13692 2023-10-18 19:59:42 +0300 [CVE 21] bookkeeper 4.3.2 CVEs found 2023-10-20 11:38:52 +0300 1 1 2 ROSA-based products ROSA Fresh System (kernel, glibc, systemd, bash, PAM...) All All Linux RESOLVED DUPLICATE 13824 CVE-2019-17571, CVE-2022-32531, Normal normal --- 1 y.tumanov bugs e.kosachev s.matveev v.potapov y.tumanov 2021.1 oldest_to_newest 69580 0 y.tumanov 2023-10-18 19:59:42 +0300 Please patch CVEs for package bookkeeper version 4.3.2 INFO (CVEs are): bookkeeper 4.3.2 cves found CVE-2019-17571 Desc: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. Link: https://nvd.nist.gov/vuln/detail/CVE-2019-17571 Severity: CRITICAL CVE-2022-32531 Desc: The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1. Link: https://nvd.nist.gov/vuln/detail/CVE-2022-32531 Severity: MEDIUM 69984 1 v.potapov 2023-10-20 11:38:52 +0300 *** This bug has been marked as a duplicate of bug 13824 ***