[
https://issues.apache.org/jira/browse/SOLR-17922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18082696#comment-18082696
]
Jalaz Kumar commented on SOLR-17922:
------------------------------------
[~dsmiley] Is this a valid issue? i can raise PR if this is required to be done
or do we rely upon solrbot to close this?
saw some previous PR: https://github.com/apache/solr/pull/2702 that was raised
by solrbot ~2 years back, thus curious.
> Upgrade netty jar to fix CVE-2025-58057 , CVE-2025-58056 , CVE-2025-24970
> -------------------------------------------------------------------------
>
> Key: SOLR-17922
> URL: https://issues.apache.org/jira/browse/SOLR-17922
> Project: Solr
> Issue Type: Improvement
> Affects Versions: 9.8.1, 9.9.0
> Reporter: Dhoka Pramod
> Priority: Major
>
> CVE ID: CVE-2025-58057 , CVE-2025-58056 , CVE-2025-24970
> Affected solr Version: 9.8.x , 9.9.0
> Vulnerable Dependency: Netty 4.1.114
> Impact: Netty is an asynchronous event-driven network application framework
> for development of maintainable high performance protocol servers and
> clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final,
> Netty incorrectly accepts standalone newline characters (LF) as a chunk-size
> line terminator, regardless of a preceding carriage return (CR), instead of
> requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies
> that parse LF differently (treating it as part of the chunk extension),
> attackers can craft requests that the proxy sees as one request but Netty
> processes as two, enabling request smuggling attacks.
> Fix : This is fixed in versions 4.1.125.Final and 4.2.5.Final.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
