Debian Bug report logs -
#929283
zookeeper: CVE-2019-0201: information disclosure vulnerability
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#929283
; Package src:zookeeper
.
(Mon, 20 May 2019 20:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Mon, 20 May 2019 20:06:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: zookeeper
Version: 3.4.13-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://issues.apache.org/jira/browse/ZOOKEEPER-1392
Control: found -1 3.4.9-3+deb9u1
Control: found -1 3.4.9-1
Hi,
The following vulnerability was published for zookeeper.
CVE-2019-0201[0]:
Information disclosure vulnerability
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-0201
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0201
[1] https://issues.apache.org/jira/browse/ZOOKEEPER-1392
[2] https://www.openwall.com/lists/oss-security/2019/05/20/1
Regards,
Salvatore
Marked as found in versions zookeeper/3.4.9-3+deb9u1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Mon, 20 May 2019 20:06:03 GMT) (full text, mbox, link).
Marked as found in versions zookeeper/3.4.9-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Mon, 20 May 2019 20:06:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#929283
; Package src:zookeeper
.
(Thu, 23 May 2019 06:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Chris Lamb" <lamby@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Thu, 23 May 2019 06:09:03 GMT) (full text, mbox, link).
Message #14 received at 929283@bugs.debian.org (full text, mbox, reply):
[Adding team@security.debian.org to CC]
Hi,
> zookeeper: CVE-2019-0201: information disclosure vulnerability
Happy to prepare an update for stretch; I plan to do one for jessie
LTS (which, helpfully, has the same version...)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#929283
; Package src:zookeeper
.
(Thu, 23 May 2019 15:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Thu, 23 May 2019 15:45:03 GMT) (full text, mbox, link).
Message #19 received at 929283@bugs.debian.org (full text, mbox, reply):
On Thu, May 23, 2019 at 07:04:43AM +0100, Chris Lamb wrote:
> [Adding team@security.debian.org to CC]
>
> Hi,
>
> > zookeeper: CVE-2019-0201: information disclosure vulnerability
>
> Happy to prepare an update for stretch; I plan to do one for jessie
> LTS (which, helpfully, has the same version...)
Sounds good, we should fix that in Stretch. I've just added the reference
to the upstream commit in the 3.4 branch to the Security Tracker.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#929283
; Package src:zookeeper
.
(Fri, 24 May 2019 08:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to "Chris Lamb" <lamby@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Fri, 24 May 2019 08:21:04 GMT) (full text, mbox, link).
Message #24 received at 929283@bugs.debian.org (full text, mbox, reply):
tags 929283 + patch
thanks
Hi Moritz,
> > > zookeeper: CVE-2019-0201: information disclosure vulnerability
> >
> > Happy to prepare an update for stretch; I plan to do one for jessie
> > LTS (which, helpfully, has the same version...)
>
> Sounds good, we should fix that in Stretch. I've just added the reference
> to the upstream commit in the 3.4 branch to the Security Tracker.
Thanks. Here is my diff:
diff --git a/debian/changelog b/debian/changelog
index ea8c13e..6e92313 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+zookeeper (3.4.9-3+deb9u2) stretch-security; urgency=high
+
+ * CVE-2019-0201: Prevent an information disclosure vulnerability where users
+ who were not authorised to read data were able to view the access control
+ list. (Closes: #929283)
+
+ -- Chris Lamb <lamby@debian.org> Fri, 24 May 2019 08:57:53 +0100
+
zookeeper (3.4.9-3+deb9u1) stretch-security; urgency=high
* Team upload.
diff --git a/debian/patches/CVE-2019-11579.patch b/debian/patches/CVE-2019-11579.patch
new file mode 100644
index 0000000..e4c314c
--- /dev/null
+++ b/debian/patches/CVE-2019-11579.patch
@@ -0,0 +1,57 @@
+--- zookeeper-3.4.9.orig/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java
++++ zookeeper-3.4.9/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java
+@@ -20,6 +20,7 @@ package org.apache.zookeeper.server;
+
+ import java.io.IOException;
+ import java.nio.ByteBuffer;
++import java.util.ArrayList;
+ import java.util.List;
+
+ import org.apache.jute.Record;
+@@ -32,6 +33,7 @@ import org.apache.zookeeper.KeeperExcept
+ import org.apache.zookeeper.KeeperException.SessionMovedException;
+ import org.apache.zookeeper.ZooDefs.OpCode;
+ import org.apache.zookeeper.data.ACL;
++import org.apache.zookeeper.data.Id;
+ import org.apache.zookeeper.data.Stat;
+ import org.apache.zookeeper.proto.CreateResponse;
+ import org.apache.zookeeper.proto.ExistsRequest;
+@@ -308,10 +310,35 @@ public class FinalRequestProcessor imple
+ GetACLRequest getACLRequest = new GetACLRequest();
+ ByteBufferInputStream.byteBuffer2Record(request.request,
+ getACLRequest);
++ DataNode n = zks.getZKDatabase().getNode(getACLRequest.getPath());
++ if (n == null) {
++ throw new KeeperException.NoNodeException();
++ }
++ PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n),
++ ZooDefs.Perms.READ | ZooDefs.Perms.ADMIN,
++ request.authInfo);
++
+ Stat stat = new Stat();
+- List<ACL> acl =
+- zks.getZKDatabase().getACL(getACLRequest.getPath(), stat);
+- rsp = new GetACLResponse(acl, stat);
++ List<ACL> acl =
++ zks.getZKDatabase().getACL(getACLRequest.getPath(), stat);
++ try {
++ PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n),
++ ZooDefs.Perms.ADMIN,
++ request.authInfo);
++ rsp = new GetACLResponse(acl, stat);
++ } catch (KeeperException.NoAuthException e) {
++ List<ACL> acl1 = new ArrayList<ACL>(acl.size());
++ for (ACL a : acl) {
++ if ("digest".equals(a.getId().getScheme())) {
++ Id id = a.getId();
++ Id id1 = new Id(id.getScheme(), id.getId().replaceAll(":.*", ":x"));
++ acl1.add(new ACL(a.getPerms(), id1));
++ } else {
++ acl1.add(a);
++ }
++ }
++ rsp = new GetACLResponse(acl1, stat);
++ }
+ break;
+ }
+ case OpCode.getChildren: {
diff --git a/debian/patches/series b/debian/patches/series
index 9dd03d0..c0b9747 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
09-spell-check.patch
10-CVE-2017-5637.patch
CVE-2018-8012.patch
+CVE-2019-11579.patch
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
Added tag(s) patch.
Request was from "Chris Lamb" <lamby@debian.org>
to control@bugs.debian.org
.
(Fri, 24 May 2019 08:21:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#929283
; Package src:zookeeper
.
(Sun, 26 May 2019 19:03:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Sun, 26 May 2019 19:03:08 GMT) (full text, mbox, link).
Message #31 received at 929283@bugs.debian.org (full text, mbox, reply):
On Fri, May 24, 2019 at 09:19:00AM +0100, Chris Lamb wrote:
> tags 929283 + patch
> thanks
>
> Hi Moritz,
>
> > > > zookeeper: CVE-2019-0201: information disclosure vulnerability
> > >
> > > Happy to prepare an update for stretch; I plan to do one for jessie
> > > LTS (which, helpfully, has the same version...)
> >
> > Sounds good, we should fix that in Stretch. I've just added the reference
> > to the upstream commit in the 3.4 branch to the Security Tracker.
>
> Thanks. Here is my diff:
Looks fine, but can you please also include the test case upstream added?
Given that it's quite complex to reconstruct the specific affected ZK setup,
we should at least ship/run the test case.
Cheers,
Moritz
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org
.
(Mon, 27 May 2019 19:30:14 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#929283
; Package src:zookeeper
.
(Tue, 28 May 2019 05:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to tony mancill <tmancill@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Tue, 28 May 2019 05:09:03 GMT) (full text, mbox, link).
Message #38 received at 929283@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> On Fri, May 24, 2019 at 09:19:00AM +0100, Chris Lamb wrote:
> > tags 929283 + patch
> > thanks
> >
> > Hi Moritz,
> >
> > > > > zookeeper: CVE-2019-0201: information disclosure vulnerability
> > > >
> > > > Happy to prepare an update for stretch; I plan to do one for jessie
> > > > LTS (which, helpfully, has the same version...)
> > >
> > > Sounds good, we should fix that in Stretch. I've just added the reference
> > > to the upstream commit in the 3.4 branch to the Security Tracker.
> >
> > Thanks. Here is my diff:
>
> Looks fine, but can you please also include the test case upstream added?
> Given that it's quite complex to reconstruct the specific affected ZK setup,
> we should at least ship/run the test case.
I will prepare an upload for 3.4.13 in testing/unstable soon - should be
in the next day or so.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#929283
; Package src:zookeeper
.
(Thu, 30 May 2019 13:51:02 GMT) (full text, mbox, link).
Acknowledgement sent
to tony mancill <tmancill@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Thu, 30 May 2019 13:51:03 GMT) (full text, mbox, link).
Message #43 received at 929283@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > Looks fine, but can you please also include the test case upstream added?
> > Given that it's quite complex to reconstruct the specific affected ZK setup,
> > we should at least ship/run the test case.
>
> I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> in the next day or so.
As an update...
Regarding the upload of a patched 3.4.13 for buster and unstable,
cherry-picking and adapting the upstream patch from the 3.4.14 branch is
straight-forward and complete [1]. The package is building, etc.
The delay is that the tests for the Debian package aren't in a state
where they are easy to run. This predates this issue, going back to the
changes made when netty 3.9 was removed from Debian. Since the changes
to the packaging and patches to re-enable tests would be extensive (I am
still working through them), I'm not certain that they will be suitable
for an upload during the freeze. At a minimum, I intend to get them
working locally and push a branch so that others can verify, as well as
run the updated ZK through some local smoke-testing that validates the
ACL change.
Cheers,
tony
[1] https://salsa.debian.org/java-team/zookeeper/commit/41265b610149bd708232e40faf945f3c79b60b85
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#929283
; Package src:zookeeper
.
(Fri, 31 May 2019 07:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Fri, 31 May 2019 07:03:03 GMT) (full text, mbox, link).
Message #48 received at 929283@bugs.debian.org (full text, mbox, reply):
Hi Tony,
On Thu, May 30, 2019 at 06:47:33AM -0700, tony mancill wrote:
> On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> > On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > > Looks fine, but can you please also include the test case upstream added?
> > > Given that it's quite complex to reconstruct the specific affected ZK setup,
> > > we should at least ship/run the test case.
> >
> > I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> > in the next day or so.
>
> As an update...
>
> Regarding the upload of a patched 3.4.13 for buster and unstable,
> cherry-picking and adapting the upstream patch from the 3.4.14 branch is
> straight-forward and complete [1]. The package is building, etc.
>
> The delay is that the tests for the Debian package aren't in a state
> where they are easy to run. This predates this issue, going back to the
> changes made when netty 3.9 was removed from Debian. Since the changes
> to the packaging and patches to re-enable tests would be extensive (I am
> still working through them), I'm not certain that they will be suitable
> for an upload during the freeze. At a minimum, I intend to get them
> working locally and push a branch so that others can verify, as well as
> run the updated ZK through some local smoke-testing that validates the
> ACL change.
Thanks for giving an update on the state!
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#929283
; Package src:zookeeper
.
(Tue, 04 Jun 2019 21:09:06 GMT) (full text, mbox, link).
Acknowledgement sent
to "Chris Lamb" <lamby@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Tue, 04 Jun 2019 21:09:06 GMT) (full text, mbox, link).
Message #53 received at 929283@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Moritz,
> > Thanks. Here is my diff:
>
> Looks fine, but can you please also include the test case upstream added?
> Given that it's quite complex to reconstruct the specific affected ZK setup,
> we should at least ship/run the test case.
Sure. Here's my updated patch:
diffstat for zookeeper-3.4.9 zookeeper-3.4.9
changelog | 8 +
patches/CVE-2019-11579.patch | 290 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 299 insertions(+)
diff -Nru zookeeper-3.4.9/debian/changelog zookeeper-3.4.9/debian/changelog
--- zookeeper-3.4.9/debian/changelog 2018-05-23 21:34:43.000000000 +0100
+++ zookeeper-3.4.9/debian/changelog 2019-05-24 08:57:53.000000000 +0100
@@ -1,3 +1,11 @@
+zookeeper (3.4.9-3+deb9u2) stretch-security; urgency=high
+
+ * CVE-2019-0201: Prevent an information disclosure vulnerability where users
+ who were not authorised to read data were able to view the access control
+ list. (Closes: #929283)
+
+ -- Chris Lamb <lamby@debian.org> Fri, 24 May 2019 08:57:53 +0100
+
zookeeper (3.4.9-3+deb9u1) stretch-security; urgency=high
* Team upload.
diff -Nru zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch
--- zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch 1970-01-01 01:00:00.000000000 +0100
+++ zookeeper-3.4.9/debian/patches/CVE-2019-11579.patch 2019-05-24 08:57:53.000000000 +0100
@@ -0,0 +1,290 @@
+--- zookeeper-3.4.9.orig/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java
++++ zookeeper-3.4.9/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java
+@@ -20,6 +20,7 @@ package org.apache.zookeeper.server;
+
+ import java.io.IOException;
+ import java.nio.ByteBuffer;
++import java.util.ArrayList;
+ import java.util.List;
+
+ import org.apache.jute.Record;
+@@ -32,6 +33,7 @@ import org.apache.zookeeper.KeeperExcept
+ import org.apache.zookeeper.KeeperException.SessionMovedException;
+ import org.apache.zookeeper.ZooDefs.OpCode;
+ import org.apache.zookeeper.data.ACL;
++import org.apache.zookeeper.data.Id;
+ import org.apache.zookeeper.data.Stat;
+ import org.apache.zookeeper.proto.CreateResponse;
+ import org.apache.zookeeper.proto.ExistsRequest;
+@@ -308,10 +310,35 @@ public class FinalRequestProcessor imple
+ GetACLRequest getACLRequest = new GetACLRequest();
+ ByteBufferInputStream.byteBuffer2Record(request.request,
+ getACLRequest);
++ DataNode n = zks.getZKDatabase().getNode(getACLRequest.getPath());
++ if (n == null) {
++ throw new KeeperException.NoNodeException();
++ }
++ PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n),
++ ZooDefs.Perms.READ | ZooDefs.Perms.ADMIN,
++ request.authInfo);
++
+ Stat stat = new Stat();
+- List<ACL> acl =
+- zks.getZKDatabase().getACL(getACLRequest.getPath(), stat);
+- rsp = new GetACLResponse(acl, stat);
++ List<ACL> acl =
++ zks.getZKDatabase().getACL(getACLRequest.getPath(), stat);
++ try {
++ PrepRequestProcessor.checkACL(zks, zks.getZKDatabase().aclForNode(n),
++ ZooDefs.Perms.ADMIN,
++ request.authInfo);
++ rsp = new GetACLResponse(acl, stat);
++ } catch (KeeperException.NoAuthException e) {
++ List<ACL> acl1 = new ArrayList<ACL>(acl.size());
++ for (ACL a : acl) {
++ if ("digest".equals(a.getId().getScheme())) {
++ Id id = a.getId();
++ Id id1 = new Id(id.getScheme(), id.getId().replaceAll(":.*", ":x"));
++ acl1.add(new ACL(a.getPerms(), id1));
++ } else {
++ acl1.add(a);
++ }
++ }
++ rsp = new GetACLResponse(acl1, stat);
++ }
+ break;
+ }
+ case OpCode.getChildren: {
+--- /dev/null
++++ zookeeper-3.4.9/src/java/test/org/apache/zookeeper/test/FinalRequestProcessorTest.java
+@@ -0,0 +1,230 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements. See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership. The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package org.apache.zookeeper.server;
++
++import org.apache.jute.BinaryOutputArchive;
++import org.apache.jute.Record;
++import org.apache.zookeeper.KeeperException;
++import org.apache.zookeeper.ZooDefs;
++import org.apache.zookeeper.data.ACL;
++import org.apache.zookeeper.data.Id;
++import org.apache.zookeeper.data.Stat;
++import org.apache.zookeeper.proto.GetACLRequest;
++import org.apache.zookeeper.proto.GetACLResponse;
++import org.apache.zookeeper.proto.ReplyHeader;
++import org.junit.Before;
++import org.junit.Test;
++import org.mockito.invocation.InvocationOnMock;
++import org.mockito.stubbing.Answer;
++
++import java.io.ByteArrayOutputStream;
++import java.io.IOException;
++import java.nio.ByteBuffer;
++import java.util.ArrayList;
++import java.util.Arrays;
++import java.util.List;
++
++import static org.hamcrest.Matchers.equalTo;
++import static org.junit.Assert.assertThat;
++import static org.junit.Assert.assertTrue;
++import static org.mockito.Matchers.any;
++import static org.mockito.Matchers.anyString;
++import static org.mockito.Matchers.eq;
++import static org.mockito.Mockito.doAnswer;
++import static org.mockito.Mockito.mock;
++import static org.mockito.Mockito.when;
++
++public class FinalRequestProcessorTest {
++ private List<ACL> testACLs = new ArrayList<ACL>();
++ private final Record[] responseRecord = new Record[1];
++ private final ReplyHeader[] replyHeaders = new ReplyHeader[1];
++
++ private ServerCnxn cnxn;
++ private ByteBuffer bb;
++ private FinalRequestProcessor processor;
++
++ @Before
++ public void setUp() throws KeeperException.NoNodeException, IOException {
++ testACLs.clear();
++ testACLs.addAll(Arrays.asList(
++ new ACL(ZooDefs.Perms.ALL, new Id("digest", "user:secrethash")),
++ new ACL(ZooDefs.Perms.ADMIN, new Id("digest", "adminuser:adminsecret")),
++ new ACL(ZooDefs.Perms.READ, new Id("world", "anyone"))
++ ));
++
++ ZooKeeperServer zks = new ZooKeeperServer();
++ ZKDatabase db = mock(ZKDatabase.class);
++ String testPath = "/testPath";
++ when(db.getNode(eq(testPath))).thenReturn(new DataNode());
++ when(db.getACL(eq(testPath), any(Stat.class))).thenReturn(testACLs);
++ when(db.aclForNode(any(DataNode.class))).thenReturn(testACLs);
++ zks.setZKDatabase(db);
++ processor = new FinalRequestProcessor(zks);
++
++ cnxn = mock(ServerCnxn.class);
++ doAnswer(new Answer() {
++ @Override
++ public Object answer(InvocationOnMock invocationOnMock) {
++ replyHeaders[0] = (ReplyHeader) invocationOnMock.getArguments()[0];
++ responseRecord[0] = (Record) invocationOnMock.getArguments()[1];
++ return null;
++ }
++ }).when(cnxn).sendResponse(any(ReplyHeader.class), any(Record.class), anyString());
++
++ GetACLRequest getACLRequest = new GetACLRequest();
++ getACLRequest.setPath(testPath);
++ ByteArrayOutputStream baos = new ByteArrayOutputStream();
++ BinaryOutputArchive boa = BinaryOutputArchive.getArchive(baos);
++ getACLRequest.serialize(boa, "request");
++ baos.close();
++ bb = ByteBuffer.wrap(baos.toByteArray());
++ }
++
++ @Test
++ public void testACLDigestHashHiding_NoAuth_WorldCanRead() {
++ // Arrange
++
++ // Act
++ Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, new ArrayList<Id>());
++ processor.processRequest(r);
++
++ // Assert
++ assertMasked(true);
++ }
++
++ @Test
++ public void testACLDigestHashHiding_NoAuth_NoWorld() {
++ // Arrange
++ testACLs.remove(2);
++
++ // Act
++ Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, new ArrayList<Id>());
++ processor.processRequest(r);
++
++ // Assert
++ assertThat(KeeperException.Code.get(replyHeaders[0].getErr()), equalTo(KeeperException.Code.NOAUTH));
++ }
++
++ @Test
++ public void testACLDigestHashHiding_UserCanRead() {
++ // Arrange
++ List<Id> authInfo = new ArrayList<Id>();
++ authInfo.add(new Id("digest", "otheruser:somesecrethash"));
++
++ // Act
++ Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, authInfo);
++ processor.processRequest(r);
++
++ // Assert
++ assertMasked(true);
++ }
++
++ @Test
++ public void testACLDigestHashHiding_UserCanAll() {
++ // Arrange
++ List<Id> authInfo = new ArrayList<Id>();
++ authInfo.add(new Id("digest", "user:secrethash"));
++
++ // Act
++ Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, authInfo);
++ processor.processRequest(r);
++
++ // Assert
++ assertMasked(false);
++ }
++
++ @Test
++ public void testACLDigestHashHiding_AdminUser() {
++ // Arrange
++ List<Id> authInfo = new ArrayList<Id>();
++ authInfo.add(new Id("digest", "adminuser:adminsecret"));
++
++ // Act
++ Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, authInfo);
++ processor.processRequest(r);
++
++ // Assert
++ assertMasked(false);
++ }
++
++ @Test
++ public void testACLDigestHashHiding_OnlyAdmin() {
++ // Arrange
++ testACLs.clear();
++ testACLs.addAll(Arrays.asList(
++ new ACL(ZooDefs.Perms.READ, new Id("digest", "user:secrethash")),
++ new ACL(ZooDefs.Perms.ADMIN, new Id("digest", "adminuser:adminsecret"))
++ ));
++ List<Id> authInfo = new ArrayList<Id>();
++ authInfo.add(new Id("digest", "adminuser:adminsecret"));
++
++ // Act
++ Request r = new Request(cnxn, 0, 0, ZooDefs.OpCode.getACL, bb, authInfo);
++ processor.processRequest(r);
++
++ // Assert
++ assertTrue("Not a GetACL response. Auth failed?", responseRecord[0] instanceof GetACLResponse);
++ GetACLResponse rsp = (GetACLResponse)responseRecord[0];
++ assertThat("Number of ACLs in the response are different", rsp.getAcl().size(), equalTo(2));
++
++ // Verify ACLs in the response
++ assertThat("Password hash mismatch in the response", rsp.getAcl().get(0).getId().getId(), equalTo("user:secrethash"));
++ assertThat("Password hash mismatch in the response", rsp.getAcl().get(1).getId().getId(), equalTo("adminuser:adminsecret"));
++ }
++
++ private void assertMasked(boolean masked) {
++ assertTrue("Not a GetACL response. Auth failed?", responseRecord[0] instanceof GetACLResponse);
++ GetACLResponse rsp = (GetACLResponse)responseRecord[0];
++ assertThat("Number of ACLs in the response are different", rsp.getAcl().size(), equalTo(3));
++
++ // Verify ACLs in the response
++ assertThat("Invalid ACL list in the response", rsp.getAcl().get(0).getPerms(), equalTo(ZooDefs.Perms.ALL));
++ assertThat("Invalid ACL list in the response", rsp.getAcl().get(0).getId().getScheme(), equalTo("digest"));
++ if (masked) {
++ assertThat("Password hash is not masked in the response", rsp.getAcl().get(0).getId().getId(), equalTo("user:x"));
++ } else {
++ assertThat("Password hash mismatch in the response", rsp.getAcl().get(0).getId().getId(), equalTo("user:secrethash"));
++ }
++
++ assertThat("Invalid ACL list in the response", rsp.getAcl().get(1).getPerms(), equalTo(ZooDefs.Perms.ADMIN));
++ assertThat("Invalid ACL list in the response", rsp.getAcl().get(1).getId().getScheme(), equalTo("digest"));
++ if (masked) {
++ assertThat("Password hash is not masked in the response", rsp.getAcl().get(1).getId().getId(), equalTo("adminuser:x"));
++ } else {
++ assertThat("Password hash mismatch in the response", rsp.getAcl().get(1).getId().getId(), equalTo("adminuser:adminsecret"));
++ }
++
++ assertThat("Invalid ACL list in the response", rsp.getAcl().get(2).getPerms(), equalTo(ZooDefs.Perms.READ));
++ assertThat("Invalid ACL list in the response", rsp.getAcl().get(2).getId().getScheme(), equalTo("world"));
++ assertThat("Invalid ACL list in the response", rsp.getAcl().get(2).getId().getId(), equalTo("anyone"));
++
++ // Verify that FinalRequestProcessor hasn't changed the original ACL objects
++ assertThat("Original ACL list has been modified", testACLs.get(0).getPerms(), equalTo(ZooDefs.Perms.ALL));
++ assertThat("Original ACL list has been modified", testACLs.get(0).getId().getScheme(), equalTo("digest"));
++ assertThat("Original ACL list has been modified", testACLs.get(0).getId().getId(), equalTo("user:secrethash"));
++
++ assertThat("Original ACL list has been modified", testACLs.get(1).getPerms(), equalTo(ZooDefs.Perms.ADMIN));
++ assertThat("Original ACL list has been modified", testACLs.get(1).getId().getScheme(), equalTo("digest"));
++ assertThat("Original ACL list has been modified", testACLs.get(1).getId().getId(), equalTo("adminuser:adminsecret"));
++
++ assertThat("Original ACL list has been modified", testACLs.get(2).getPerms(), equalTo(ZooDefs.Perms.READ));
++ assertThat("Original ACL list has been modified", testACLs.get(2).getId().getScheme(), equalTo("world"));
++ assertThat("Original ACL list has been modified", testACLs.get(2).getId().getId(), equalTo("anyone"));
++ }
++}
diff -Nru zookeeper-3.4.9/debian/patches/series zookeeper-3.4.9/debian/patches/series
--- zookeeper-3.4.9/debian/patches/series 2018-05-23 21:34:43.000000000 +0100
+++ zookeeper-3.4.9/debian/patches/series 2019-05-24 08:57:53.000000000 +0100
@@ -9,3 +9,4 @@
09-spell-check.patch
10-CVE-2017-5637.patch
CVE-2018-8012.patch
+CVE-2019-11579.patch
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
[CVE-2019-11579.patch (text/x-patch, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#929283
; Package src:zookeeper
.
(Wed, 05 Jun 2019 05:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to tony mancill <tmancill@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Wed, 05 Jun 2019 05:03:03 GMT) (full text, mbox, link).
Message #58 received at 929283@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Fri, May 31, 2019 at 09:01:12AM +0200, Salvatore Bonaccorso wrote:
> Hi Tony,
>
> On Thu, May 30, 2019 at 06:47:33AM -0700, tony mancill wrote:
> > On Mon, May 27, 2019 at 10:07:38PM -0700, tony mancill wrote:
> > > On Sun, May 26, 2019 at 08:58:29PM +0200, Moritz Mühlenhoff wrote:
> > > > Looks fine, but can you please also include the test case upstream added?
> > > > Given that it's quite complex to reconstruct the specific affected ZK setup,
> > > > we should at least ship/run the test case.
> > >
> > > I will prepare an upload for 3.4.13 in testing/unstable soon - should be
> > > in the next day or so.
> >
> > As an update...
> >
> > Regarding the upload of a patched 3.4.13 for buster and unstable,
> > cherry-picking and adapting the upstream patch from the 3.4.14 branch is
> > straight-forward and complete [1]. The package is building, etc.
> >
> > The delay is that the tests for the Debian package aren't in a state
> > where they are easy to run. This predates this issue, going back to the
> > changes made when netty 3.9 was removed from Debian. Since the changes
> > to the packaging and patches to re-enable tests would be extensive (I am
> > still working through them), I'm not certain that they will be suitable
> > for an upload during the freeze. At a minimum, I intend to get them
> > working locally and push a branch so that others can verify, as well as
> > run the updated ZK through some local smoke-testing that validates the
> > ACL change.
>
> Thanks for giving an update on the state!
Hi Salvatore -
Apologies again for the delay. The zookeeper package tests are in rough
shape and I wasn't able to get all tests passing even after installing
libjetty-3.9-java in a local chroot and some hacking. The
work-in-progress 3.4.13-2+test branch is on Salsa [1], but getting the
tests into good working order will be a goal for buster.
However, I did verify the following before uploading:
- the test results between 3.4.13-1 and 3.4.13-2 are the same, meaning
no regressions
- the newly added FinalRequestProcessorTest in 3.4.13-2 passes
- I could reproduce the ACL information disclosure on 3.4.13-1
- 3.4.13-2 no longer freely shares ACLs on nodes with ACLs that prevent
unauthorized reading
I have just uploaded to unstable [2] and will request an unblock for
buster.
Thank you,
tony
[1] https://salsa.debian.org/java-team/zookeeper/tree/3.4.13-2+test
[signature.asc (application/pgp-signature, inline)]
Marked as fixed in versions zookeeper/3.4.13-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Wed, 05 Jun 2019 09:15:05 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Wed, 05 Jun 2019 09:15:05 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Wed, 05 Jun 2019 09:15:06 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#929283.
(Wed, 05 Jun 2019 09:15:08 GMT) (full text, mbox, link).
Message #67 received at 929283-submitter@bugs.debian.org (full text, mbox, reply):
close 929283 3.4.13-2
thanks
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
:
Bug#929283
; Package src:zookeeper
.
(Wed, 05 Jun 2019 14:57:02 GMT) (full text, mbox, link).
Acknowledgement sent
to "Chris Lamb" <lamby@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
.
(Wed, 05 Jun 2019 14:57:02 GMT) (full text, mbox, link).
Message #72 received at 929283@bugs.debian.org (full text, mbox, reply):
[adding 929283@bugs.debian.org to CC]
Hi Moritz,
> > Sure. Here's my updated patch:
Uploaded zookeeper_3.4.9-3+deb9u2_amd64.changes to security-master.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
Reply sent
to Chris Lamb <lamby@debian.org>
:
You have taken responsibility.
(Tue, 18 Jun 2019 21:54:07 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Tue, 18 Jun 2019 21:54:07 GMT) (full text, mbox, link).
Message #77 received at 929283-close@bugs.debian.org (full text, mbox, reply):
Source: zookeeper
Source-Version: 3.4.9-3+deb9u2
We believe that the bug you reported is fixed in the latest version of
zookeeper, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 929283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated zookeeper package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 24 May 2019 08:57:53 +0100
Source: zookeeper
Binary: libzookeeper-java zookeeper zookeeperd libzookeeper-java-doc libzookeeper-mt2 libzookeeper-st2 libzookeeper2 libzookeeper-mt-dev libzookeeper-st-dev zookeeper-bin python-zookeeper
Architecture: source all amd64
Version: 3.4.9-3+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
libzookeeper-java - Core Java libraries for zookeeper
libzookeeper-java-doc - API Documentation for zookeeper
libzookeeper-mt-dev - Development files for multi threaded zookeeper C bindings
libzookeeper-mt2 - Multi threaded C bindings for zookeeper
libzookeeper-st-dev - Development files for single threaded zookeeper C bindings
libzookeeper-st2 - Single threaded C bindings for zookeeper
libzookeeper2 - C bindings for zookeeper - transitional package
python-zookeeper - Python bindings for zookeeper
zookeeper - High-performance coordination service for distributed application
zookeeper-bin - Command line utilities for zookeeper
zookeeperd - Init control scripts for zookeeper
Closes: 929283
Changes:
zookeeper (3.4.9-3+deb9u2) stretch-security; urgency=high
.
* CVE-2019-0201: Prevent an information disclosure vulnerability where users
who were not authorised to read data were able to view the access control
list. (Closes: #929283)
Checksums-Sha1:
fd422563f8da1d774762931103c97e8515da3b3b 3021 zookeeper_3.4.9-3+deb9u2.dsc
a0a6168dcd380c5586c8dcfa144668f7a1a21c6d 1931392 zookeeper_3.4.9.orig.tar.xz
96790de23fd6781d297276ded726d95efa1185ff 87508 zookeeper_3.4.9-3+deb9u2.debian.tar.xz
cc0ae6b679b3c431bbff5768d57757478716943b 370888 libzookeeper-java-doc_3.4.9-3+deb9u2_all.deb
61657b56f6dd11792c90a29a1da3b8b61e177cdc 1360168 libzookeeper-java_3.4.9-3+deb9u2_all.deb
64fe2edb1e7c2eeeb6d90a832c18ad6ad2e603a5 90990 libzookeeper-mt-dev_3.4.9-3+deb9u2_amd64.deb
93b93d0d47773cd23f3853954a9f7a1bc328460c 112700 libzookeeper-mt2-dbgsym_3.4.9-3+deb9u2_amd64.deb
7525db2f8c22dd3db1f2d82f248852edac5d891e 75406 libzookeeper-mt2_3.4.9-3+deb9u2_amd64.deb
0fe1abc3325edfc21d551a6a91c1b16670878ccb 88248 libzookeeper-st-dev_3.4.9-3+deb9u2_amd64.deb
9d78cceb2f4c020a4c43446038cdaff1d678e1a1 105602 libzookeeper-st2-dbgsym_3.4.9-3+deb9u2_amd64.deb
f9fdd7ac14042e29455c4f258cca91c4c2f78edb 72966 libzookeeper-st2_3.4.9-3+deb9u2_amd64.deb
a6b739496bd7fc40c13776f9a90c77e9804f4e58 40982 libzookeeper2_3.4.9-3+deb9u2_amd64.deb
0cd165ffaefa231ca56c78010a9767f0430cae95 32352 python-zookeeper-dbgsym_3.4.9-3+deb9u2_amd64.deb
8893ba2fce4b65393c25781a8b9fc69cdc74b39d 58382 python-zookeeper_3.4.9-3+deb9u2_amd64.deb
cdf4de6ac208d33dee28da1e306eaca2c63c1cb7 413390 zookeeper-bin-dbgsym_3.4.9-3+deb9u2_amd64.deb
c35e5e224a75c7fd8fcd17fd6623d8bfa04c3662 94730 zookeeper-bin_3.4.9-3+deb9u2_amd64.deb
83f323ed9e982feb33809d3f8aac785f446b2ad9 141954 zookeeper_3.4.9-3+deb9u2_all.deb
6d399ec7ed1efe3ebb2a5023f746ac8c497c6b8b 17413 zookeeper_3.4.9-3+deb9u2_amd64.buildinfo
498a76e0bfabc5ca175691716314b94a345d936f 44068 zookeeperd_3.4.9-3+deb9u2_all.deb
Checksums-Sha256:
efbf3e61208c807edba26e62535f76527045fbeb21d18ade5b352db2c35f54ac 3021 zookeeper_3.4.9-3+deb9u2.dsc
1471e69d0b391c87208ec5a6ef5c6dbb1e31820b274b34ebd9a808940f36410b 1931392 zookeeper_3.4.9.orig.tar.xz
eec0dee2d132413af212cf07eec8fe9c57737761026462b645105b44258cfe74 87508 zookeeper_3.4.9-3+deb9u2.debian.tar.xz
91711e8000dbc6066598168e4e32fd0c702666b9a41be45d3cab279d2fe3af57 370888 libzookeeper-java-doc_3.4.9-3+deb9u2_all.deb
8254de5cb5c406f0f75bd9195cbf1ef251f389fc97f3f36aa5bdb85efda992e8 1360168 libzookeeper-java_3.4.9-3+deb9u2_all.deb
417778e736a31c5fbede8bfc60bd4bf91d67a4863455829b328f9d8b4cbc85df 90990 libzookeeper-mt-dev_3.4.9-3+deb9u2_amd64.deb
463b2ac62797051501b3fce7aeb5b300ee4bf987b48941e26d807e25849d4e3d 112700 libzookeeper-mt2-dbgsym_3.4.9-3+deb9u2_amd64.deb
705707822972c9ddb575bd89e3aaf0b7777ecf2241bf72b9e28bbb2acfac8467 75406 libzookeeper-mt2_3.4.9-3+deb9u2_amd64.deb
888cee40140e31d763b1e5b84ac8d971537165a9f9f54b8112954d090c1a4b28 88248 libzookeeper-st-dev_3.4.9-3+deb9u2_amd64.deb
3f033833f6e2ea02e377e66769c0c7b26f9d350b0c0c3ec75d36f1254e9293fd 105602 libzookeeper-st2-dbgsym_3.4.9-3+deb9u2_amd64.deb
cc220abb7197ecad89f1aa111ac2565647d9d0b29cc85da62ec344a79d271994 72966 libzookeeper-st2_3.4.9-3+deb9u2_amd64.deb
f4ba21723801807fd61f6725c2d01a4049e7e6df1338d8c35091444a797464ce 40982 libzookeeper2_3.4.9-3+deb9u2_amd64.deb
c7992e1f460167e26a751a9171776fbecff2866e4ae3c5dcc1bf7dbe51460c21 32352 python-zookeeper-dbgsym_3.4.9-3+deb9u2_amd64.deb
4f6164918249af2dd43310fe43eabcbf3e14aec1d7c0f53e55db4db6f6e325b5 58382 python-zookeeper_3.4.9-3+deb9u2_amd64.deb
2a8d2865f4cffbacdcdf2306abab859ff4762765ffe5e584da31663dbbac07aa 413390 zookeeper-bin-dbgsym_3.4.9-3+deb9u2_amd64.deb
3ed7b14aefc70368820601bd104409c630f3bf2eca35155c029449b568056ea1 94730 zookeeper-bin_3.4.9-3+deb9u2_amd64.deb
dd73ac6f0bac6ebbc092958a2a4f52bf7e3c8c54f6e286365b80232b7e8f62c4 141954 zookeeper_3.4.9-3+deb9u2_all.deb
7f0d550183d3f13912b6ca757996f997c25de59e75f26946eaadc468340968c5 17413 zookeeper_3.4.9-3+deb9u2_amd64.buildinfo
0dae6405cf625dbf8ff754c87bb40d3087fde82faa398e14d8ad20d07936e0ba 44068 zookeeperd_3.4.9-3+deb9u2_all.deb
Files:
d1d5583f09aeabf30fc2a7268104b8b2 3021 java optional zookeeper_3.4.9-3+deb9u2.dsc
d33aa506accaeade4260f1ba26ad3b8e 1931392 java optional zookeeper_3.4.9.orig.tar.xz
ef1b7f910ff68518158146e962f8287e 87508 java optional zookeeper_3.4.9-3+deb9u2.debian.tar.xz
a54ec72675f64d901f2d9a9e4870f7a1 370888 doc optional libzookeeper-java-doc_3.4.9-3+deb9u2_all.deb
e1c0059f814aa8e1f32cdba2251335c1 1360168 java optional libzookeeper-java_3.4.9-3+deb9u2_all.deb
877092808b4841ac6827dee814a0f917 90990 libdevel optional libzookeeper-mt-dev_3.4.9-3+deb9u2_amd64.deb
81fd831b7a77c933dd8bcfe198eda242 112700 debug extra libzookeeper-mt2-dbgsym_3.4.9-3+deb9u2_amd64.deb
49433fdb5fd17ea35b7d00f44c2b6b94 75406 libs optional libzookeeper-mt2_3.4.9-3+deb9u2_amd64.deb
1cd3623e86be4861176551dd00e14fd7 88248 libdevel optional libzookeeper-st-dev_3.4.9-3+deb9u2_amd64.deb
a86e32289b329bc95b6fac0d17f2c54c 105602 debug extra libzookeeper-st2-dbgsym_3.4.9-3+deb9u2_amd64.deb
b64b8c3fb47688ac1dbbee9103b1f842 72966 libs optional libzookeeper-st2_3.4.9-3+deb9u2_amd64.deb
3f0cbd7d4eff0a5bc772d8662de806bd 40982 oldlibs extra libzookeeper2_3.4.9-3+deb9u2_amd64.deb
d4ff32643c92c5c0926fc2181a034197 32352 debug extra python-zookeeper-dbgsym_3.4.9-3+deb9u2_amd64.deb
00b3b18bcdb7d3d79f8f580c199f4e46 58382 python optional python-zookeeper_3.4.9-3+deb9u2_amd64.deb
16b27c21c065a0c9fdeae1bd834897f7 413390 debug extra zookeeper-bin-dbgsym_3.4.9-3+deb9u2_amd64.deb
cf4fd47923dd59c9e03bfe1a29f6a456 94730 misc optional zookeeper-bin_3.4.9-3+deb9u2_amd64.deb
5c4cd01b83082f579ab5edca580064eb 141954 java optional zookeeper_3.4.9-3+deb9u2_all.deb
209a4545070e7e53ba0f14ec6050d57a 17413 java optional zookeeper_3.4.9-3+deb9u2_amd64.buildinfo
d7fef17d15a25d3408a087ba3b0cdc19 44068 java optional zookeeperd_3.4.9-3+deb9u2_all.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAlz31wgACgkQHpU+J9Qx
Hlgm1Q//V7RxWF0cUhq1cWS44HpIwfG4dc4PM61+6IEz4h5werE6IB8BD/vWIH1K
9bzYW3wBk5xJH1H1YtZ6WajDLEMo004SL8KeiTxVTlWbZeK1W3cFt94anVpQpRIP
R5qF+ZeBpWJzLICDGbGqmGnmO1Tp4N68dsMJZiVyUynYvdArSJMe+wYmyFnHh0q/
+TTZvlPkyVHVxgUpGorl8q36nNF/+iEr8pqsT+KtKYIAIG3rUuexy314m235MAy9
C+o27kt8oxBDCIdkO40U2CxFKT7B1YA8nj4Gi2rQcx50uZjfOnlufInl7+zFkOfU
nb64IqvSFX/+bQY2OEu/lhy4fr5Oqe1jdfDtcggI4z604sgrjoQcuu8u8cfDmiLN
PRg/7ITwIbqg6V6GSMBBBgsXgqYlIXqBAWP53gGVqXRX1eLSNsJ6X+W1TEfD7RfN
jDAr/rkvEbh7ruK6SiNphk/wawNIKBkKibo0l+BxhmBSOxYTv0a2DugLCBDPK+xW
f99gh0T0EmUTb7QU111ElEqps5Vs8ifRmCxj+tdgRah4uGrClVn+zDWMNWTJ5v5Q
ezdHtOnxrXcmU8q3e8GOaa/QlAkk7hgoFW+Nv8lMqfZ0kUXbLzrXaOjmw/C6xCHH
ecFxfP6eE28nlN+zgEzzn3pJY+Ff63jEjJkY5/72oVoPa7kfklU=
=SB8+
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:09:19 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.