ZOOKEEPER-4897 Upgrade Netty to 4.1.119.Final for fix CVE-2025-24970 for master branch #2227

Merged: tisonkun merged 2 commits into apache:master from helloworld28:ZOOKEEPER-4897 on Mar 2, 2025

@helloworld28
Contributor

No description provided.

@helloworld28 changed the title from "Zookeeper-4897 Upgrade Netty to 4.1.118.Final for fix CVE-2025-24970" to "ZOOKEEPER-4897 Upgrade Netty to 4.1.118.Final for fix CVE-2025-24970 for master branch" on Feb 25, 2025

Member

@tisonkun left a comment

Thank you!

Member

@kezhuw left a comment

There is a patch netty/netty@dc6b051 to the JDK path (a.k.a. no crash though), and it landed in 4.1.119.Final.

I think we can bump to 4.1.119.Final to minimize the effect of the "crafted packet".

@eolivelli
Contributor

Can you please update (just rename) the License files?

@tisonkun
Member

@eolivelli where is the file? I may forget it and I can't find it now.

Contributor

@cnauroth left a comment

@tisonkun , the license files are here:

https://github.com/apache/zookeeper/tree/master/zookeeper-server/src/main/resources/lib

We can git mv all of the Netty 4.1.115.Final files to 4.1.118.Final without changing file contents.
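
The rename described in the comment above, as an added shell example (not part of the original thread and not ZooKeeper's own tooling): it changes only the version string in each file name, leaves contents alone, and then counts any files still carrying the old version. The function names and the file names in `demo` are assumptions made for illustration; the version strings are parameters.

```shell
#!/bin/sh
# Added example, not ZooKeeper project code. File names in demo() are constructed.

# rename_versioned_files DIR OLD NEW
# Rename every file in DIR whose name contains OLD so that it contains NEW.
# Tracked files go through `git mv`; anything else falls back to plain `mv`.
# Contents are never touched. Prints the number of files renamed and refuses
# to overwrite an existing target.
rename_versioned_files() {
    dir=$1; old=$2; new=$3; count=0
    for path in "$dir"/*"$old"*; do
        [ -e "$path" ] || continue            # glob matched nothing
        name=${path##*/}
        target=${name%%"$old"*}$new${name#*"$old"}
        if [ -e "$dir/$target" ]; then
            echo "refusing to overwrite $dir/$target" >&2
            return 1
        fi
        if git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
            git -C "$dir" mv -- "$name" "$target"
        else
            mv -- "$path" "$dir/$target"
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# count_stale DIR OLD
# Prints how many files in DIR still carry OLD in their name (0 when clean).
count_stale() {
    stale=0
    for path in "$1"/*"$2"*; do
        if [ -e "$path" ]; then stale=$((stale + 1)); fi
    done
    echo "$stale"
}

# demo: scratch directory with constructed file names (not the real listing).
demo() {
    scratch=$(mktemp -d)
    : > "$scratch/netty-buffer-4.1.115.Final.LICENSE.txt"
    : > "$scratch/netty-handler-4.1.115.Final.LICENSE.txt"
    rename_versioned_files "$scratch" 4.1.115.Final 4.1.119.Final
    count_stale "$scratch" 4.1.115.Final
    rm -rf "$scratch"
}
```

A non-zero result from `count_stale` after a dependency bump means a license file name no longer matches the shipped jar version.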

Signed-off-by: tison <wander4096@gmail.com>
@tisonkun
Member

tisonkun commented Mar 1, 2025

Thanks for pointing this out @cnauroth!

I've pushed a new commit to fix it, as well as adopting @kezhuw's suggestion to use 4.1.119.Final.

@tisonkun changed the title from "ZOOKEEPER-4897 Upgrade Netty to 4.1.118.Final for fix CVE-2025-24970 for master branch" to "ZOOKEEPER-4897 Upgrade Netty to 4.1.119.Final for fix CVE-2025-24970 for master branch" on Mar 1, 2025
@tisonkun requested a review from cnauroth on March 1, 2025 08:42

Contributor

@cnauroth left a comment

+1. Thanks to all who participated: @helloworld28 , @tisonkun , @eolivelli , @kezhuw

@tisonkun merged commit 160297d into apache:master on Mar 2, 2025
13 of 14 checks passed
@tisonkun
Member

tisonkun commented Mar 2, 2025

Thanks for your review @cnauroth! You may take a look at the backport PR #2226 also.

Thanks @helloworld28 for your contribution!

@cnauroth
Contributor

@helloworld28 , do you have an ASF JIRA ID? Can you please let me know it, so I can assign ZOOKEEPER-4897 and close it? If you don't have an ID, you can request one here:

https://selfserve.apache.org/jira-account.html

Please mention that you fixed ZOOKEEPER-4897 in the request.

Thank you.

@helloworld28
Contributor Author

> @helloworld28 , do you have an ASF JIRA ID? Can you please let me know it, so I can assign ZOOKEEPER-4897 and close it? If you don't have an ID, you can request one here:
>
> https://selfserve.apache.org/jira-account.html
>
> Please mention that you fixed ZOOKEEPER-4897 in the request.
>
> Thank you.

Thanks for merging this PR. I already have an ASF account, the JIRA is created by me, you can assign it to me.

@helloworld28
Contributor Author

> > @helloworld28 , do you have an ASF JIRA ID? Can you please let me know it, so I can assign ZOOKEEPER-4897 and close it? If you don't have an ID, you can request one here:
> > https://selfserve.apache.org/jira-account.html
> > Please mention that you fixed ZOOKEEPER-4897 in the request.
> > Thank you.
>
> Thanks for merging this PR. I already have an ASF account, the JIRA is created by me, you can assign it to me.

@cnauroth could you help assign the task to me (jimqin)? Let me close it.

@cnauroth
Contributor

@helloworld28 , I assigned the JIRA issue and closed it. Thank you again!

@helloworld28 deleted the ZOOKEEPER-4897 branch on March 21, 2025 14:19
anmolnar pushed a commit to anmolnar/zookeeper that referenced this pull request Jul 30, 2025
anmolnar added a commit that referenced this pull request Jul 31, 2025
…3 (branch-3.8 backport)

ZOOKEEPER-4897 Upgrade Netty to 4.1.119.Final for fix CVE-2025-24970 (#2227)
Co-authored-by: tison <wander4096@gmail.com>
ZOOKEEPER-4897. Remove old Netty license
Reviewers: kezhuw
Author: anmolnar
Closes #2285 from anmolnar/ZOOKEEPER-4897_38
basapuram-kumar pushed a commit to acceldata-io/zookeeper that referenced this pull request Sep 22, 2025
basapuram-kumar pushed a commit to acceldata-io/zookeeper that referenced this pull request Sep 23, 2025