Hi,

I believe CVE-2024-23944 should be marked ignored for older releases:

- Persistent (and p-recursive) watches were introduced by ZOOKEEPER-1416, which only exists in 3.6+. This is needed for the exploit.
- According to upstream, classical watches are used (<< 3.6); it seems that triggering for nodes whose names are not known in advance is not possible. Nevertheless, the classical watch leaks some information.
- This is only an information leak, and limited, so for me minor.
- It will be hard to fix (no upstream support, EOL upstream).

So ignored for me.

bastien