Hi Colin, Thanks for the heads-up. We just committed the upgrade of Netty on master and branch-3.8: https://github.com/apache/zookeeper/pull/2019
That means the new Netty version can be expected in 3.9.0 and 3.8.2 versions of ZooKeeper soon. I think we should backport it to branch-3.7 too, however it's going to be EoL soon. 3.6 is not maintained anymore, so I don't expect it to be upgraded and new release issued. Andor On Wed, 2023-06-21 at 12:58 +0100, Colvin Cowie wrote: > Hello > > CVE-2023-34462 for Netty has been announced yesterday and there's a > new > release of Netty that patches it. There's a GH advisory for it > https://github.com/advisories/GHSA-6mjq-h674-j845. > > Is SNI enabled (by default) in ZooKeeper? > Can the version of netty included in existing releases of ZooKeeper > be > replaced without code changes? I see 3.6.2 and later all include > Netty > 4.1.86, > > Thanks > Colvin