Discussion:
Processed: bookworm-pu: package zookeeper/3.8.0-11+deb12u2
Debian Bug Tracking System
2024-04-12 22:30:02 UTC
affects -1 + src:zookeeper
Bug #1068888 [release.debian.org] bookworm-pu: package zookeeper/3.8.0-11+deb12u2
Added indication that 1068888 affects src:zookeeper
--
1068888: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068888
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Jonathan Wiltshire
2024-06-15 23:00:01 UTC
Control: tag -1 moreinfo

Hi,
diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog
--- zookeeper-3.8.0/debian/changelog 2023-10-29 07:57:11.000000000 +0000
+++ zookeeper-3.8.0/debian/changelog 2024-03-25 08:30:56.000000000 +0000
@@ -1,3 +1,22 @@
+zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium
Target should be bookworm.
diff -Nru zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
--- zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch 1970-01-01 00:00:00.000000000 +0000
+++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch 2024-03-25 08:30:56.000000000 +0000
@@ -0,0 +1,1223 @@
This patch confuses me. It seems to contain a whole series of nested
patches? How do they get applied to the source package?
diff -Nru zookeeper-3.8.0/debian/patches/series zookeeper-3.8.0/debian/patches/series
--- zookeeper-3.8.0/debian/patches/series 2023-10-29 07:57:11.000000000 +0000
+++ zookeeper-3.8.0/debian/patches/series 2024-03-25 08:30:56.000000000 +0000
@@ -1,19 +1,10 @@
-#01-add-jtoaster-to-zooinspector.patch
-#02-patch-build-system.patch
03-disable-cygwin-detection.patch
05-ZOOKEEPER-770.patch
06-ftbfs-gcc-4.7.patch
07-remove-non-reproducible-manifest-entries.patch
-#08-reproducible-javadoc.patch
10-cppunit-pkg-config.patch
11-disable-minikdc-tests.patch
12-add-yetus-annotations.patch
-#13-disable-netty-connection-factory.patch
-#14-ftbfs-with-gcc-8.patch
-#15-javadoc-doclet.patch
-#16-ZOOKEEPER-1392.patch
-#17-gcc9-ftbfs-925869.patch
-#18-java17-compatibility.patch
19-add_missing-plugins-versions.patch
20-no-Timeout-in-tests.patch
21-use-ValueSource-with-ints.patch
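Review bot: The nine lines removed at the top of this hunk ("#01-add-jtoaster-to-zooinspector.patch" through "#18-java17-compatibility.patch") are all commented-out series entries, so deleting them does not change which patches are applied, but it is unrelated to the CVE-2024-23944 fix and makes the stable-update diff harder to read. Suggest leaving the "#" entries in place for this upload, or saying in the changelog whether the corresponding files under debian/patches are removed as well.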
@@ -33,3 +24,4 @@
35-flaky-test.patch
36-JUnitPlatform-deprecation.patch
CVE-2023-44981.patch
+0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
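Review bot: The added series entry has a "0027-" prefix and a name cut off at "check-in-", which looks like an unedited git format-patch file name and matches neither the NN-description.patch entries nor "CVE-2023-44981.patch" directly above it. Suggest renaming the file to CVE-2024-23944.patch so the series stays consistent and the fix is easy to locate by CVE id.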
Presumably these dropped patches get integrated into the nested set in
0027? Or are they actually dropped?
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Debian Bug Tracking System
2024-06-15 23:00:01 UTC
Post by Jonathan Wiltshire
tag -1 moreinfo
Bug #1068888 [release.debian.org] bookworm-pu: package zookeeper/3.8.0-11+deb12u2
Added tag(s) moreinfo.
Bastien Roucariès
2024-06-16 11:20:01 UTC
control: tag -1 - moreinfo
On Saturday 15 June 2024, 22:49:24 UTC Jonathan Wiltshire wrote:
Hi,

Thanks for the review
Post by Jonathan Wiltshire
Control: tag -1 moreinfo
Hi,
diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog
--- zookeeper-3.8.0/debian/changelog 2023-10-29 07:57:11.000000000 +0000
+++ zookeeper-3.8.0/debian/changelog 2024-03-25 08:30:56.000000000 +0000
@@ -1,3 +1,22 @@
+zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium
Target should be bookworm.
Done
Post by Jonathan Wiltshire
diff -Nru zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
--- zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch 1970-01-01 00:00:00.000000000 +0000
+++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch 2024-03-25 08:30:56.000000000 +0000
@@ -0,0 +1,1223 @@
This patch confuses me. It seems to contain a whole series of nested
patches? How do they get applied to the source package?
???

I do not understand, see patch 0027 joined it is a simple patch...
Post by Jonathan Wiltshire
diff -Nru zookeeper-3.8.0/debian/patches/series zookeeper-3.8.0/debian/patches/series
--- zookeeper-3.8.0/debian/patches/series 2023-10-29 07:57:11.000000000 +0000
+++ zookeeper-3.8.0/debian/patches/series 2024-03-25 08:30:56.000000000 +0000
@@ -1,19 +1,10 @@
-#01-add-jtoaster-to-zooinspector.patch
-#02-patch-build-system.patch
03-disable-cygwin-detection.patch
05-ZOOKEEPER-770.patch
06-ftbfs-gcc-4.7.patch
07-remove-non-reproducible-manifest-entries.patch
-#08-reproducible-javadoc.patch
10-cppunit-pkg-config.patch
11-disable-minikdc-tests.patch
12-add-yetus-annotations.patch
-#13-disable-netty-connection-factory.patch
-#14-ftbfs-with-gcc-8.patch
-#15-javadoc-doclet.patch
-#16-ZOOKEEPER-1392.patch
-#17-gcc9-ftbfs-925869.patch
-#18-java17-compatibility.patch
19-add_missing-plugins-versions.patch
20-no-Timeout-in-tests.patch
21-use-ValueSource-with-ints.patch
@@ -33,3 +24,4 @@
35-flaky-test.patch
36-JUnitPlatform-deprecation.patch
CVE-2023-44981.patch
+0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
Presumably these dropped patches get integrated into the nested set in
0027? Or are they actually dropped?
They are dropped because disabled, but I have re-added them to series as disabled patches. Thanks, it is clearer now.

Bastien
Adam D. Barratt
2024-06-16 12:00:01 UTC
Post by Bastien Roucariès
control: tag -1 - moreinfo
[...]
Post by Bastien Roucariès
Post by Jonathan Wiltshire
zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-
4799-Refactor-ACL-check-in-.patch      1970-01-01
00:00:00.000000000 +0000
+++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-
4799-Refactor-ACL-check-in-.patch      2024-03-25
08:30:56.000000000 +0000
@@ -0,0 +1,1223 @@
This patch confuses me. It seems to contain a whole series of nested
patches? How do they get applied to the source package?
???
I do not understand, see patch 0027 joined it is a simple patch...
Is the source of the confusion here potentially that the patch adds new
files, as well as changing existing ones?

Regards,

Adam
Salvatore Bonaccorso
2024-06-22 19:00:01 UTC
Hi Bastien,
Post by Adam D. Barratt
Post by Bastien Roucariès
control: tag -1 - moreinfo
[...]
Post by Bastien Roucariès
Post by Jonathan Wiltshire
zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-
4799-Refactor-ACL-check-in-.patch      1970-01-01
00:00:00.000000000 +0000
+++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-
4799-Refactor-ACL-check-in-.patch      2024-03-25
08:30:56.000000000 +0000
@@ -0,0 +1,1223 @@
This patch confuses me. It seems to contain a whole series of nested
patches? How do they get applied to the source package?
???
I do not understand, see patch 0027 joined it is a simple patch...
Is the source of the confusion here potentially that the patch adds new
files, as well as changing existing ones?
Any comments here? (I guess likely it will be now too late for 12.6,
but maybe we can make it for 12.7?)

Regards,
Salvatore
Jonathan Wiltshire
2024-12-06 15:00:01 UTC
Control: tag -1 confirmed
Post by Salvatore Bonaccorso
Hi Bastien,
Post by Adam D. Barratt
Post by Bastien Roucariès
control: tag -1 - moreinfo
[...]
Post by Bastien Roucariès
Post by Jonathan Wiltshire
zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-
4799-Refactor-ACL-check-in-.patch      1970-01-01
00:00:00.000000000 +0000
+++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-
4799-Refactor-ACL-check-in-.patch      2024-03-25
08:30:56.000000000 +0000
@@ -0,0 +1,1223 @@
This patch confuses me. It seems to contain a whole series of nested
patches? How do they get applied to the source package?
???
I do not understand, see patch 0027 joined it is a simple patch...
Is the source of the confusion here potentially that the patch adds new
files, as well as changing existing ones?
Any comments here? (I guess likely it will be now too late for 12.6,
but maybe we can make it for 12.7?)
Yes, it's the diff-in-diff which confused me and then I lost track of the
whole thing. Sorry.

Please go ahead.

Thanks,
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Debian Bug Tracking System
2024-06-16 11:20:01 UTC
tag -1 - moreinfo
Bug #1068888 [release.debian.org] bookworm-pu: package zookeeper/3.8.0-11+deb12u2
Removed tag(s) moreinfo.
Debian Bug Tracking System
2024-12-06 15:00:01 UTC
tag -1 confirmed
Bug #1068888 [release.debian.org] bookworm-pu: package zookeeper/3.8.0-11+deb12u2
Added tag(s) confirmed.
Jonathan Wiltshire
2024-12-29 17:30:02 UTC
package release.debian.org
tags 1068888 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: zookeeper
Version: 3.8.0-11+deb12u2

Explanation: fix information disclosure in persistent watchers handling [CVE-2024-23944]
Debian Bug Tracking System
2025-01-11 11:10:01 UTC
Your message dated Sat, 11 Jan 2025 11:03:09 +0000
with message-id <E1tWZGn-009jcl-***@coccia.debian.org>
and subject line Close 1068888
has caused the Debian Bug report #1068888,
regarding bookworm-pu: package zookeeper/3.8.0-11+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)