[
https://issues.apache.org/jira/browse/SPARK-53436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18017130#comment-18017130
]
Bjørn Jørgensen commented on SPARK-53436:
-----------------------------------------
I'm working on a PR for this one https://github.com/apache/spark/pull/52181
> Upgrade Netty to 4.1.124.Final
> ------------------------------
>
> Key: SPARK-53436
> URL: https://issues.apache.org/jira/browse/SPARK-53436
> Project: Spark
> Issue Type: Task
> Components: Build
> Affects Versions: 3.5.6, 4.0.0
> Reporter: Jota Martos
> Priority: Major
>
> Upgrade Netty to 4.1.124.Final in order to fix CVE-2025-55163.
> Netty is an asynchronous, event-driven network application framework. Prior
> to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to
> MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol,
> that uses malformed HTTP/2 control frames in order to break the max
> concurrent streams limit - which results in resource exhaustion and
> distributed denial of service. This issue has been patched in versions
> 4.1.124.Final and 4.2.4.Final.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
