[
https://issues.apache.org/jira/browse/ZOOKEEPER-4897?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kezhu Wang updated ZOOKEEPER-4897:
----------------------------------
Fix Version/s: 3.10.0
> Upgrade Netty to fix CVE-2025-24970 in ZooKeeper 3.9.3
> ------------------------------------------------------
>
> Key: ZOOKEEPER-4897
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4897
> Project: ZooKeeper
> Issue Type: Task
> Reporter: Jim Qin
> Assignee: Jim Qin
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.10.0, 3.9.4
>
> Time Spent: 3h 10m
> Remaining Estimate: 0h
>
> h3. *Details of the Issue*
> * {*}CVE ID{*}:
> [CVE-2025-24970|https://nvd.nist.gov/vuln/detail/CVE-2025-24970]
> * {*}Affected ZooKeeper Version{*}: 3.9.3
> * {*}Vulnerable Dependency{*}: Netty 4.1.113
> * {*}Impact{*}: When a special crafted packet is received via SslHandler it
> doesn't correctly handle validation of such a packet in all cases which can
> lead to a native crash.
> * {*}Fix{*}: Upgrade Netty to *4.1.118.Final* (or the version addressing
> this CVE).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
