FYI OWASP jobs are failing: https://ci-hadoop.apache.org/view/ZooKeeper/job/zookeeper-multi-branch-owasp/

18:41:17 [ERROR] netty-common-4.1.115.Final.jar: CVE-2025-25193(5.7)
18:41:17 [ERROR] netty-handler-4.1.115.Final.jar: CVE-2025-24970(7.5)

Thanks for the ping Yujun Qin - can you create a JIRA and submit a PR for this?

Regards,
Patrick

On Wed, Feb 19, 2025 at 9:40 AM Yujun Qin <qinyujun.lu...@gmail.com> wrote:
> *Dear Apache ZooKeeper Maintainers and Community,*
>
> I hope this message finds you well. I'm writing to report a critical
> security vulnerability affecting *Apache ZooKeeper 3.9.3*, which is
> currently dependent on Netty 4.1.113. A newly disclosed CVE
> (*CVE-2025-24970*) impacts this version of Netty, and upgrading to
> *Netty 4.1.118.Final* (or a later secure version) is required to resolve
> the issue.
>
> *Details of the Issue*
>
> - *CVE ID*: CVE-2025-24970
>   <https://nvd.nist.gov/vuln/detail/CVE-2025-24970>
> - *Affected ZooKeeper Version*: 3.9.3
> - *Vulnerable Dependency*: Netty 4.1.113
> - *Impact*: When a specially crafted packet is received via SslHandler it
>   doesn't correctly handle validation of such a packet in all cases, which
>   can lead to a native crash.
> - *Fix*: Upgrade Netty to *4.1.118.Final* (or the version addressing this
>   CVE).
>
> *Request*
>
> Given the severity of this vulnerability, could the team prioritize
> releasing a patched version of ZooKeeper (e.g., *3.9.4*) with the updated
> Netty dependency? This would help mitigate risks for users running
> ZooKeeper in production environments.
>
> *Additional Notes*
>
> - If there's an existing patch or workaround, please share guidance with
>   the community.
> - I'm happy to assist with testing or providing further details if needed.
>
> Thank you for your ongoing work on ZooKeeper, and I appreciate your urgent
> attention to this matter.
>
> Best regards,
>
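The failing OWASP job above prints one `[ERROR] <jar>: <CVE>(<score>)` line per finding, and the thread states one fixed version (Netty 4.1.118.Final for CVE-2025-24970). As an added example, not code from the ZooKeeper project or from either poster, the script below parses those CI log lines, splits each jar name into artifact and version, and decides per finding whether the jar is below a known fixed version, already at or above it, or needs manual triage because no fixed version is recorded. The two log lines are the ones quoted in the thread; the `FIXED_VERSIONS` table is constructed here (only the CVE-2025-24970 entry comes from the thread; CVE-2025-25193 is deliberately left as "unknown"), and the version comparison ignores qualifiers such as `Final`, which is a simplification.

```python
"""Triage OWASP dependency-check CI output against known fixed versions.

Added example (not ZooKeeper or OWASP project code). Assumes the
`[ERROR] <artifact>-<version>.jar: <CVE>(<score>)` line shape seen in the
failing job; everything in FIXED_VERSIONS except CVE-2025-24970 is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two findings quoted from the failing OWASP job plus
# one unrelated INFO line that the parser must ignore.
SAMPLE_LOG = """\
18:41:17 [ERROR] netty-common-4.1.115.Final.jar: CVE-2025-25193(5.7)
18:41:17 [ERROR] netty-handler-4.1.115.Final.jar: CVE-2025-24970(7.5)
18:41:18 [INFO] dependency-check finished
"""

# CVE -> version that fixes it. Only the CVE-2025-24970 entry is stated in the
# thread; None marks "no fixed version known here, triage by hand".
FIXED_VERSIONS: dict = {
    "CVE-2025-24970": "4.1.118.Final",
    "CVE-2025-25193": None,
}

# Artifact names may contain dashes, so the artifact group is non-greedy and the
# version group must start with a digit; qualifiers like ".Final" are optional.
LINE_RE = re.compile(
    r"\[ERROR\]\s+(?P<artifact>[A-Za-z0-9_.-]+?)-"
    r"(?P<version>\d+(?:\.\d+)*(?:\.[A-Za-z]+\w*)?)\.jar:\s+"
    r"(?P<cve>CVE-\d{4}-\d{4,})\((?P<score>\d+(?:\.\d+)?)\)"
)


def version_key(version: str) -> tuple:
    """Numeric components only, so 4.1.115.Final -> (4, 1, 115).
    Simplification: qualifiers are dropped, so 4.1.118 == 4.1.118.Final."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


@dataclass(frozen=True)
class Finding:
    artifact: str
    version: str
    cve: str
    score: float
    action: str  # "upgrade to <v>", "already fixed" or "triage"


def triage(log: str, fixed: dict) -> list:
    """Parse every [ERROR] finding line and attach an action to each."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # INFO/WARN lines and anything not in the finding shape
        version, cve = m["version"], m["cve"]
        fixed_in: Optional[str] = fixed.get(cve)
        if fixed_in is None:
            action = "triage"
        elif version_key(version) < version_key(fixed_in):
            action = f"upgrade to {fixed_in}"
        else:
            action = "already fixed"
        findings.append(Finding(m["artifact"], version, cve, float(m["score"]), action))
    return findings


def upgrade_targets(findings: list) -> dict:
    """Per artifact, the highest fixed version that any finding demands."""
    targets: dict = {}
    for f in findings:
        if not f.action.startswith("upgrade to "):
            continue
        target = f.action[len("upgrade to "):]
        if f.artifact not in targets or version_key(target) > version_key(targets[f.artifact]):
            targets[f.artifact] = target
    return targets


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, FIXED_VERSIONS)
    for f in sorted(results, key=lambda f: -f.score):
        print(f"{f.cve} ({f.score}) {f.artifact} {f.version}: {f.action}")
    print("upgrade targets:", upgrade_targets(results))
```

Sorting by CVSS score puts the 7.5 SslHandler finding first, and `upgrade_targets` collapses several findings on the same artifact into a single version to pin, which is the number that goes into the JIRA and the PR. A finding whose CVE has no recorded fixed version is reported as "triage" rather than silently passing, so a gap in the table cannot make the job look clean.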