Bug#990345: zookeeper: various security issues
Christoph Anton Mitterer
calestyo at scientia.net
Fri Jul 16 05:43:53 BST 2021
On Thu, 2021-07-15 at 21:18 -0700, tony mancill wrote:
> The Debian package disables building against Netty via this patch:
> https://salsa.debian.org/java-team/zookeeper/-/blob/master/debian/patches/13-disable-netty-connection-factory.patch
Ah I see.
> This is certainly a valid point. There is not time to change the
> situation for bullseye aside from filing an RM bug to prevent the
> package from shipping with the release. That would impact transitive
> dependencies of which I believe activemq is the most significant.
Would it be possible to provide a more current version via backports...
I mean if it's not possible to get it in via some stable-update or so?
> As an aside, I took a quick look at the latest upstream activemq source
> release (https://activemq.apache.org/activemq-5016002-release) and it
> specifies zookeeper 3.4.14 in its pom.xml (which makes me feel a little
> better).
Isn’t that just telling the minimum version that works with it - not
what they'd consider a safe use from a security PoV?
> We can work on addressing the situation in bookworm. (One idea I would
> propose is paring down the package to build just libzookeeper-java,
> because I imagine that many people use the Debian package to run their
> ZooKeeper ensembles, although maybe that's not true.)
Well I for example use the daemon, too, but the software from which I
use it would anyway already require some newer version and doesn't work
with 3.4 anymore.
So for me that wouldn't matter much.
Thanks,
Chris.