Dhoka Pramod created ZOOKEEPER-5041:
---------------------------------------
Summary: Upgrade Netty to fix CVE-2026-33870
Key: ZOOKEEPER-5041
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5041
Project: ZooKeeper
Issue Type: Improvement
Affects Versions: 3.9.5
Reporter: Dhoka Pramod
Fix For: 3.9.6
*Affected Component(s):* Netty Project
*Vulnerable Dependency:* Netty 4.1.130
*Fix:* Upgrade Netty to 4.1.132.Final (or the version addressing this CVE).
*Summary:*
Netty is an asynchronous, event-driven network application framework. In
versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses
quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling
request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the
issue.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
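
The version check implied by the summary above, as an added example that is not part of the original Jira message or of ZooKeeper's code: it flags Netty jars older than the fixed release on their own release line, so 4.1.132.Final is not misreported just because it sorts below 4.2.10.Final. Assumptions: the function names are hypothetical, jars follow the usual netty-<module>-<version>.<qualifier>[-<classifier>].jar naming, netty-tcnative is skipped because it carries its own 2.x version numbers, and the sample file list is constructed.

```python
import re

# Fixed releases named in the issue text, keyed by (major, minor) release line.
FIXED = {(4, 1): (4, 1, 132), (4, 2): (4, 2, 10)}

# Assumed naming: netty-<module>-<maj>.<min>.<patch>.<qualifier>[-<classifier>].jar
JAR_RE = re.compile(
    r"^(netty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)\.[A-Za-z0-9]+(?:-[\w.-]+)?\.jar$")

def parse_jar(name):
    """Return (artifact, (major, minor, patch)), or None if not a Netty jar name."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.groups()[1:])

def is_affected(version):
    """True if the version is prior to the fixed release on its release line."""
    line = version[:2]
    if line in FIXED:
        return version < FIXED[line]
    # Lines older than 4.1 predate both fixes. Assumption: lines newer than
    # 4.2 already contain the fix.
    return line < (4, 1)

def scan(jar_names):
    """Return [(jar name, minimum fixed version)] for every affected Netty jar."""
    findings = []
    for name in jar_names:
        parsed = parse_jar(name)
        # netty-tcnative is versioned separately from Netty itself; skip it.
        if parsed is None or parsed[0].startswith("netty-tcnative"):
            continue
        version = parsed[1]
        if is_affected(version):
            target = FIXED.get(version[:2], FIXED[(4, 1)])
            findings.append((name, ".".join(map(str, target)) + ".Final"))
    return findings

# Constructed sample of a lib/ directory listing (not taken from a real release).
SAMPLE = [
    "netty-handler-4.1.130.Final.jar",
    "netty-transport-native-epoll-4.1.130.Final-linux-x86_64.jar",
    "netty-codec-http-4.1.132.Final.jar",
    "netty-buffer-4.2.9.Final.jar",
    "netty-tcnative-boringssl-static-2.0.70.Final.jar",
    "zookeeper-3.9.5.jar",
]

if __name__ == "__main__":
    for jar, target in scan(SAMPLE):
        print(f"{jar}: upgrade to at least {target}")
```

To audit a real installation, pass the output of os.listdir() for the lib directory to scan() in place of SAMPLE.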