Debian Security Advisory
DLA-986-1 zookeeper -- LTS security update
- Date Reported: 15 Jun 2017
- Affected Packages: zookeeper
- Security database references:
  In the Debian bugtracking system: Bug 863811.
  In Mitre's CVE dictionary: CVE-2017-5637.
- More information:
It was discovered that Zookeeper, a service for maintaining configuration information, didn't restrict access to the computationally expensive wchp/wchc commands which could result in denial of service by elevated CPU consumption.
This update disables those two commands by default. The new configuration option 4lw.commands.whitelist can be used to whitelist commands selectively (and the full set of commands can be restored with '*').
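As an added example (not part of the advisory or of the ZooKeeper or Debian code), the following Python script audits the text of a zoo.cfg for a 4lw.commands.whitelist setting that re-enables wchp or wchc, following the behaviour described above. It assumes the simple key=value form of the file; the function names and sample configurations are constructed for illustration.

```python
"""Audit zoo.cfg text for re-enabled wchp/wchc four-letter commands."""

EXPENSIVE = {"wchp", "wchc"}        # the two commands named in the advisory
OPTION = "4lw.commands.whitelist"   # option introduced by the update


def parse_whitelist(cfg_text):
    """Return the whitelist value as a set of commands, or None if unset.

    Assumption: only the simple 'key=value' form with '#' comments is
    handled; if the option is assigned more than once, the last one wins.
    """
    value = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == OPTION:
            value = {c.strip() for c in val.split(",") if c.strip()}
    return value


def exposed_expensive_commands(cfg_text):
    """Return the sorted list of expensive commands the config re-enables."""
    allowed = parse_whitelist(cfg_text)
    if allowed is None:      # option absent: patched default, both disabled
        return []
    if "*" in allowed:       # '*' restores the full command set
        return sorted(EXPENSIVE)
    return sorted(EXPENSIVE & allowed)


# Constructed sample configurations (not taken from any real system).
SAMPLES = {
    "default": "tickTime=2000\nclientPort=2181\n",
    "selective": "clientPort=2181\n4lw.commands.whitelist=stat, ruok, conf\n",
    "wildcard": "clientPort=2181\n4lw.commands.whitelist=*\n",
    "explicit": "# monitoring\n4lw.commands.whitelist = mntr, wchc\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        hits = exposed_expensive_commands(cfg)
        status = "OK" if not hits else "re-enabled: " + ", ".join(hits)
        print(f"{name:10} -> {status}")
```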
For Debian 7 Wheezy, these problems have been fixed in version 3.4.5+dfsg-2+deb7u1.
We recommend that you upgrade your zookeeper packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS