Hello Sachin,

Netty has been upgraded on branch-3.9:
https://github.com/apache/zookeeper/blob/branch-3.9/pom.xml#L562

Logback has been upgraded on the master branch:
https://github.com/apache/zookeeper/blob/master/pom.xml#L554

There was a prior decision not to upgrade Logback from 1.2 to 1.3 within the ZooKeeper 3.9 release line due to compatibility concerns. There are no firm plans yet for either a 3.9.4 release (which would give you the Netty upgrade) or a 3.10.0 release (which would give you both the Netty and Logback upgrades). There has been some informal discussion, though, about the need for new releases. I recommend watching the [email protected] mailing list if you'd like to see status updates when the plan comes together.

Chris Nauroth

On Fri, Mar 21, 2025 at 7:01 AM Sachin Jangle <[email protected]> wrote:
> Hi Team,
>
> The following vulnerabilities have been reported in ZooKeeper dependent (3rd party) libraries for version 3.9.3.
> Is there a release planned to update the dependency libraries?
>
> CVE-2025-24970 netty-handler Fixed in version 4.1.118.Final
> CVE-2024-12801 logback-core Fixed in 1.3.15 and 1.5.13
> GHSA-pr98-23f8-jwxv (CVE-2024-12798) logback-core Fixed in 1.3.15 and 1.5.13
> GHSA-6v67-2wr5-gvf4 (CVE-2024-12798) logback-core Fixed in 1.3.15 and 1.5.13
> CVE-2024-12798 logback-core Fixed in 1.3.15 and 1.5.13
> CVE-2024-12801 logback-core Fixed in 1.3.15 and 1.5.13
>
> Thanks,
> Sachin Jangle
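As an added example (not ZooKeeper project code and not written by either participant in this thread): a small Python check that reads `mvn dependency:list` output, extracts the resolved versions of the two artifacts discussed above, and reports any that are still below the fixed versions quoted in the thread. The fixed versions and CVE ids come from the message; the sample dependency lines and the versions in them are constructed placeholders, not what ZooKeeper 3.9.3 actually resolves. The line regex and the "same release line" rule are assumptions about how to match, not project tooling.

```python
"""Compare resolved Maven dependency versions against known fixed versions.

Added example, not ZooKeeper project code. Fixed versions and CVE ids are
those quoted in the thread; the sample dependency lines below are constructed
and their versions are hypothetical placeholders.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed versions per artifact, as listed in the thread. logback-core has
# two fixed release lines (1.3.15 for 1.3.x and 1.5.13 for 1.5.x).
# Each entry: list of (fixed_version, advisory ids).
FIXED: Dict[str, List[Tuple[str, str]]] = {
    "io.netty:netty-handler": [("4.1.118.Final", "CVE-2025-24970")],
    "ch.qos.logback:logback-core": [
        ("1.3.15", "CVE-2024-12798, CVE-2024-12801"),
        ("1.5.13", "CVE-2024-12798, CVE-2024-12801"),
    ],
}

# Constructed sample of `mvn dependency:list` output (group:artifact:type:version:scope).
# The versions here are placeholders chosen to exercise the check.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    io.netty:netty-handler:jar:4.1.113.Final:compile
[INFO]    ch.qos.logback:logback-core:jar:1.2.13:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.30:compile
"""

# Assumed line shape; newer Maven versions may append " -- module ..." which the
# optional trailing group tolerates.
DEP_LINE = re.compile(r"^\[INFO\]\s+([^:\s]+):([^:\s]+):[^:\s]+:([^:\s]+):\w+(\s.*)?$")


def parse_dependency_list(text: str) -> Dict[str, str]:
    """Return {"group:artifact": version} for every dependency line in the output."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = DEP_LINE.match(line.strip())
        if m:
            found[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return found


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components for ordering; qualifiers such as 'Final' are ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def same_release_line(version: str, fixed: str) -> bool:
    """True when the first two numeric components match (1.3.x versus 1.3.15)."""
    return version_key(version)[:2] == version_key(fixed)[:2]


def vulnerable_dependencies(resolved: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (artifact, resolved, required, advisories) for each artifact below its fix.

    If the resolved version shares a release line with a fixed version, compare
    within that line; otherwise require the lowest fixed version (logback 1.2.x
    has no fixed release of its own, so it must move to 1.3.15 or later).
    """
    findings = []
    for artifact, fixes in FIXED.items():
        current = resolved.get(artifact)
        if current is None:
            continue
        in_line = [f for f in fixes if same_release_line(current, f[0])]
        target = in_line[0] if in_line else min(fixes, key=lambda f: version_key(f[0]))
        if version_key(current) < version_key(target[0]):
            findings.append((artifact, current, target[0], target[1]))
    return findings


if __name__ == "__main__":
    resolved = parse_dependency_list(SAMPLE_DEPENDENCY_LIST)
    for artifact, current, required, advisories in vulnerable_dependencies(resolved):
        print(f"{artifact} {current} is below {required} ({advisories})")
```

Run it against real output by piping `mvn dependency:list` into `parse_dependency_list` instead of the constructed sample; a fix to a transitive dependency only counts once the version your build actually resolves is at or above the listed fixed version, which is what this check reports.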
