Bug 19419

Summary: zookeeper new security issue CVE-2016-5017
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, sysadmin-bugs, tarazed25
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/701141/
Whiteboard: MGA5-64-OK advisory
Source RPM: zookeeper-3.4.6-4.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2016-09-19 22:27:16 CEST
Debian-LTS has issued an advisory on September 18:
http://lwn.net/Alerts/701123/

I'm not sure which versions are affected.
Comment 1 David GEIGER 2016-09-20 06:39:51 CEST
Done for mga5 and Cauldron!
Comment 2 David Walser 2016-09-20 15:42:08 CEST
Thanks David!

Advisory:
========================

Updated zookeeper packages fix security vulnerability:

Lyon Yang discovered that the C client shells cli_st and cli_mt of Apache
Zookeeper were affected by a buffer overflow vulnerability associated with
parsing of the input command when using the "cmd:" batch mode syntax. If the
command string exceeds 1024 characters a buffer overflow will occur
(CVE-2016-5017).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5017
http://lwn.net/Alerts/701123/
========================

Updated packages in core/updates_testing:
========================
zookeeper-3.4.5-25.1.mga5
libzookeeper2-3.4.5-25.1.mga5
libzookeeper-devel-3.4.5-25.1.mga5
zookeeper-lib-doc-3.4.5-25.1.mga5
zookeeper-java-3.4.5-25.1.mga5
zookeeper-javadoc-3.4.5-25.1.mga5
python-ZooKeeper-3.4.5-25.1.mga5
zookeeper-server-3.4.5-25.1.mga5

from zookeeper-3.4.5-25.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: geiger.david68210 => qa-bugs
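
The overflow pattern described in the advisory above, as an added illustration that is not ZooKeeper's own cli.c and not part of this bug report: a fixed 1024-byte command buffer filled from a "cmd:" batch argument, first with the unbounded copy the advisory describes, then with a length check that refuses anything which does not fit together with its terminator. The buffer size, the function names and the exact prefix handling are assumptions modelled on the advisory's wording, not taken from the upstream source.

```c
/* Illustrative example, not Apache ZooKeeper's cli.c. A "cmd:" batch
 * argument is copied into a fixed-size command buffer; the first function
 * shows the overflow-prone pattern, the second a bounds-checked form. */
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 1024      /* assumed size, matching the 1024 in the advisory */
#define CMD_PREFIX   "cmd:"    /* batch-mode prefix named in the advisory */

/* Vulnerable pattern: strcpy trusts the caller's argument length. A payload
 * of CMD_BUF_SIZE bytes or more after the prefix writes past the end of cmd. */
int parse_batch_cmd_unsafe(const char *arg, char cmd[CMD_BUF_SIZE])
{
    size_t plen = strlen(CMD_PREFIX);
    if (strncmp(arg, CMD_PREFIX, plen) != 0)
        return -1;                      /* not batch mode */
    strcpy(cmd, arg + plen);            /* unbounded copy: the bug */
    return 0;
}

/* Hardened form: measure first, reject anything that does not fit with its
 * NUL terminator, then copy exactly that many bytes. Refusing is preferred
 * to silent truncation, which would run a different command than requested. */
int parse_batch_cmd_safe(const char *arg, char cmd[CMD_BUF_SIZE])
{
    size_t plen = strlen(CMD_PREFIX);
    if (strncmp(arg, CMD_PREFIX, plen) != 0)
        return -1;                      /* not batch mode */
    size_t len = strlen(arg + plen);
    if (len >= CMD_BUF_SIZE)            /* len == 1023 is the longest that fits */
        return -2;                      /* too long: refuse */
    memcpy(cmd, arg + plen, len + 1);   /* includes the terminator */
    return 0;
}

/* Stand-alone driver: parses argv[1] (or a constructed sample) with the
 * hardened function and reports the result. */
int main(int argc, char **argv)
{
    char cmd[CMD_BUF_SIZE];
    const char *arg = argc > 1 ? argv[1] : "cmd:ls /zookeeper"; /* constructed sample */
    int rc = parse_batch_cmd_safe(arg, cmd);
    if (rc == 0)
        printf("command: %s\n", cmd);
    else
        fprintf(stderr, "rejected (%d)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The check is deliberately one byte stricter than the advisory's "exceeds 1024 characters": a 1024-character command leaves no room for the terminating NUL, so strcpy would still write 1025 bytes into a 1024-byte buffer. Run the driver with `./a.out "cmd:$(head -c 1024 /dev/zero | tr '\0' A)"` to see the oversized case rejected rather than overflowed.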

Comment 3 Len Lawrence 2016-09-25 17:29:20 CEST
x86_64 test
From Wikipedia:
Zookeeper is essentially a distributed hierarchical key-value store, which is used to provide a distributed configuration service, synchronization service, and naming registry for large distributed systems.  Which leaves me scratching my head.

Installed the packages pre-update.  Only one problem:
installing zookeeper-server-3.4.5-25.mga5.noarch.rpm
      1/1: zookeeper-server      #############################################
Failed to open 'zookeeper.conf', ignoring: No such file or directory
The package installed though.
$ sudo systemctl start zookeeper-server
Failed to start zookeeper-server.service: Unit zookeeper-server.service failed to load: No such file or directory.

Ignored that and proceeded to install the updates.
Note that two CLI interfaces are provided and that the upstream reports recommend using the Java one.  This update concerns the C interface.
The updates installed cleanly.  This is about all we can do for this one unless there is somebody in QA who knows how to exercise zookeeper and the Java CLI.

A tentative OK.

CC: (none) => tarazed25

Len Lawrence 2016-09-25 17:30:31 CEST

Whiteboard: (none) => MGA5-64-OK

Dave Hodgins 2016-09-28 04:21:06 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2016-09-28 08:00:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0328.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED