Bug#929283: zookeeper: CVE-2019-0201: information disclosure vulnerability
Salvatore Bonaccorso
carnil at debian.org
Fri May 31 08:01:12 BST 2019

Hi Tony,

On Thu, May 30, 2019 at 06:47:33AM -0700, tony mancill wrote:
> On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> > On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > > Looks fine, but can you please also include the test case upstream added?
> > > Given that it's quite complex to reconstruct the specific affected ZK setup,
> > > we should at least ship/run the test case.
> >
> > I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> > in the next day or so.
>
> As an update...
>
> Regarding the upload of a patched 3.4.13 for buster and unstable,
> cherry-picking and adapting the upstream patch from the 3.4.14 branch is
> straight-forward and complete [1]. The package is building, etc.
>
> The delay is that the tests for the Debian package aren't in a state
> where they are easy to run. This predates this issue, going back to the
> changes made when netty 3.9 was removed from Debian. Since the changes
> to the packaging and patches to re-enable tests would be extensive (I am
> still working through them), I'm not certain that they will be suitable
> for an upload during the freeze. At a minimum, I intend to get them
> working locally and push a branch so that others can verify, as well as
> run the updated ZK through some local smoke-testing that validates the
> ACL change.

Thanks for giving an update on the state!

Regards,
Salvatore