CVE-2024-23944: ignored for LTS/ELTS?

Hi,

I believe CVE-2024-23944 should be marked ignored for older releases:
- Persistent (and p-recursive) watches were introduced by ZOOKEEPER-1416, which only exists in 3.6+. This is needed for the exploit.
- According to upstream, with classical watches (< 3.6) it seems that triggering for nodes whose names are not
known in advance is not possible. Nevertheless, classical watches leak some information.
- This is only an information leak, and a limited one, so for me it is minor.
- It will be hard to fix (no upstream support; EOL upstream).

So ignored for me.

bastien
