Bug 19419 - zookeeper new security issue CVE-2016-5017
Summary: zookeeper new security issue CVE-2016-5017
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/701141/
Whiteboard: MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-09-19 22:27 CEST by David Walser
Modified: 2016-09-28 08:00 CEST (History)

See Also:
Source RPM: zookeeper-3.4.6-4.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2016-09-19 22:27:16 CEST
Debian-LTS has issued an advisory on September 18:
http://lwn.net/Alerts/701123/

I'm not sure which versions are affected.
Comment 1 David GEIGER 2016-09-20 06:39:51 CEST
Done for mga5 and Cauldron!
Comment 2 David Walser 2016-09-20 15:42:08 CEST
Thanks David!

Advisory:
========================

Updated zookeeper packages fix security vulnerability:

Lyon Yang discovered that the C client shells cli_st and cli_mt of Apache
Zookeeper were affected by a buffer overflow vulnerability associated with
parsing of the input command when using the "cmd:" batch mode syntax. If the
command string exceeds 1024 characters, a buffer overflow will occur
(CVE-2016-5017).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5017
http://lwn.net/Alerts/701123/
========================

Updated packages in core/updates_testing:
========================
zookeeper-3.4.5-25.1.mga5
libzookeeper2-3.4.5-25.1.mga5
libzookeeper-devel-3.4.5-25.1.mga5
zookeeper-lib-doc-3.4.5-25.1.mga5
zookeeper-java-3.4.5-25.1.mga5
zookeeper-javadoc-3.4.5-25.1.mga5
python-ZooKeeper-3.4.5-25.1.mga5
zookeeper-server-3.4.5-25.1.mga5

from zookeeper-3.4.5-25.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: geiger.david68210 => qa-bugs
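
The overflow the advisory describes is a fixed-size command buffer filled from the "cmd:" batch argument without a length check. The C below is an added illustration, not ZooKeeper's cli code: a bounds-checked parser for the "cmd:" argument against a 1024-byte buffer, with the unchecked pattern noted in a comment. The names parse_batch_cmd, try_batch_cmd and oversize_probe, the prefix handling and the return codes are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction, not ZooKeeper's cli.c: a fixed 1024-byte
 * command buffer filled from a "cmd:" batch-mode argument. */
#define CMD_BUF_SIZE 1024
#define BATCH_PREFIX "cmd:"
/* Copy the command after "cmd:" into out (capacity outsz). Returns 0 on success,
 * -1 if arg is not a batch argument, -2 if it does not fit (the advisory's case). */
int parse_batch_cmd(const char *arg, char *out, size_t outsz)
{
    size_t plen = strlen(BATCH_PREFIX), clen;
    if (arg == NULL || out == NULL || outsz == 0)
        return -1;
    if (strncmp(arg, BATCH_PREFIX, plen) != 0)
        return -1;
    clen = strlen(arg + plen);
    /* The unchecked pattern is strcpy(out, arg + plen) with no test of clen
     * against outsz; once clen >= outsz the copy runs past the buffer. */
    if (clen >= outsz)
        return -2;
    memcpy(out, arg + plen, clen + 1); /* +1 copies the terminating NUL */
    return 0;
}
/* Parse into a CMD_BUF_SIZE stack buffer and return the parse status. */
int try_batch_cmd(const char *arg)
{
    char cmd[CMD_BUF_SIZE];
    return parse_batch_cmd(arg, cmd, sizeof cmd);
}
/* Constructed input: a "cmd:" argument carrying cmd_len 'A' bytes. Returns the
 * checked parser's status; -3 means the probe buffer itself is too small. */
int oversize_probe(size_t cmd_len)
{
    char probe[CMD_BUF_SIZE + 128];
    size_t plen = strlen(BATCH_PREFIX);
    if (plen + cmd_len + 1 > sizeof probe)
        return -3;
    memcpy(probe, BATCH_PREFIX, plen);
    memset(probe + plen, 'A', cmd_len);
    probe[plen + cmd_len] = '\0';
    return try_batch_cmd(probe);
}

int main(void)
{
    printf("short: %d, 1023 chars: %d, 1024 chars: %d\n",
           try_batch_cmd("cmd:ls /"), oversize_probe(1023), oversize_probe(1024));
    return 0;
}
```

A 1023-character command is the longest that fits with its terminator; at 1024 the checked parser refuses the input instead of writing past the buffer.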

Comment 3 Len Lawrence 2016-09-25 17:29:20 CEST
x86_64 test
From Wikipedia:
Zookeeper is essentially a distributed hierarchical key-value store, which is used to provide a distributed configuration service, synchronization service, and naming registry for large distributed systems.  Which leaves me scratching my head.

Installed the packages pre-update.  Only one problem:
installing zookeeper-server-3.4.5-25.mga5.noarch.rpm
      1/1: zookeeper-server      #############################################
Failed to open 'zookeeper.conf', ignoring: No such file or directory
The package installed though.
$ sudo systemctl start zookeeper-server
Failed to start zookeeper-server.service: Unit zookeeper-server.service failed to load: No such file or directory.

Ignored that and proceeded to install the updates.
Note that two cli interfaces are provided and that the upstream reports recommend using the java one.  This update concerns the C interface.
The updates installed cleanly.  This is about all we can do for this one unless there is somebody in QA who knows how to exercise zookeeper and the java cli.

A tentative OK.

CC: (none) => tarazed25

Len Lawrence 2016-09-25 17:30:31 CEST

Whiteboard: (none) => MGA5-64-OK

Dave Hodgins 2016-09-28 04:21:06 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2016-09-28 08:00:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0328.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

