please unsubscribe
________________________________
发件人: Jim Qin (Jira) <j...@apache.org>
发送时间: 2025年2月23日 23:04
收件人: dev@zookeeper.apache.org <dev@zookeeper.apache.org>
主题: [jira] [Created] (ZOOKEEPER-4897) Upgrade Netty to fix CVE-2025-24970 in
ZooKeeper 3.9.3
Jim Qin created ZOOKEEPER-4897:
----------------------------------
Summary: Upgrade Netty to fix CVE-2025-24970 in ZooKeeper 3.9.3
Key: ZOOKEEPER-4897
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4897
Project: ZooKeeper
Issue Type: Improvement
Reporter: Jim Qin
Fix For: 3.9.4
h3. *Details of the Issue*
* {*}CVE ID{*}:
[CVE-2025-24970|https://nvd.nist.gov/vuln/detail/CVE-2025-24970]
* {*}Affected ZooKeeper Version{*}: 3.9.3
* {*}Vulnerable Dependency{*}: Netty 4.1.113
* {*}Impact{*}: When a special crafted packet is received via SslHandler it
doesn't correctly handle validation of such a packet in all cases which can
lead to a native crash.
* {*}Fix{*}: Upgrade Netty to *4.1.118.Final* (or the version addressing this
CVE).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
