Debian Security Advisory

DLA-986-1 zookeeper -- LTS security update

Date Reported:
15 Jun 2017
Affected Packages:
zookeeper
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 863811.
In Mitre's CVE dictionary: CVE-2017-5637.
More information:

It was discovered that Zookeeper, a service for maintaining configuration information, didn't restrict access to the computationally expensive wchp/wchc commands, which could result in denial of service by elevated CPU consumption.

This update disables those two commands by default. The new configuration option 4lw.commands.whitelist can be used to whitelist commands selectively (the full set of commands can be restored with '*').
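A configuration check for the option described above, as an added example that is not part of the advisory or of the ZooKeeper project: it reports whether a zoo.cfg re-enables wchp or wchc, either by name or through '*'. The function names and sample configurations are constructed for illustration, and the parser assumes plain key=value lines with a comma-separated whitelist value.

```python
# Added example: audit zoo.cfg text for re-enabled wchp/wchc four-letter commands.
EXPENSIVE = {"wchp", "wchc"}          # the two commands named in this advisory
KEY = "4lw.commands.whitelist"        # option named in this advisory


def parse_whitelist(cfg_text):
    """Return the whitelist entries as a list, or None if the option is not set.

    Assumes simple 'key=value' lines; '#' starts a comment line.
    If the key appears more than once, the last value wins.
    """
    value = None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == KEY:
            value = val
    if value is None:
        return None
    return [item.strip() for item in value.split(",") if item.strip()]


def expensive_enabled(cfg_text):
    """Return the set of expensive commands the whitelist turns back on."""
    entries = parse_whitelist(cfg_text)
    if entries is None:
        return set()                  # option unset: patched default keeps both disabled
    if "*" in entries:
        return set(EXPENSIVE)         # '*' restores the full command set
    return EXPENSIVE.intersection(entries)


# Constructed sample configurations (not taken from a real deployment).
SAMPLES = {
    "default": "tickTime=2000\nclientPort=2181\n",
    "selective": "clientPort=2181\n4lw.commands.whitelist=stat, ruok, mntr\n",
    "wildcard": "clientPort=2181\n4lw.commands.whitelist=*\n",
    "explicit": "4lw.commands.whitelist = srvr, wchc\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        hits = sorted(expensive_enabled(text))
        print(f"{name:10s} -> {'re-enables ' + ', '.join(hits) if hits else 'ok'}")
```

An empty result for an unset option is only meaningful on the fixed package version, where the two commands are disabled by default.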

For Debian 7 Wheezy, these problems have been fixed in version 3.4.5+dfsg-2+deb7u1.

We recommend that you upgrade your zookeeper packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS