CVE-2024-23944 : ignored for LTS ELTS ?

To: extended-lts-team@freexian.com, debian-lts@lists.debian.org, pochu@debian.org, extended-lts-team@freexian.com, debian-lts@lists.debian.org, pochu@debian.org, extended-lts-team@freexian.com, debian-lts@lists.debian.org, pochu@debian.org
Subject: CVE-2024-23944 : ignored for LTS ELTS ?
From: Bastien Roucariès <rouca@debian.org>
Date: Sun, 22 Dec 2024 11:10:34 +0000
Message-id: <[🔎] 3064018.CIpBngTsSR@portable-bastien>

Hi,

I believe CVE-2024-23944  should be marked ignored for older release:
- Persistent (and p-recursive) watches were introduced by ZOOKEEPER-1416, which only exists in 3.6+. This is needed for exploit
- according to upstream  classical watches are used (<< 3.6), it seems that to trigger for nodes whose names are not
known in advance is not possible. Nevertheless classical watch leaks some information.
- this is only a information leak and limited so for me minor
- it will be hard to fix (no upstream support EOL upstream)

So ignored for me 

bastien

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Follow-Ups:
- Re: CVE-2024-23944 : ignored for LTS ELTS ?
  - From: Roberto C. Sánchez <roberto@freexian.com>

Prev by Date: Re: ceph 14.2.22 for bullseye
Next by Date: Re: Fixing src:ucf environmnent variable insecurity in [old]stable
Previous by thread: Re: PHP ReDoS question
Next by thread: Re: CVE-2024-23944 : ignored for LTS ELTS ?
Index(es):
- Date
- Thread