Bug#990345: zookeeper: various security issues

tony mancill tmancill at debian.org
Sat Jul 17 18:08:19 BST 2021


On Fri, Jul 16, 2021 at 06:43:53AM +0200, Christoph Anton Mitterer wrote:
> On Thu, 2021-07-15 at 21:18 -0700, tony mancill wrote:
> > This is certainly a valid point.  There is not time to change the
> > situation for bullseye aside from filing an RM bug to prevent the
> > package from shipping with the release.  That would impact transitive
> > dependencies of which I believe activemq is the most significant.
> 
> Would it be possible to provide a more current version via backports...
> I mean if it's not possible to get it in via some stable-update or so?

Yes, this should be possible.  I believe we would need to call the
package zookeeper35 or zookeeper36.

> > As an aside, I took a quick look at the latest upstream activemq source
> > release (https://activemq.apache.org/activemq-5016002-release) and it
> > specifies zookeeper 3.4.14 in its pom.xml (which makes me feel a little
> > better).
> 
> Isn’t that just telling the minimum version that works with it - not
> what they'd consider a safe use from a security PoV?

I don't recall there being API issues (although I need to check), but we
encountered problems at my $dayjob trying to use ZK 3.5 libraries in
applications interacting with ZK 3.4 servers.  IIRC, the issue has to do
with TTL nodes and was problematic enough that we ended up forking the
application to have ZK 3.4 and ZK 3.5 variants.

> > We can work on addressing the situation in bookworm.  (One idea I would
> > propose is paring down the package to build just libzookeeper-java,
> > because I imagine that many people use the Debian package to run their
> > ZooKeeper ensembles, although maybe that's not true.)
> 
> Well I for example use the daemon, too, but the software from which I
> use it would anyway already require some newer version and doesn't work
> with 3.4 anymore.
> So for me that wouldn't matter much.

It's good to know that there are users of the package.  (For my $dayjob
use case, ZK deployments are now container-based using the upstream
binary distribution.)

I will set aside some time to look at what it would take to build a
ZK 3.6 package against Debian and we can continue the discussion.

Cheers,
tony