Bug 23074

Summary: zookeeper new security issues CVE-2018-8012 and CVE-2019-0201
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Java Stack Maintainers <java>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: mageia
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: zookeeper-3.4.9-2.mga6.src.rpm CVE: CVE-2018-8012 CVE-2019-0201
Status comment: Patches available from Debian

Description David Walser 2018-05-23 01:32:19 CEST 
Apache has issued an advisory on May 21:
http://openwall.com/lists/oss-security/2018/05/21/6

The issue is fixed upstream in 3.4.10.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-05-23 01:32:30 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-06-08 22:12:25 CEST 
Debian has issued an advisory for this on June 1:
https://www.debian.org/security/2018/dsa-4214
David Walser 2019-02-03 01:39:24 CET

Status comment: (none) => Patch available from Debian

Comment 2 David Walser 2019-05-21 03:07:47 CEST 
Apache has issued an advisory today (May 20):
https://www.openwall.com/lists/oss-security/2019/05/20/1

The issue is fixed upstream in 3.4.14.

Mageia 6 is also affected.

Summary: zookeeper new security issue CVE-2018-8012 => zookeeper new security issues CVE-2018-8012 and CVE-2019-0201

David Walser 2019-06-23 19:30:24 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 3 David Walser 2019-08-11 22:22:26 CEST 
Debian has issued an advisory for the latter issue on June 12:
https://www.debian.org/security/2019/dsa-4461

Status comment: Patch available from Debian => Patches available from Debian

Comment 4 David Walser 2020-04-23 21:00:47 CEST 
SUSE has issued an advisory on April 22:
http://lists.suse.com/pipermail/sle-security-updates/2020-April/006723.html

The CVE-2017-5637 issue is fixed upstream in 3.4.10.

Summary: zookeeper new security issues CVE-2018-8012 and CVE-2019-0201 => zookeeper new security issues CVE-2017-5637, CVE-2018-8012, and CVE-2019-0201

Nicolas Lécureuil 2020-05-22 14:07:27 CEST

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
CC: (none) => mageia

Comment 5 Nicolas Lécureuil 2020-06-01 17:20:01 CEST 
to test CVE-2017-5637 https://vulners.com/exploitdb/EDB-ID:41277  from: https://issues.apache.org/jira/browse/ZOOKEEPER-2693
Nicolas Lécureuil 2020-06-01 17:22:11 CEST

CVE: (none) => CVE-2018-8012 CVE-2019-0201
Summary: zookeeper new security issues CVE-2017-5637, CVE-2018-8012, and CVE-2019-0201 => zookeeper new security issues CVE-2018-8012, and CVE-2019-0201

Comment 6 Nicolas Lécureuil 2020-06-01 17:39:02 CEST 
patch for CVE-2018-8012 added on svn
Comment 7 David Walser 2020-06-01 17:48:52 CEST 
CVE-2017-5637 is fixed in 3.4.89, see Comment 4.  Either we need to add the patch or update.

CVE: CVE-2018-8012 CVE-2019-0201 => CVE-2017-5637 CVE-2018-8012 CVE-2019-0201
Summary: zookeeper new security issues CVE-2018-8012, and CVE-2019-0201 => zookeeper new security issues CVE-2017-5637, CVE-2018-8012, and CVE-2019-0201

Comment 8 Nicolas Lécureuil 2020-06-01 18:35:39 CEST 
# Debian patches:
Patch100:      zookeeper-3.4.9-CVE-2017-5637.patch


this is already on mga7 and mga8 in svn since a long time.  ( before mga7 Mass Rebuild ) ( this was to fix https://bugs.mageia.org/show_bug.cgi?id=21014 )
Comment 9 David Walser 2020-06-01 19:04:07 CEST 
Nice, not sure how I missed that.

Summary: zookeeper new security issues CVE-2017-5637, CVE-2018-8012, and CVE-2019-0201 => zookeeper new security issues CVE-2018-8012 and CVE-2019-0201
CVE: CVE-2017-5637 CVE-2018-8012 CVE-2019-0201 => CVE-2018-8012 CVE-2019-0201

Comment 10 Nicolas Lécureuil 2020-12-27 15:40:42 CET 
Not available on mageia 8 anymore

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 11 David Walser 2021-07-01 18:16:15 CEST 
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Status: NEW => RESOLVED
Resolution: (none) => OLD