Bug#1068888: bookworm-pu: package zookeeper/3.8.0-11+deb12u2
Bastien Roucariès
rouca at debian.org
Fri Apr 12 23:18:02 BST 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: zookeeper at packages.debian.org
Control: affects -1 + src:zookeeper
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
CVE-2024-23944 (Closes: #1066947):
An information disclosure in persistent watchers handling was found in
Apache ZooKeeper due to a missing ACL check. It allows an attacker to
monitor child znodes by attaching a persistent watcher (addWatch
command) to a parent to which the attacker already has access.
The ZooKeeper server doesn't do an ACL check when the persistent watcher
is triggered and as a consequence, the full path of znodes that a
watch event gets triggered upon is exposed to the owner of the
watcher. It's important to note that only the path is exposed by this
vulnerability, not the data of the znode, but since a znode path can contain
sensitive information such as a user name or login ID, this issue is
potentially critical.
[ Impact ]
CVE-2024-23944 is not fixed
[ Tests ]
Full upstream testsuite run at build time
[ Risks ]
None known
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
See debdiff
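To make the mechanism described under [ Reason ] concrete, here is a constructed toy model (not ZooKeeper code and not the upstream patch) of a server that holds a tiny znode tree with per-identity ACLs: the vulnerable variant hands every child path to a persistent watcher on a readable parent, while the fixed variant re-checks READ on the reported znode when the watch fires. Identities, paths and the single READ bit are assumptions for the model.

```python
# Toy model (constructed, not ZooKeeper code) of the CVE-2024-23944 mechanism:
# a persistent watcher on a readable parent receives child paths the owner
# may not read, unless the server re-checks the ACL when the watch fires.
READ = 1  # single permission bit; real ZooKeeper ACLs are scheme:id entries with several bits


class Server:
    def __init__(self, acl_check_on_trigger):
        # acl_check_on_trigger=False models the vulnerable server, True the fixed one
        self.acl_check_on_trigger = acl_check_on_trigger
        self.acls = {"/": {"*": READ}}   # path -> {identity: perm bits}
        self.watchers = []               # (owner, watched parent path)
        self.delivered = []              # (owner, event path) handed to clients

    def can_read(self, owner, path):
        acl = self.acls[path]
        return bool(acl.get(owner, acl.get("*", 0)) & READ)

    def add_watch(self, owner, path):
        # addWatch itself is ACL-checked: the owner must already be able to read the parent
        if not self.can_read(owner, path):
            raise PermissionError("NoAuth: %s on %s" % (owner, path))
        self.watchers.append((owner, path))

    def create(self, path, acl):
        parent = path.rsplit("/", 1)[0] or "/"
        self.acls[path] = acl
        for owner, watched in self.watchers:
            if watched != parent:
                continue
            # The fix in this model: re-check READ on the znode whose path is reported
            if self.acl_check_on_trigger and not self.can_read(owner, path):
                continue
            self.delivered.append((owner, path))


def leaked_paths(acl_check_on_trigger):
    """Return child paths the low-privileged 'guest' learns about via its persistent watcher."""
    srv = Server(acl_check_on_trigger)
    srv.create("/users", {"*": READ})                     # guest can read the parent...
    srv.add_watch("guest", "/users")
    srv.create("/users/alice-login-id", {"admin": READ})  # ...but not this child (constructed)
    return [p for owner, p in srv.delivered if owner == "guest"]


if __name__ == "__main__":
    print("vulnerable server leaks:", leaked_paths(False))  # ['/users/alice-login-id']
    print("fixed server leaks:     ", leaked_paths(True))   # []
```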
Attachment: debdiff.diff (text/x-patch, 56729 bytes): <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20240412/f585a583/attachment-0001.bin>