*Dear Apache ZooKeeper Maintainers and Community,* I have created the JIRA <https://issues.apache.org/jira/browse/ZOOKEEPER-4897> and created PR <https://github.com/apache/zookeeper/pull/2226> to fix this CVE. Could you help review and merge it? May I know when we will have a new version to fix the CVE?
Best regards,

On Wed, Feb 19, 2025 at 23:36, Yujun Qin <qinyujun.lu...@gmail.com> wrote:
> *Dear Apache ZooKeeper Maintainers and Community,*
>
> I hope this message finds you well. I’m writing to report a critical
> security vulnerability affecting *Apache ZooKeeper 3.9.3*, which is
> currently dependent on Netty 4.1.113. A newly disclosed CVE
> (*CVE-2025-24970*) impacts this version of Netty, and upgrading to
> *Netty 4.1.118.Final* (or a later secure version) is required to resolve
> the issue.
>
> *Details of the Issue*
>
> - *CVE ID*: CVE-2025-24970 <https://nvd.nist.gov/vuln/detail/CVE-2025-24970>
> - *Affected ZooKeeper Version*: 3.9.3
> - *Vulnerable Dependency*: Netty 4.1.113
> - *Impact*: When a specially crafted packet is received via SslHandler, it
>   doesn't correctly handle validation of such a packet in all cases, which
>   can lead to a native crash.
> - *Fix*: Upgrade Netty to *4.1.118.Final* (or the version addressing this CVE).
>
> *Request*
>
> Given the severity of this vulnerability, could the team prioritize
> releasing a patched version of ZooKeeper (e.g., *3.9.4*) with the updated
> Netty dependency? This would help mitigate risks for users running
> ZooKeeper in production environments.
>
> *Additional Notes*
>
> - If there’s an existing patch or workaround, please share guidance with
>   the community.
> - I’m happy to assist with testing or providing further details if needed.
>
> Thank you for your ongoing work on ZooKeeper, and I appreciate your urgent
> attention to this matter.
>
> Best regards,
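As an added example (not from this thread and not part of the ZooKeeper project), here is a POSIX shell check an operator can run against a deployed ZooKeeper lib/ directory to find Netty 4.1.x jars older than the 4.1.118.Final fix version named in the report. The jar naming scheme netty-<artifact>-<version>.Final[-<classifier>].jar, the default directory, and the decision to check only the 4.1 line (skipping sibling artifact lines such as netty-tcnative-boringssl-static 2.0.x) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the ZooKeeper project: scan a ZooKeeper lib/
# directory for Netty 4.1.x jars older than the CVE-2025-24970 fix version.
# Jar naming (netty-<artifact>-<version>.Final[-<classifier>].jar) and the
# directory layout are assumptions for this example.

FIXED_NETTY="4.1.118"   # first fixed 4.1.x release named in the report

# Print the numeric major.minor.patch of a Netty jar filename, or nothing if
# the name does not look like netty-<artifact>-<major.minor.patch>...jar.
netty_jar_version() {
  basename "$1" | sed -n 's/^netty-[a-z0-9-]*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\..*$/\1/p'
}

# Exit 0 if version $1 is numerically older than version $2 (component-wise),
# so 4.1.113 < 4.1.118 holds but 4.1.120 and 4.2.0 are not flagged.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1
  }'
}

# Scan directory $1 for vulnerable Netty jars. Prints one line per affected
# jar and returns 1 if any was found, 0 otherwise, so it can gate a deploy
# script. Only the 4.1 line is checked; other Netty artifact lines that ship
# alongside it (e.g. netty-tcnative-boringssl-static 2.0.x) are skipped
# because their version numbers are not comparable with 4.1.118.
netty_check_dir() {
  dir="$1"; found=0
  for jar in "$dir"/netty-*.jar; do
    [ -e "$jar" ] || continue          # unmatched glob: nothing to check
    v=$(netty_jar_version "$jar")
    case "$v" in
      4.1.*) ;;
      *) continue ;;
    esac
    if version_lt "$v" "$FIXED_NETTY"; then
      echo "VULNERABLE: $jar (netty $v < $FIXED_NETTY.Final, CVE-2025-24970)"
      found=1
    fi
  done
  return $found
}

# Usage: sh netty_check.sh /path/to/zookeeper/lib   (path is an assumption)
if [ $# -gt 0 ]; then
  netty_check_dir "$1"
fi
```

The check is deliberately filename-based so it works on a stripped production host without Maven or Java; it will not see a Netty shaded into another jar, so treat a clean result as "no unshaded 4.1.x older than 4.1.118 found", not as proof the host is unaffected.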