3.3.5-candidate-2 and 4.0.3-candidate-2 have now been made ready for voting. 3.0.10-candidate-1 voting continues.
Please vote on the 3.0.10, 3.3.5 and 4.0.3 releases so that we get the CVE fix published:

* [VOTE] Release Apache Pulsar 3.0.10 based on 3.0.10-candidate-1 - https://lists.apache.org/thread/62jh7sj666mq2plr1rmlj7qrfx4zdj4x
* [VOTE] Release Apache Pulsar 3.3.5 based on 3.3.5-candidate-2 - https://lists.apache.org/thread/vwgzdqybtrd4vny87c9qz1t6yqo4v6kz
* [VOTE] Release Apache Pulsar 4.0.3 based on 4.0.3-candidate-2 - https://lists.apache.org/thread/81ownrk38w692wfvhpp5f689dvo8vs5n

-Lari

On 2025/02/12 08:52:50 Lari Hotari wrote:
> Hi all,
>
> I'd like to discuss initiating the next set of Pulsar releases
> (3.0.10, 3.3.5, and 4.0.3) due to a recently disclosed high-severity
> security vulnerability in Netty (CVE-2025-24970). Netty has released
> version 4.1.118.Final which contains the fix.
>
> The CVE-2025-24970 vulnerability details [1] summarized:
> - A specially crafted packet received via SslHandler can lead to a
>   native crash when using native SSLEngine
> - Due to the crash behavior, this is categorized as a
>   denial-of-service vulnerability
> - This impacts Pulsar brokers and proxies that use native SSL
>   implementation (default setting)
> - CVSS Score: 7.5 (High)
> - Fixed in Netty 4.1.118.Final
>
> While this primarily affects broker and proxy components, many
> enterprise users will need an updated client due to vulnerability
> scanning and security policies that flag the vulnerable Netty
> dependency.
>
> Important reminder: As documented in the Apache Pulsar Helm chart
> (https://github.com/apache/pulsar-helm-chart?tab=readme-ov-file#pulsar-proxy-security-considerations),
> Pulsar components including the Pulsar Proxy are not designed for
> direct exposure to the public internet. Deployments should be
> protected by appropriate network perimeter security measures. This
> architectural assumption is particularly relevant given the nature of
> this vulnerability.
>
> I propose the following timeline:
> - Release candidates by February 14th, 2025
> - Releases by February 21st, 2025
>
> I'm volunteering to be the release manager for these releases.
> Please let me know if you have any concerns or feedback on this plan.
>
> Best regards,
>
> Lari Hotari
>
> 1 - For technical details on CVE-2025-24970, see:
> https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw
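The quoted message notes that scanners will flag any deployment still carrying a Netty release below 4.1.118.Final, whether or not native SSL is actually in use. The script below is an added example, not part of the thread or of the Pulsar project: it audits a Pulsar `lib/` directory listing for Netty 4.1.x artifacts older than the fixed release. It assumes the `groupId-artifactId-version.jar` file naming that Pulsar's distribution uses (for example `io.netty-netty-handler-4.1.117.Final.jar`); the sample listing is constructed for the demo. `netty-tcnative` jars are skipped because they follow a separate 2.0.x versioning line and the advisory's fix lands in the 4.1.118.Final core artifacts. A passing audit only shows the vulnerable library is gone from the classpath; it says nothing about whether the broker or proxy is reachable by untrusted peers, which is the point of the Helm chart reminder.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Fixed release named in the Netty advisory quoted in the thread.
FIXED_VERSION = "4.1.118.Final"

# Assumed Pulsar lib/ naming: io.netty-<artifact>-<major.minor.patch>.Final.jar
JAR_RE = re.compile(r"^io\.netty-(netty-[a-z0-9-]+)-(\d+\.\d+\.\d+\.Final)\.jar$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """'4.1.118.Final' -> (4, 1, 118); rejects anything else so odd names are not silently compared."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.Final", version)
    if m is None:
        raise ValueError(f"unexpected Netty version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def netty_artifacts(jar_names: Iterable[str]) -> Dict[str, str]:
    """Map Netty core artifact name -> version for every matching jar in the listing."""
    found: Dict[str, str] = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m is None:
            continue
        artifact, version = m.groups()
        # tcnative is versioned on its own 2.0.x line; not the artifact the advisory fixes.
        if artifact.startswith("netty-tcnative"):
            continue
        found[artifact] = version
    return found


def vulnerable_artifacts(jar_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs older than FIXED_VERSION, sorted by artifact name."""
    fixed = parse_version(FIXED_VERSION)
    hits = [
        (artifact, version)
        for artifact, version in netty_artifacts(jar_names).items()
        if parse_version(version) < fixed
    ]
    return sorted(hits)


def audit_lib_dir(path: str) -> List[Tuple[str, str]]:
    """Audit a real Pulsar lib/ directory on disk (e.g. /pulsar/lib inside the container)."""
    return vulnerable_artifacts(os.listdir(path))


# Constructed sample listing: a 4.0.2-era lib/ where only netty-buffer has been bumped.
SAMPLE_LIB = [
    "io.netty-netty-handler-4.1.117.Final.jar",
    "io.netty-netty-codec-http-4.1.117.Final.jar",
    "io.netty-netty-buffer-4.1.118.Final.jar",
    "io.netty-netty-tcnative-boringssl-static-2.0.69.Final.jar",
    "org.apache.pulsar-pulsar-broker-4.0.2.jar",
]

if __name__ == "__main__":
    for artifact, version in vulnerable_artifacts(SAMPLE_LIB):
        print(f"VULNERABLE {artifact} {version} < {FIXED_VERSION}")
```

Run it against a live installation with `python3 audit.py` after swapping `SAMPLE_LIB` for `audit_lib_dir("/pulsar/lib")`; a mixed listing like the sample (one artifact upgraded, the rest not) is exactly the state a partial dependency override leaves behind, and the audit reports each lagging artifact separately so that case is visible.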