undertow-io/undertow
 Watch   
 Star   
 Fork   
2024-10-17 05:12:35
undertow

v2.2.37.Final

Undertow release 2.2.37.Final Full list of Issues: see on Jira

    Release Notes - Undertow - Version 2.2.37.Final

Bug

  • [UNDERTOW-2333] - Undertow read/write timeout should not apply to WebSockets or SSE
  • [UNDERTOW-2412] - Read stored json with default UTF-8 encoding
  • [UNDERTOW-2422] - Response Status Line protocol is hard-coded to "HTTP/1.1"
  • [UNDERTOW-2436] - Race condition for HttpServerExchange state allows missed FLAG_REQUEST_TERMINATED flag with async requests and subsequent connection stall
  • [UNDERTOW-2444] - H2 violation of protocol specification in RST_STREAM scenarios
  • [UNDERTOW-2445] - CI Build is broken: actions/upload-artifact v1 and v2 are deprecated
  • [UNDERTOW-2446] - HttpServletRequestImpl.getParts may throw exception after already loading parts
  • [UNDERTOW-2448] - Broken responses after UNDERTOW-2425
  • [UNDERTOW-2457] - Bytes may get lost across ProxyProtocolReadListener parsing invocations for v1
2024-10-16 21:29:38
undertow

v.2.3.18.Final

Release 2.3.18.Final Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.18.Final

Bug

  • [UNDERTOW-2333] - Undertow read/write timeout should not apply to WebSockets or SSE
  • [UNDERTOW-2412] - Read stored json with default UTF-8 encoding
  • [UNDERTOW-2422] - Response Status Line protocol is hard-coded to "HTTP/1.1"
  • [UNDERTOW-2436] - Race condition for HttpServerExchange state allows missed FLAG_REQUEST_TERMINATED flag with async requests and subsequent connection stall
  • [UNDERTOW-2444] - H2 violation of protocol specification in RST_STREAM scenarios
  • [UNDERTOW-2445] - CI Build is broken: actions/upload-artifact v1 and v2 are deprecated
  • [UNDERTOW-2446] - HttpServletRequestImpl.getParts may throw exception after already loading parts
  • [UNDERTOW-2448] - Broken responses after UNDERTOW-2425
2024-10-02 05:15:10
undertow

v2.2.36.Final

Includes CVES: CVE-2024-7885

    Release Notes - Undertow - Version 2.2.36.Final

Bug

  • [UNDERTOW-2429] - CVE-2024-7885 undertow: Improper State Management in Proxy Protocol parsing causes information leakage

Enhancement

  • [UNDERTOW-2432] - Bump javadoc plugin to 3.3.0+ in maintenance branches
2024-09-01 09:03:04
undertow

v2.3.17.Final

Includes CVEs: CVE-2024-7885

    Release Notes - Undertow - Version 2.3.17.Final

Bug

  • [UNDERTOW-2429] - CVE-2024-7885 undertow: Improper State Management in Proxy Protocol parsing causes information leakage
2024-08-22 21:04:40
undertow

v2.3.16.Final

    Release Notes - Undertow - Version 2.3.16.Final

Bug

  • [UNDERTOW-2256] - Resource predicate presentation differs depending on how it is set up
  • [UNDERTOW-2312] - multibytes language in URL request to http/https are broken in EAP access log.
  • [UNDERTOW-2381] - Invalid/benevolent hpack decoding of huffman-encoded string literal with EOS symbol
  • [UNDERTOW-2424] - Undertow produces malformed Http/1.1 responses under heavy concurrent load
  • [UNDERTOW-2425] - io.undertow.servlet.spec.ServletPrintWriter.close() high CPU when encoding characters on previously errored writer
2024-08-22 19:22:00
undertow

v.2.2.35.Final

    Release Notes - Undertow - Version 2.2.35.Final

Bug

  • [UNDERTOW-2256] - Resource predicate presentation differs depending on how it is set up
  • [UNDERTOW-2312] - multibytes language in URL request to http/https are broken in EAP access log.
  • [UNDERTOW-2381] - Invalid/benevolent hpack decoding of huffman-encoded string literal with EOS symbol
  • [UNDERTOW-2424] - Undertow produces malformed Http/1.1 responses under heavy concurrent load
  • [UNDERTOW-2425] - io.undertow.servlet.spec.ServletPrintWriter.close() high CPU when encoding characters on previously errored writer
2024-07-17 03:09:37
undertow

v2.2.34.Final

Includes CVES: CVE-2024-3653 CVE-2024-5971

    Release Notes - Undertow - Version 2.2.34.Final

Bug

  • [UNDERTOW-2033] - secure predicate unreliable with HTTP/2
  • [UNDERTOW-2046] - ProxyHandler passes hostname not IP in X-Forwarded-For
  • [UNDERTOW-2343] - Zero-Byte Response and Empty Response Code on Page Refresh with Wildfly 30 and Firefox
  • [UNDERTOW-2382] - CVE-2024-3653 LearningPushHandler can lead to remote memory DoS attacks
  • [UNDERTOW-2397] - Handle Huffman encoding properly
  • [UNDERTOW-2413] - CVE-2024-5971 undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket
  • [UNDERTOW-2418] - Adjust properly session timeout also in case when FORM is combined with other mechanisms

Documentation

  • [UNDERTOW-2193] - UndertowOptions class doesn't specify what many size settings represent

Enhancement

2024-06-23 17:46:04
undertow

v2.2.33.Final

Includes CVES: CVE-2024-6162 CVE-2024-27316 CVE-2023-5685

    Release Notes - Undertow - Version 2.2.33.Final

Sub-task

  • [UNDERTOW-2400] - ResponseWriterTestCase fails because ServletinputStream is closed before read

Bug

  • [UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
  • [UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
  • [UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
  • [UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
  • [UNDERTOW-2385] - Memory leak in ThreadLocalCache
  • [UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
  • [UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
  • [UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
  • [UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Component Upgrade

Enhancement

2024-06-20 16:24:18
undertow

v2.3.14.Final

Includes CVES: CVE-2024-6162 CVE-2024-27316 CVE-2023-5685

    Release Notes - Undertow - Version 2.3.14.Final

Sub-task

  • [UNDERTOW-2400] - ResponseWriterTestCase fails because ServletinputStream is closed before read

Bug

  • [UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
  • [UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
  • [UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
  • [UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
  • [UNDERTOW-2385] - Memory leak in ThreadLocalCache
  • [UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
  • [UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
  • [UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
  • [UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Component Upgrade

Enhancement

  • [UNDERTOW-2408] - Make fields final in DefaultByteBufferPool when appliable