[
https://issues.apache.org/jira/browse/SOLR-17922?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Smiley resolved SOLR-17922.
---------------------------------
Fix Version/s: 9.11
Resolution: Fixed
This is addressed in Solr 9.11 (if not an earlier version; I didn't look)
https://github.com/apache/solr/blob/d5013a99a1457ce0c2cfd2952c7d44abc4b18aa3/versions.props#L30
> Upgrade netty jar to fix CVE-2025-58057 , CVE-2025-58056 , CVE-2025-24970
> -------------------------------------------------------------------------
>
> Key: SOLR-17922
> URL: https://issues.apache.org/jira/browse/SOLR-17922
> Project: Solr
> Issue Type: Improvement
> Affects Versions: 9.8.1, 9.9.0
> Reporter: Dhoka Pramod
> Priority: Major
> Fix For: 9.11
>
>
> CVE ID: CVE-2025-58057 , CVE-2025-58056 , CVE-2025-24970
> Affected solr Version: 9.8.x , 9.9.0
> Vulnerable Dependency: Netty 4.1.114
> Impact: Netty is an asynchronous event-driven network application framework
> for development of maintainable high performance protocol servers and
> clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final,
> Netty incorrectly accepts standalone newline characters (LF) as a chunk-size
> line terminator, regardless of a preceding carriage return (CR), instead of
> requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies
> that parse LF differently (treating it as part of the chunk extension),
> attackers can craft requests that the proxy sees as one request but Netty
> processes as two, enabling request smuggling attacks.
> Fix : This is fixed in versions 4.1.125.Final and 4.2.5.Final.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
