Posted to dev@zookeeper.apache.org by Andor Molnar <an...@apache.org> on 2023/07/02 14:17:55 UTC

Re: Netty CVE-2023-34462 (SniHandler)

Hi Colvin,

Thanks for the heads-up. We just committed the upgrade of Netty on
master and branch-3.8:
https://github.com/apache/zookeeper/pull/2019

That means the new Netty version can be expected in 3.9.0 and 3.8.2
versions of ZooKeeper soon.

I think we should backport it to branch-3.7 too; however, it's going to
be EoL soon.

3.6 is not maintained anymore, so I don't expect it to be upgraded and
a new release issued.

Andor



On Wed, 2023-06-21 at 12:58 +0100, Colvin Cowie wrote:
> Hello
> 
> CVE-2023-34462 for Netty was announced yesterday and there's a new
> release of Netty that patches it. There's a GH advisory for it:
> https://github.com/advisories/GHSA-6mjq-h674-j845.
> 
> Is SNI enabled (by default) in ZooKeeper?
> Can the version of Netty included in existing releases of ZooKeeper be
> replaced without code changes? I see 3.6.2 and later all include Netty
> 4.1.86.
> 
> Thanks
> Colvin