Bug#990345: zookeeper: various security issues

Christoph Anton Mitterer calestyo at scientia.net
Fri Jul 16 05:43:53 BST 2021


On Thu, 2021-07-15 at 21:18 -0700, tony mancill wrote:
> The Debian package disables building against Netty via this patch: 
> https://salsa.debian.org/java-team/zookeeper/-/blob/master/debian/patches/13-disable-netty-connection-factory.patch

Ah I see.


> This is certainly a valid point.  There is not time to change the
> situation for bullseye aside from filing an RM bug to prevent the
> package from shipping with the release.  That would impact transitive
> dependencies of which I believe activemq is the most significant.

Would it be possible to provide a more current version via backports...
I mean if it's not possible to get it in via some stable-update or so?


> As an aside, I took a quick look at the latest upstream activemq
> source
> release (https://activemq.apache.org/activemq-5016002-release) and it
> specifies zookeeper 3.4.14 in its pom.xml (which makes me feel a
> little
> better).

Isn’t that just telling the minimum version that works with it - not
what they'd consider a safe use from a security PoV?


> We can work on addressing the situation in bookworm.  (One idea I
> would
> propose is paring down the package to build just libzookeeper-java,
> because I imagine that many people use the Debian package to run
> their
> ZooKeeper ensembles, although maybe that's not true.) 

Well I for example use the daemon, too, but the software from which I
use it would anyway already require some newer version and doesn't work
with 3.4 anymore.
So for me that wouldn't matter much.


Thanks,
Chris.


