Sounds good!

Thank you for driving the release process.

On 2025/02/12 08:52:50 Lari Hotari wrote:
> Hi all,
> 
> I'd like to discuss initiating the next set of Pulsar releases
> (3.0.10, 3.3.5, and 4.0.3) due to a recently disclosed high-severity
> security vulnerability in Netty (CVE-2025-24970). Netty has released
> version 4.1.118.Final which contains the fix.
> 
> The CVE-2025-24970 vulnerability details [1] summarized:
> - A specially crafted packet received via SslHandler can lead to a
> native crash when using native SSLEngine
> - Due to the crash behavior, this is categorized as a
> denial-of-service vulnerability
> - This impacts Pulsar brokers and proxies that use native SSL
> implementation (default setting)
> - CVSS Score: 7.5 (High)
> - Fixed in Netty 4.1.118.Final
> 
> While this primarily affects broker and proxy components, many
> enterprise users will need an updated client due to vulnerability
> scanning and security policies that flag the vulnerable Netty
> dependency.
> 
> Important reminder: As documented in the Apache Pulsar Helm chart
> (https://github.com/apache/pulsar-helm-chart?tab=readme-ov-file#pulsar-proxy-security-considerations),
> Pulsar components including the Pulsar Proxy are not designed for
> direct exposure to the public internet. Deployments should be
> protected by appropriate network perimeter security measures. This
> architectural assumption is particularly relevant given the nature of
> this vulnerability.
> 
> I propose the following timeline:
> - Release candidates by February 14th, 2025
> - Releases by February 21st, 2025
> 
> I'm volunteering to be the release manager for these releases.
> Please let me know if you have any concerns or feedback on this plan.
> 
> Best regards,
> 
> Lari Hotari
> 
> 1 - For technical details on CVE-2025-24970, see:
> https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw
> 

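As an added example (not part of this thread or of the Pulsar project), a small check an operator can run against a broker or proxy lib directory to see whether any Netty 4.1.x jar is still below 4.1.118.Final, the version the message above names as fixing CVE-2025-24970. The directory path, the jar-name pattern and the sample listing are assumptions; versions outside the 4.1 line are reported for manual review rather than judged.

```python
import re
from pathlib import Path
from typing import Iterable

# CVE-2025-24970 is fixed in Netty 4.1.118.Final (per the thread above).
FIXED_VERSION = (4, 1, 118)

# Matches Netty artifact file names such as netty-handler-4.1.117.Final.jar
NETTY_JAR = re.compile(
    r"^netty-(?P<module>[a-z0-9-]+)-(?P<version>\d+\.\d+\.\d+(?:\.[A-Za-z0-9]+)?)\.jar$"
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Return the numeric (major, minor, patch) part of e.g. '4.1.118.Final'."""
    major, minor, patch = version.split(".")[:3]
    return int(major), int(minor), int(patch)


def status_for(version: str) -> str:
    """Classify one Netty version against the CVE-2025-24970 fix.

    Assumption: only the 4.1.x line is assessed, because the thread names
    4.1.118.Final as the fix; other lines are returned as 'review'.
    """
    numeric = parse_version(version)
    if numeric[:2] != (4, 1):
        return "review"
    return "vulnerable" if numeric < FIXED_VERSION else "fixed"


def classify_jars(names: Iterable[str]) -> dict[str, tuple[str, str]]:
    """Map each Netty module found in `names` to (version, status)."""
    found = {}
    for name in names:
        m = NETTY_JAR.match(name)
        if m:
            version = m.group("version")
            found[m.group("module")] = (version, status_for(version))
    return found


def scan_lib_dir(lib_dir: str) -> dict[str, tuple[str, str]]:
    """Scan a directory such as a broker's lib/ folder (path is an assumption)."""
    return classify_jars(p.name for p in Path(lib_dir).iterdir())


# Constructed sample listing, not a real deployment: one module left on an old version.
SAMPLE_LIB = [
    "netty-handler-4.1.117.Final.jar",
    "netty-codec-http-4.1.118.Final.jar",
    "netty-buffer-4.2.0.Alpha1.jar",
    "bookkeeper-server-4.16.0.jar",
]

if __name__ == "__main__":
    for module, (version, status) in sorted(classify_jars(SAMPLE_LIB).items()):
        print(f"{module:<20} {version:<16} {status}")
```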