Format: 1.8
Date: Sun, 16 Jun 2024 10:40:07 +0000
Source: zookeeper
Architecture: source
Version: 3.8.0-11+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Debian Java Maintainers
Changed-By: Bastien Roucariès
Closes: 1066947
Changes:
 zookeeper (3.8.0-11+deb12u2) bookworm; urgency=medium
 .
   * Team upload
   * Bug fix: CVE-2024-23944 (Closes: #1066947):
     An information disclosure in persistent watchers handling was found in
     Apache ZooKeeper due to a missing ACL check. It allows an attacker to
     monitor child znodes by attaching a persistent watcher (addWatch
     command) to a parent which the attacker already has access to.
     ZooKeeper server doesn't do an ACL check when the persistent watcher is
     triggered and, as a consequence, the full path of znodes that a watch
     event gets triggered upon is exposed to the owner of the watcher.
     It's important to note that only the path is exposed by this
     vulnerability, not the data of the znode, but since a znode path can
     contain sensitive information like a user name or login ID, this issue
     is potentially critical.
   * Add salsa CI
Checksums-Sha1:
 81ca0b48adc053850801ea043f46dd3d53e7587a 3824 zookeeper_3.8.0-11+deb12u2.dsc
 4bfcbf1098a8db98a496186edbcb4fec01fbf6b0 99540 zookeeper_3.8.0-11+deb12u2.debian.tar.xz
 9ef7d706aa4549ecb2d51c320eb8df694dd5e53e 24622 zookeeper_3.8.0-11+deb12u2_amd64.buildinfo
Checksums-Sha256:
 a41c5eef50f98609f2dc69a24625b06564131b68c723ed14e5f26dd8693995a5 3824 zookeeper_3.8.0-11+deb12u2.dsc
 c2fca81a9bf80b6bf93cdb78366a60e1d9e561fd664c85db7cddc21d200c9540 99540 zookeeper_3.8.0-11+deb12u2.debian.tar.xz
 205f527c55255f4610cbb404e7732c760d563ea7593d697324aa3738ec604f0a 24622 zookeeper_3.8.0-11+deb12u2_amd64.buildinfo
Files:
 c36edab4fa084f0e2137a90009627696 3824 java optional zookeeper_3.8.0-11+deb12u2.dsc
 484c36535d1f03f1791491d5ba5fd906 99540 java optional zookeeper_3.8.0-11+deb12u2.debian.tar.xz
 510b67344532ab429e8defaffbc42968 24622 java optional zookeeper_3.8.0-11+deb12u2_amd64.buildinfo