Hi Bastien,

On Sun, Dec 22, 2024 at 11:10:34AM +0000, Bastien Roucariès wrote:
> Hi,
>
> I believe CVE-2024-23944 should be marked ignored for older releases:
> - Persistent (and p-recursive) watches were introduced by ZOOKEEPER-1416,
>   which only exists in 3.6+. This is needed for the exploit.
> - According to upstream, when classical watches are used (<< 3.6), it seems that
>   triggering for nodes whose names are not known in advance is not possible.
>   Nevertheless, classical watches leak some information.
> - This is only an information leak, and a limited one, so for me it is minor.
> - It will be hard to fix (no upstream support, EOL upstream).
>
> So ignored for me.
>
After reviewing your summary and the related information in the security tracker, I agree that CVE-2024-23944 should be marked <ignored> for LTS and ELTS releases.

Regards,

-Roberto

--
Roberto C. Sánchez ◈ Freexian SARL
https://www.freexian.com