[
https://issues.apache.org/jira/browse/ZOOKEEPER-4980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18022088#comment-18022088
]
Aleksandr Nikolaev commented on ZOOKEEPER-4980:
-----------------------------------------------
[~dpramod] updated by me in
https://issues.apache.org/jira/browse/ZOOKEEPER-4976
> Upgrade netty to fix CVE-2025-58057 , CVE-2025-58056
> -----------------------------------------------------
>
> Key: ZOOKEEPER-4980
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4980
> Project: ZooKeeper
> Issue Type: Improvement
> Reporter: Dhoka Pramod
> Priority: Major
>
> CVE ID: CVE-2025-58057, CVE-2025-58056
> Affected ZooKeeper Version: 3.9.4
> Vulnerable Dependency: Netty 4.1.119
> Impact: Netty is an asynchronous event-driven network application framework
> for development of maintainable high performance protocol servers and
> clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final,
> Netty incorrectly accepts standalone newline characters (LF) as a chunk-size
> line terminator, regardless of a preceding carriage return (CR), instead of
> requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies
> that parse LF differently (treating it as part of the chunk extension),
> attackers can craft requests that the proxy sees as one request but Netty
> processes as two, enabling request smuggling attacks.
> Fix: This is fixed in versions 4.1.125.Final and 4.2.5.Final.
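The framing rule in the quoted description (a chunk-size line must end in CRLF, never a standalone LF) can be checked with a strict decoder. The following is an added example, not code from Netty or ZooKeeper or from this issue; the function names and sample bodies are constructed for illustration, and trailer fields after the last chunk are assumed absent.

```python
HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkFramingError(ValueError):
    """Raised when a chunked body violates strict CRLF framing."""


def decode_chunked_strict(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body, rejecting any chunk-size line
    that is not terminated by CRLF."""
    out = bytearray()
    pos = 0
    while True:
        lf = body.find(b"\n", pos)
        if lf == -1:
            raise ChunkFramingError("unterminated chunk-size line")
        # The byte before LF must be CR and must belong to this line.
        if lf == pos or body[lf - 1] != 0x0D:
            raise ChunkFramingError(f"bare LF ends chunk-size line at offset {lf}")
        line = body[pos:lf - 1]
        if b"\r" in line:
            raise ChunkFramingError("stray CR inside chunk-size line")
        # Anything after ';' is a chunk extension and is ignored here.
        size_field = line.split(b";", 1)[0].strip(b" \t")
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ChunkFramingError(f"invalid chunk size {size_field!r}")
        size = int(size_field, 16)
        start = lf + 1
        if size == 0:
            # Assumption: no trailer fields, so the body ends with CRLF here.
            if body[start:start + 2] != b"\r\n":
                raise ChunkFramingError("last chunk not followed by CRLF")
            return bytes(out)
        data = body[start:start + size]
        if len(data) < size or body[start + size:start + size + 2] != b"\r\n":
            raise ChunkFramingError("chunk data not followed by CRLF")
        out += data
        pos = start + size + 2


def is_strictly_framed(body: bytes) -> bool:
    """True if the body decodes under strict CRLF framing."""
    try:
        decode_chunked_strict(body)
        return True
    except ChunkFramingError:
        return False


# Constructed sample bodies: identical except for the first line terminator.
CRLF_BODY = b"5\r\nhello\r\n0\r\n\r\n"
BARE_LF_BODY = b"5\nhello\r\n0\r\n\r\n"
```

A parser that accepts `BARE_LF_BODY` shows the lenient behaviour the description attributes to the affected Netty versions; rejecting it is what keeps the server and any proxy in front of it agreeing on where a chunk-size line ends.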