Bug#990345: zookeeper: various security issues
Salvatore Bonaccorso
carnil at debian.org
Sun Jun 27 13:46:39 BST 2021
[Disclaimer, not the package maintainer, but quickly checked your
report for tracking within the security team]
On Sat, Jun 26, 2021 at 01:50:44PM +0200, Christoph Anton Mitterer wrote:
> Source: zookeeper
> Version: 3.4.13-6
> Severity: grave
> Tags: security
> Justification: user security hole
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
>
>
> Hi.
>
> The release notes for https://zookeeper.apache.org/doc/r3.6.3/releasenotes.html
> list various security issues:
> CVE-2020-25649
> CVE-2021-21295
> CVE-2021-28165
> CVE-2021-21409
>
> It's a bit unclear to me whether 3.4 is affected too, but since 3.5.x versions seem
> to be, I'd guess the issues go back longer and may affect 3.4 as well.
>
> I would guess that 3.4.x has no upstream support anymore.
To me this looks like CVEs in other products, but which zookeeper uses
as dependency? Is this correct? CVE-2021-21409 is for instance for
netty and fixed in 1:41.48-4 and in DSA 4885-1.
CVE-2020-25649 was in jackson-databind. Similar for the other CVEs
mentioned in the release notes, and they usually refer to "upgrade X.Y
to version [...]", dependency check, etc.
I have not (yet) checked the respective impact and if something needs
to be changed about those specifically in zookeeper.
Regards,
Salvatore