<html>
    <head>
      <base href="https://bugzilla.rosalinux.ru/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Platform</th>
          <td>2021.1
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_CONFIRMED "
   title="CONFIRMED - bookkeeper 4.3.2 cve-s found"
   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13220">13220</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>bookkeeper 4.3.2 cve-s found
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>ROSA-based products
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Certified ROSA distros
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>Chrome
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>CONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>critical
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>System (kernel, glibc, systemd, bash, PAM...)
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Group</th>
          <td>ROSA-plus-NTCIT
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely execute
arbitrary code when combined with a deserialization gadget when listening to
untrusted network traffic for log data. This affects Log4j versions up to 1.2
up to 1.2.17. <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-17571">https://nvd.nist.gov/vuln/detail/CVE-2019-17571</a> CRITICAL

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not
close the connection to the bookkeeper server when TLS hostname verification
fails. This leaves the bookkeeper client vulnerable to a man in the middle
attack. The problem affects BookKeeper client prior to versions 4.14.6 and
4.15.1. <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-32531">https://nvd.nist.gov/vuln/detail/CVE-2022-32531</a> MEDIUM</pre>
        </div>
      </p>


    </body>
</html>