Bug#990345: zookeeper: various security issues

tony mancill tmancill at debian.org
Fri Jul 16 05:18:11 BST 2021


On Sun, Jun 27, 2021 at 03:12:35PM +0200, Christoph Anton Mitterer wrote:
> On Sun, 2021-06-27 at 14:46 +0200, Salvatore Bonaccorso wrote:
> > To me this looks like CVEs in other products, but which zookeeper
> > uses as dependency? Is this correct?
> 
> Indeed, but I couldn't find that the zookeeper package depends on these
> while it does contain:
> zookeeper-3.4.13/src$ find . -iname "*nett*"
> ./java/main/org/apache/zookeeper/server/NettyServerCnxnFactory.java
> ./java/main/org/apache/zookeeper/server/NettyServerCnxn.java
> ./java/test/org/apache/zookeeper/server/NettyServerCnxnTest.java
> ./java/test/org/apache/zookeeper/test/NioNettySuiteTest.java
> ./java/test/org/apache/zookeeper/test/NioNettySuiteHammerTest.java
> ./java/test/org/apache/zookeeper/test/NioNettySuiteBase.java
> 
> 
> ... so I figured these might still be affected?

The Debian package disables building against Netty via this patch:

https://salsa.debian.org/java-team/zookeeper/-/blob/master/debian/patches/13-disable-netty-connection-factory.patch

> And apart from that... if they apparently don't support older versions
> anymore, we'd likely not even notice should these contain any security
> issues.

This is certainly a valid point.  There is not time to change the
situation for bullseye aside from filing an RM bug to prevent the
package from shipping with the release.  That would impact transitive
dependencies of which I believe activemq is the most significant.

As an aside, I took a quick look at the latest upstream activemq source
release (https://activemq.apache.org/activemq-5016002-release) and it
specifies zookeeper 3.4.14 in its pom.xml (which makes me feel a little
better).

We can work on addressing the situation in bookworm.  (One idea I would
propose is paring down the package to build just libzookeeper-java,
because I imagine that many people use the Debian package to run their
ZooKeeper ensembles, although maybe that's not true.) 

Help is always appreciated.  

Cheers,
tony