13824 2023-10-18 20:24:24 +0300 [CVE 21] bookkeeper 4.3.2 CVEs found 2023-12-12 01:21:27 +0300 1 1 2 ROSA-based products ROSA Fresh System (kernel, glibc, systemd, bash, PAM...) All All Linux RESOLVED WONTFIX CVE-2019-17571, CVE-2022-32531, Highest blocker --- 1 y.tumanov bugs a.proklov e.kosachev s.matveev v.potapov y.tumanov 2021.1 oldest_to_newest 69712 0 y.tumanov 2023-10-18 20:24:24 +0300 Please patch CVEs for package bookkeeper version 4.3.2 INFO (CVEs are): bookkeeper 4.3.2 cves found CVE-2019-17571 Desc: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. Link: https://nvd.nist.gov/vuln/detail/CVE-2019-17571 Severity: CRITICAL CVE-2022-32531 Desc: The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1. Link: https://nvd.nist.gov/vuln/detail/CVE-2022-32531 Severity: MEDIUM 69985 1 v.potapov 2023-10-20 11:38:52 +0300 *** Bug 13692 has been marked as a duplicate of this bug. *** 69987 2 v.potapov 2023-10-20 11:39:12 +0300 *** Bug 13500 has been marked as a duplicate of this bug. *** 70368 3 a.proklov 2023-10-22 03:59:44 +0300 CVE-2019-17571 закрыто использованием системной log4j-1.2.17 CVE-2022-32531 патча нету, рекомендуют обновляться 4.14.6 and 4.15.1 71455 4 s.matveev 2023-12-12 01:21:27 +0300 Входит в java-стек, который пока обновляться не будет