[
https://issues.apache.org/jira/browse/SOLR-17922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18056390#comment-18056390
]
Dhoka Pramod commented on SOLR-17922:
-------------------------------------
any update on this ?
> Upgrade netty jar to fix CVE-2025-58057 , CVE-2025-58056 , CVE-2025-24970
> -------------------------------------------------------------------------
>
> Key: SOLR-17922
> URL: https://issues.apache.org/jira/browse/SOLR-17922
> Project: Solr
> Issue Type: Improvement
> Affects Versions: 9.8.1, 9.9.0
> Reporter: Dhoka Pramod
> Priority: Major
>
> CVE ID: CVE-2025-58057 , CVE-2025-58056 , CVE-2025-24970
> Affected solr Version: 9.8.x , 9.9.0
> Vulnerable Dependency: Netty 4.1.114
> Impact: Netty is an asynchronous event-driven network application framework
> for development of maintainable high performance protocol servers and
> clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final,
> Netty incorrectly accepts standalone newline characters (LF) as a chunk-size
> line terminator, regardless of a preceding carriage return (CR), instead of
> requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies
> that parse LF differently (treating it as part of the chunk extension),
> attackers can craft requests that the proxy sees as one request but Netty
> processes as two, enabling request smuggling attacks.
> Fix : This is fixed in versions 4.1.125.Final and 4.2.5.Final.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
