Hi all, I'd like to discuss initiating the next set of Pulsar releases (3.0.10, 3.3.5, and 4.0.3) due to a recently disclosed high-severity security vulnerability in Netty (CVE-2025-24970). Netty has released version 4.1.118.Final which contains the fix.
The CVE-2025-24970 vulnerability details [1] summarized:
- A specially crafted packet received via SslHandler can lead to a native crash when using native SSLEngine
- Due to the crash behavior, this is categorized as a denial-of-service vulnerability
- This impacts Pulsar brokers and proxies that use native SSL implementation (default setting)
- CVSS Score: 7.5 (High)
- Fixed in Netty 4.1.118.Final

While this primarily affects broker and proxy components, many enterprise users will need an updated client due to vulnerability scanning and security policies that flag the vulnerable Netty dependency.

Important reminder: As documented in the Apache Pulsar Helm chart (https://github.com/apache/pulsar-helm-chart?tab=readme-ov-file#pulsar-proxy-security-considerations), Pulsar components including the Pulsar Proxy are not designed for direct exposure to the public internet. Deployments should be protected by appropriate network perimeter security measures. This architectural assumption is particularly relevant given the nature of this vulnerability.

I propose the following timeline:
- Release candidates by February 14th, 2025
- Releases by February 21st, 2025

I'm volunteering to be the release manager for these releases. Please let me know if you have any concerns or feedback on this plan.

Best regards,
Lari Hotari

1 - For technical details on CVE-2025-24970, see: https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw
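The mail notes that enterprise users will be chasing this Netty dependency through vulnerability scanners. The following is an added example, not code from the original mail or from the Pulsar project: a small Python check that walks a directory of jars (for instance a Pulsar broker, proxy or client `lib/` directory), reports every Netty 4.x artifact older than the 4.1.118.Final fix version named in the mail, and notes whether a netty-tcnative jar (the native SSL provider the advisory concerns) is present. Assumptions: jar names follow Maven's `<artifactId>-<version>.jar` layout, optionally prefixed with the `io.netty-` group id as in Pulsar's lib directory; netty-tcnative artifacts follow their own 2.0.x version line and are therefore excluded from the version comparison; the sample jar names are constructed for the demonstration. Because the mail gives only the fixed version, anything older is flagged for review rather than asserted to be exploitable.

```python
import re
from pathlib import Path
from typing import Iterable

# Fixed version named in the release proposal and the Netty advisory.
FIXED_VERSION = "4.1.118.Final"

# Matches "netty-handler-4.1.117.Final.jar" and, optionally, the group-id prefixed
# "io.netty-netty-handler-4.1.117.Final.jar" form (assumed Pulsar lib/ naming).
# Jars with a classifier suffix (e.g. "-linux-x86_64") deliberately do not match.
NETTY_JAR_RE = re.compile(
    r"^(?:io\.netty-)?(netty-[a-z0-9-]+?)-(\d+\.\d+\.\d+)(?:\.(\w+))?\.jar$"
)

# netty-tcnative is versioned separately (2.0.x); comparing it against 4.1.118 is meaningless.
EXCLUDED_ARTIFACT_PREFIXES = ("netty-tcnative",)


def parse_version(version: str) -> tuple:
    """Turn '4.1.117.Final' into (4, 1, 117, 'Final') so versions compare numerically."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\w+))?$", version)
    if not m:
        raise ValueError(f"unrecognised Netty version string: {version}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch), qualifier or "")


def is_fixed(version: str) -> bool:
    """True if the numeric part of version is >= 4.1.118 (qualifier ignored)."""
    return parse_version(version)[:3] >= parse_version(FIXED_VERSION)[:3]


def scan_jar_names(names: Iterable[str]) -> list:
    """Return one finding per recognised Netty core jar: artifact, version, fixed flag."""
    findings = []
    for name in names:
        m = NETTY_JAR_RE.match(Path(name).name)
        if not m:
            continue
        artifact, numeric, qualifier = m.groups()
        if artifact.startswith(EXCLUDED_ARTIFACT_PREFIXES):
            continue
        version = f"{numeric}.{qualifier}" if qualifier else numeric
        findings.append(
            {"jar": name, "artifact": artifact, "version": version, "fixed": is_fixed(version)}
        )
    return findings


def vulnerable_jars(names: Iterable[str]) -> list:
    """Findings for Netty jars older than the fix version (flagged for review)."""
    return [f for f in scan_jar_names(names) if not f["fixed"]]


def has_native_tls_provider(names: Iterable[str]) -> bool:
    """True if a netty-tcnative jar is present, i.e. the native SSLEngine can be selected.

    Presence only means the provider is available; whether it is actually used
    depends on the deployment's TLS configuration (assumption stated in the lead-in).
    """
    return any("netty-tcnative" in Path(n).name for n in names)


def scan_directory(lib_dir: str) -> list:
    """Scan every *.jar directly under lib_dir."""
    return scan_jar_names(str(p) for p in Path(lib_dir).glob("*.jar"))


# Constructed sample jar names (not taken from a real Pulsar distribution).
SAMPLE_JARS = [
    "lib/io.netty-netty-handler-4.1.117.Final.jar",
    "lib/io.netty-netty-codec-http-4.1.118.Final.jar",
    "lib/io.netty-netty-tcnative-boringssl-static-2.0.69.Final-linux-x86_64.jar",
    "lib/org.slf4j-slf4j-api-2.0.13.jar",
]

if __name__ == "__main__":
    for f in scan_jar_names(SAMPLE_JARS):
        status = "ok" if f["fixed"] else f"REVIEW (< {FIXED_VERSION})"
        print(f"{f['artifact']:<24} {f['version']:<16} {status}")
    print("native TLS provider jar present:", has_native_tls_provider(SAMPLE_JARS))
```

Point `scan_directory()` at a real `lib/` directory to run it against an installation; an empty `vulnerable_jars()` result together with `has_native_tls_provider()` tells you whether the native-SSL code path the advisory describes is even shipped in that component.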