ZOOKEEPER-4897 Upgrade Netty to 4.1.119.Final for fix CVE-2025-24970 for master branch #2227

Merged (2 commits) on Mar 2, 2025


helloworld28
Contributor

No description provided.

@helloworld28 changed the title from "Zookeeper-4897 Upgrade Netty to 4.1.118.Final for fix CVE-2025-24970" to "ZOOKEEPER-4897 Upgrade Netty to 4.1.118.Final for fix CVE-2025-24970 for master branch" on Feb 25, 2025
Member

@tisonkun tisonkun left a comment

Thank you!

Member

@kezhuw kezhuw left a comment

There is a patch netty/netty@dc6b051 to the jdk path (a.k.a. no crash though) and it landed in 4.1.119.Final.

I think we can bump to 4.1.119.Final to minimize the effect of the "crafted packet".

@eolivelli
Contributor

Can you please update (just rename) the License files?

@tisonkun
Member

@eolivelli where is the file? I may forget it and I can't find it now.

Contributor

@cnauroth cnauroth left a comment

@tisonkun, the license files are here:

https://github.com/apache/zookeeper/tree/master/zookeeper-server/src/main/resources/lib

We can git mv all of the Netty 4.1.115.Final files to 4.1.118.Final without changing file contents.

Signed-off-by: tison <wander4096@gmail.com>
@tisonkun
Member

tisonkun commented Mar 1, 2025

Thanks for pointing this out @cnauroth!

I've pushed a new commit to fix it, as well as adopting @kezhuw's suggestion to use 4.1.119.Final.

@tisonkun changed the title from "ZOOKEEPER-4897 Upgrade Netty to 4.1.118.Final for fix CVE-2025-24970 for master branch" to "ZOOKEEPER-4897 Upgrade Netty to 4.1.119.Final for fix CVE-2025-24970 for master branch" on Mar 1, 2025
@tisonkun requested a review from cnauroth on March 1, 2025 08:42
Contributor

@cnauroth cnauroth left a comment

+1. Thanks to all who participated: @helloworld28, @tisonkun, @eolivelli, @kezhuw

@tisonkun tisonkun merged commit 160297d into apache:master Mar 2, 2025
13 of 14 checks passed
@tisonkun
Member

tisonkun commented Mar 2, 2025

Thanks for your review @cnauroth! You may take a look at the backport PR #2226 also.

Thanks @helloworld28 for your contribution!

5 participants