WildFly 37.0.1.Final Released

[Farah Juma]

WildFly 37.0.1.Final is now available for download from https://www.wildfly.org/downloads/

See the release announcement at https://www.wildfly.org/news/2025/09/04/WildFly-37-0-1-is-released/ for more details.

Please update to this release, and we will continue working towards WildFly 38.

Enjoy!

[morten hoffmann]

security scan of 37.0.1.Final identifies package " org.apache.tomcat:tomcat-coyote" version 11.0.4 to be vulnerable and it's recommended to update pakcage to 11.0.6

CVE-2025-31650

ref. https://nvd.nist.gov/vuln/detail/CVE-2025-31650

second...are there plans to update the netty-codec and netty-codec-http package to 4.1.125 innext release?

kind regards

Morten Hoffmann

[Darran Lofthouse]

On Mon, Sep 8, 2025 at 10:10 AM morten hoffmann <mhoff...@gmail.com> wrote:

security scan of 37.0.1.Final identifies package " org.apache.tomcat:tomcat-coyote" version 11.0.4 to be vulnerable and it's recommended to update pakcage to 11.0.6

CVE-2025-31650

ref. https://nvd.nist.gov/vuln/detail/CVE-2025-31650

Are you able to identify which jar your scanner is identifying as containing tomcat-coyote? The HTTP server in WildFly is Undertow not Apache Tomcat.

 

second...are there plans to update the netty-codec and netty-codec-http package to 4.1.125 innext release?

kind regards

Morten Hoffmann

On Thursday, September 4, 2025 at 6:43:02 PM UTC+2 Farah Juma wrote:

WildFly 37.0.1.Final is now available for download from https://www.wildfly.org/downloads/

See the release announcement at https://www.wildfly.org/news/2025/09/04/WildFly-37-0-1-is-released/ for more details.

Please update to this release, and we will continue working towards WildFly 38.

Enjoy!

--
You received this message because you are subscribed to the Google Groups "WildFly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wildfly/3ae2fea0-7e04-454a-bed1-aa1bb3c1500bn%40googlegroups.com.

[morten hoffmann]

Hi Darran

I managed to identify the tomcat-coyote. it was from a internal app which I now have excluded.

However I still encounter some vulnerabilities 

io.netty:netty-codec 4.1.124.Final:/opt/jboss/wildfly-37.0.1.Final/bin/client/jboss-client.jar
io.netty:netty-codec 4.1.124.Final: /opt/jboss/wildfly-37.0.1.Final/modules/system/layers/base/io/netty/netty-codec/main/netty-codec-4.1.124.Final.jar
io.netty:netty-codec-http 4.1.124.Final: /opt/jboss/wildfly-37.0.1.Final/bin/client/jboss-client.jar
io.netty:netty-codec-http 4.1.124.Final: /opt/jboss/wildfly-37.0.1.Final/modules/system/layers/base/io/netty/netty-codec-http/main/netty-codec-http-4.1.124.Final.jar
io.netty:netty-codec-dns 4.1.124.Final: /opt/jboss/wildfly-37.0.1.Final/modules/system/layers/base/io/netty/netty-codec-dns/main/netty-codec-dns-4.1.124.Final.jar
io.netty:netty-codec-http2 4.1.124.Final: /opt/jboss/wildfly-37.0.1.Final/modules/system/layers/base/io/netty/netty-codec-http2/main/netty-codec-http2-4.1.124.Final.jar
io.netty:netty-codec-socks 4.1.124.Final: /opt/jboss/wildfly-37.0.1.Final/bin/client/jboss-client.jar
io.netty:netty-codec-socks 4.1.124.Final: /opt/jboss/wildfly-37.0.1.Final/modules/system/layers/base/io/netty/netty-codec-socks/main/netty-codec-socks-4.1.124.Final.jar

CVE-2025-58056, CVE-2025-58057, CVE-2025-58056, CVE-2025-58057

Suggested fix: 4.1.125.Final

What are the consequences if I remove these from my image?

Kind regards

Morten Hoffmann