Releases: undertow-io/undertow
Releases · undertow-io/undertow
v2.2.34.Final
Includes CVES: CVE-2024-3653 CVE-2024-5971
Release Notes - Undertow - Version 2.2.34.Final
Bug
- [UNDERTOW-2033] - secure predicate unreliable with HTTP/2
- [UNDERTOW-2046] - ProxyHandler passes hostname not IP in X-Forwarded-For
- [UNDERTOW-2343] - Zero-Byte Response and Empty Response Code on Page Refresh with Wildfly 30 and Firefox
- [UNDERTOW-2382] - CVE-2024-3653 LearningPushHandler can lead to remote memory DoS attacks
- [UNDERTOW-2397] - Handle Huffman encoding properly
- [UNDERTOW-2413] - CVE-2024-5971 undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket
- [UNDERTOW-2418] - Adjust properly session timeout also in case when FORM is combined with other mechanisms
Documentation
- [UNDERTOW-2193] - UndertowOptions class doesn't specify what many size settings represent
Enhancement
- [UNDERTOW-2386] - Update ci.yml link to git docs
- [UNDERTOW-2398] - Tweak workflow to allow manual re-runs
v2.2.33.Final
Includes CVES: CVE-2024-6162 CVE-2024-27316 CVE-2023-5685
Release Notes - Undertow - Version 2.2.33.Final
Sub-task
- [UNDERTOW-2400] - ResponseWriterTestCase fails because ServletinputStream is closed before read
Bug
- [UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
- [UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
- [UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
- [UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
- [UNDERTOW-2385] - Memory leak in ThreadLocalCache
- [UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
- [UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
- [UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
- [UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used
Component Upgrade
- [UNDERTOW-2391] - CVE-2023-5685 Upgrade XNIO to 3.8.16.Final
- [UNDERTOW-2406] - Upgrade XNIO from 3.8.8.Final to 3.8.15.Final
Enhancement
- [UNDERTOW-2291] - Shush the javadoc plugin
- [UNDERTOW-2408] - Make fields final in DefaultByteBufferPool when appliable
- [UNDERTOW-2415] - Disable JDK8 CI tests for Mac OS
v2.3.14.Final
Includes CVES: CVE-2024-6162 CVE-2024-27316 CVE-2023-5685
Release Notes - Undertow - Version 2.3.14.Final
Sub-task
- [UNDERTOW-2400] - ResponseWriterTestCase fails because ServletinputStream is closed before read
Bug
- [UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
- [UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
- [UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
- [UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
- [UNDERTOW-2385] - Memory leak in ThreadLocalCache
- [UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
- [UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
- [UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
- [UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used
Component Upgrade
- [UNDERTOW-2391] - CVE-2023-5685 Upgrade XNIO to 3.8.16.Final
Enhancement
- [UNDERTOW-2408] - Make fields final in DefaultByteBufferPool when appliable