.4.14 branch is
> straightforward and complete [1].  The package is building, etc.
> 
> The delay is that the tests for the Debian package aren't in a state
> where they are easy to run.  This predates this issue, going back to the
> changes made when netty 3.9 was removed from Debian.  Since the changes
> to the packaging and patches to re-enable tests would be extensive (I am
> still working through them), I'm not certain that they will be suitable
> for an upload during the freeze.  At a minimum, I intend to get them
> working locally and push a branch so that others can verify, as well as
> run the updated ZK through some local smoke-testing that validates the
> ACL change.

Thanks for giving an update on the state!

Regards,
Salvatore



More information about the pkg-java-maintainers mailing list