Re: CVE-2024-23944 : ignored for LTS ELTS ?
Hi Bastien,
On Sun, Dec 22, 2024 at 11:10:34AM +0000, Bastien Roucariès wrote:
> Hi,
>
> I believe CVE-2024-23944 should be marked ignored for older releases:
> - Persistent (and p-recursive) watches were introduced by ZOOKEEPER-1416, which only exists in 3.6+. This is needed for exploit
> - according to upstream classical watches are used (<< 3.6), it seems that to trigger for nodes whose names are not
> known in advance is not possible. Nevertheless classical watch leaks some information.
> - this is only an information leak and limited so for me minor
> - it will be hard to fix (no upstream support EOL upstream)
>
> So ignored for me
>
After reviewing your summary and the related information in the
security tracker, I agree that CVE-2024-23944 should be marked <ignored>
for LTS and ELTS releases.
Regards,
-Roberto
--
Roberto C. Sánchez ◈ Freexian SARL
https://www.freexian.com