Bug 21014

Summary: zookeeper new security issue CVE-2017-5637
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: David GEIGER <geiger.david68210>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia
Version: 5
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: zookeeper-3.4.9-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2017-06-02 12:14:59 CEST
Debian has issued an advisory on June 1:
https://www.debian.org/security/2017/dsa-3871

Mageia 5 is also affected.

David Walser 2017-06-02 12:15:10 CEST

CC: (none) => mageia
Whiteboard: (none) => MGA5TOO

Comment 1 David GEIGER 2017-06-02 16:39:20 CEST
Fixed for Cauldron! But unfortunately for mga5 it doesn't build with the Debian patch:

/home/iurt/rpmbuild/BUILD/zookeeper-3.4.5/src/java/test/org/apache/zookeeper/test/FourLetterWordsWhiteListTest.java:165: error: cannot find symbol
String sid = getHexSessionId(zk.getSessionId());


/home/iurt/rpmbuild/BUILD/zookeeper-3.4.5/src/java/test/org/apache/zookeeper/test/FourLetterWordsWhiteListTest.java:250: error: method send4LetterWord in class FourLetterWordMain cannot be applied to given types;
return send4LetterWord(hpobj.host, hpobj.port, cmd, timeout);

Comment 2 David Walser 2017-06-04 17:11:16 CEST
Weird, since Debian has 3.4.5 also.  Do we need another patch from them?

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 3 David Walser 2017-10-10 03:16:52 CEST
This issue can also be fixed by upgrading to 3.4.10.

Very late advisory from upstream for this from today (October 9):
http://openwall.com/lists/oss-security/2017/10/09/10

Comment 4 David Walser 2017-12-27 05:06:48 CET
We won't be fixing this type of package for Mageia 5.

Resolution: (none) => OLD
Status: NEW => RESOLVED