According to [1] netty 4.1.118 was only released on Feb 10th 2025, and if the CVE entry is correct this is the first version containing a patch.
So I don't think it's been fixed end of 2024 ... also, I agree with you that master still refers to 4.1.115, which is vulnerable. May be totally mistaken and miss something obvious here though ...

[1] https://netty.io/news/2025/02/10/4-1-118-Final.html

On Wed, Feb 19, 2025 at 7:33 PM Patrick Hunt <ph...@apache.org> wrote:

> I'm confused then, the master, 3.9 and 3.8 branch tips are all failing with
> owasp failures (see the link I provided). Also I had searched our JIRA and
> PRs before replying and not seen these CVEs referenced. This means they are
> not fixed, at least not in ZK itself. What am I missing? afaict we need
> JIRA and PRs, then we can cut releases.....
>
> Regards,
>
> Patrick
>
> On Wed, Feb 19, 2025 at 9:50 AM Robson Braga <robsonselze...@gmail.com> wrote:
>
> > It has already been fixed by the end of 2024, however, we need a new
> > release to promote it.
> >
> > On Wed, Feb 19, 2025, 12:40 p.m. Yujun Qin <qinyujun.lu...@gmail.com> wrote:
> >
> > > *Dear Apache ZooKeeper Maintainers and Community,*
> > >
> > > I hope this message finds you well. I’m writing to report a critical
> > > security vulnerability affecting *Apache ZooKeeper 3.9.3*, which is
> > > currently dependent on Netty 4.1.113. A newly disclosed CVE
> > > (*CVE-2025-24970*) impacts this version of Netty, and upgrading to
> > > *Netty 4.1.118.Final* (or a later secure version) is required to
> > > resolve the issue.
> > >
> > > *Details of the Issue*
> > >
> > > - *CVE ID*: CVE-2025-24970
> > >   <https://nvd.nist.gov/vuln/detail/CVE-2025-24970>
> > > - *Affected ZooKeeper Version*: 3.9.3
> > > - *Vulnerable Dependency*: Netty 4.1.113
> > > - *Impact*: When a specially crafted packet is received via SslHandler
> > >   it doesn't correctly handle validation of such a packet in all cases,
> > >   which can lead to a native crash.
> > > - *Fix*: Upgrade Netty to *4.1.118.Final* (or the version addressing
> > >   this CVE).
> > >
> > > *Request*
> > >
> > > Given the severity of this vulnerability, could the team prioritize
> > > releasing a patched version of ZooKeeper (e.g., *3.9.4*) with the
> > > updated Netty dependency? This would help mitigate risks for users
> > > running ZooKeeper in production environments.
> > >
> > > *Additional Notes*
> > >
> > > - If there’s an existing patch or workaround, please share guidance
> > >   with the community.
> > > - I’m happy to assist with testing or providing further details if
> > >   needed.
> > >
> > > Thank you for your ongoing work on ZooKeeper, and I appreciate your
> > > urgent attention to this matter.
> > >
> > > Best regards,
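A defender-side check for the situation the thread describes, added here as an example and not code from any of the participants or from the ZooKeeper project: it scans constructed `mvn dependency:list`-style lines and flags `io.netty` artifacts below 4.1.118.Final, the first release the thread names as containing the fix for CVE-2025-24970. The line format and the choice to treat non-Final qualifiers as unpatched are assumptions.

```python
import re

# First Netty release stated in the thread as containing the fix for CVE-2025-24970.
FIXED_NETTY = "4.1.118.Final"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?$")
# Line shape modelled on `mvn dependency:list` output (an assumption, not ZK tooling).
_DEP_RE = re.compile(r"^\[INFO\]\s+io\.netty:([\w.-]+):jar:([\w.-]+):")


def parse_version(version):
    """Turn '4.1.118.Final' into a comparable tuple.

    A non-Final qualifier (e.g. a pre-release) sorts below Final of the same
    base, so it is conservatively treated as not yet patched (assumption).
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Netty version: {version!r}")
    major, minor, patch, qualifier = m.groups()
    is_final = qualifier is None or qualifier == "Final"
    return (int(major), int(minor), int(patch), 1 if is_final else 0)


def is_vulnerable(version, fixed=FIXED_NETTY):
    """True when `version` predates the first patched release."""
    return parse_version(version) < parse_version(fixed)


def find_vulnerable_netty(dependency_list, fixed=FIXED_NETTY):
    """Return (artifact, version) for every io.netty jar below `fixed`."""
    hits = []
    for line in dependency_list.splitlines():
        m = _DEP_RE.match(line)
        if m and is_vulnerable(m.group(2), fixed):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample: the 4.1.113 dependency reported for ZooKeeper 3.9.3,
# plus an already-upgraded artifact, so both outcomes are exercised.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    io.netty:netty-handler:jar:4.1.113.Final:compile
[INFO]    io.netty:netty-transport-native-epoll:jar:4.1.113.Final:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO]    io.netty:netty-common:jar:4.1.118.Final:compile
"""

if __name__ == "__main__":
    for artifact, version in find_vulnerable_netty(SAMPLE_DEPENDENCY_LIST):
        print(f"CVE-2025-24970: {artifact} {version} is below {FIXED_NETTY}")
```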