I'm confused then: the master, 3.9 and 3.8 branch tips are all failing with OWASP failures (see the link I provided). Also, I had searched our JIRA and PRs before replying and not seen these CVEs referenced. This means they are not fixed, at least not in ZK itself. What am I missing? AFAICT we need JIRA and PRs, then we can cut releases...
Regards,
Patrick

On Wed, Feb 19, 2025 at 9:50 AM Robson Braga <robsonselze...@gmail.com> wrote:
> It has already been fixed by the end of 2024; however, we need a new
> release to promote it.
>
> On Wed, Feb 19, 2025, 12:40 p.m. Yujun Qin <qinyujun.lu...@gmail.com> wrote:
> >
> > *Dear Apache ZooKeeper Maintainers and Community,*
> >
> > I hope this message finds you well. I'm writing to report a critical security vulnerability affecting *Apache ZooKeeper 3.9.3*, which is currently dependent on Netty 4.1.113. A newly disclosed CVE (*CVE-2025-24970*) impacts this version of Netty, and upgrading to *Netty 4.1.118.Final* (or a later secure version) is required to resolve the issue.
> >
> > *Details of the Issue*
> >
> > - *CVE ID*: CVE-2025-24970 <https://nvd.nist.gov/vuln/detail/CVE-2025-24970>
> > - *Affected ZooKeeper Version*: 3.9.3
> > - *Vulnerable Dependency*: Netty 4.1.113
> > - *Impact*: When a specially crafted packet is received via SslHandler, it doesn't correctly handle validation of such a packet in all cases, which can lead to a native crash.
> > - *Fix*: Upgrade Netty to *4.1.118.Final* (or the version addressing this CVE).
> >
> > *Request*
> >
> > Given the severity of this vulnerability, could the team prioritize releasing a patched version of ZooKeeper (e.g., *3.9.4*) with the updated Netty dependency? This would help mitigate risks for users running ZooKeeper in production environments.
> >
> > *Additional Notes*
> >
> > - If there's an existing patch or workaround, please share guidance with the community.
> > - I'm happy to assist with testing or providing further details if needed.
> >
> > Thank you for your ongoing work on ZooKeeper, and I appreciate your urgent attention to this matter.
> >
> > Best regards,
> >
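An added example, not part of this thread and not ZooKeeper or Netty project code: the report above identifies the problem by dependency version (Netty 4.1.113 bundled with ZooKeeper 3.9.3, fixed by upgrading to 4.1.118.Final or later), so the practical check for an operator is to inspect the Netty jars actually shipped in a ZooKeeper installation's lib/ directory and flag any below the fixed version. The jar naming pattern (`netty-<artifact>-<major>.<minor>.<patch>.<qualifier>[-<classifier>].jar`) and the sample directory listing are assumptions constructed for this example; the version threshold is taken from the thread.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

# Threshold from the thread: CVE-2025-24970 is resolved by Netty 4.1.118.Final
# or later, so anything older is reported as needing an upgrade.
NETTY_FIXED_VERSION: Tuple[int, int, int] = (4, 1, 118)

# Assumed jar naming convention for Netty 4 artifacts, e.g.
#   netty-handler-4.1.113.Final.jar
#   netty-transport-native-epoll-4.1.113.Final-linux-x86_64.jar
_NETTY_JAR_RE = re.compile(
    r"^(netty-[a-z0-9-]+?)"          # artifact id (lazy, so it stops before the version)
    r"-(\d+)\.(\d+)\.(\d+)"          # major.minor.patch
    r"(?:\.([A-Za-z0-9]+))?"         # optional qualifier such as Final
    r"(?:-[A-Za-z0-9_]+)*"           # optional classifier such as -linux-x86_64
    r"\.jar$"
)


def parse_netty_jar(filename: str) -> Optional[Tuple[str, Tuple[int, int, int], str]]:
    """Return (artifact, (major, minor, patch), qualifier) for a Netty jar name,
    or None if the file is not a Netty jar."""
    m = _NETTY_JAR_RE.match(filename)
    if not m:
        return None
    artifact = m.group(1)
    version = tuple(int(x) for x in m.group(2, 3, 4))
    qualifier = m.group(5) or ""
    return artifact, version, qualifier


def needs_upgrade(version: Tuple[int, int, int]) -> bool:
    """True when the Netty version is older than the fixed release."""
    return version < NETTY_FIXED_VERSION


def audit_jar_names(filenames: Iterable[str]) -> Dict[str, bool]:
    """Map each Netty jar name to whether it is below the fixed version.
    Non-Netty jars are skipped."""
    findings: Dict[str, bool] = {}
    for name in filenames:
        parsed = parse_netty_jar(name)
        if parsed is None:
            continue
        _artifact, version, _qualifier = parsed
        findings[name] = needs_upgrade(version)
    return findings


def audit_lib_dir(lib_dir: str) -> Dict[str, bool]:
    """Audit a real ZooKeeper lib/ directory on disk."""
    return audit_jar_names(p.name for p in Path(lib_dir).iterdir() if p.is_file())


# Constructed sample listing standing in for a ZooKeeper 3.9.3 lib/ directory
# (the ZooKeeper jar name is illustrative; only the Netty entries are inspected).
SAMPLE_LIB_LISTING = [
    "zookeeper-3.9.3.jar",
    "netty-handler-4.1.113.Final.jar",
    "netty-transport-native-epoll-4.1.113.Final-linux-x86_64.jar",
    "netty-common-4.1.118.Final.jar",
    "slf4j-api-1.7.30.jar",
]


def report(findings: Dict[str, bool]) -> str:
    lines = []
    for name, vulnerable in sorted(findings.items()):
        status = "UPGRADE (below 4.1.118.Final)" if vulnerable else "ok"
        lines.append(f"{name}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_jar_names(SAMPLE_LIB_LISTING)))
```

Point `audit_lib_dir` at the lib/ directory of an installed ZooKeeper to run the same check against real files; a mixed result (some Netty jars at 4.1.118.Final, others still at 4.1.113) is itself a finding, since a partial upgrade leaves the vulnerable SslHandler code path in place.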