Releases: undertow-io/undertow
v.2.3.18.Final
Release 2.3.18.Final
Full list of issues: view in Jira
Release Notes - Undertow - Version 2.3.18.Final
Bug
- [UNDERTOW-2333] - Undertow read/write timeout should not apply to WebSockets or SSE
- [UNDERTOW-2412] - Read stored json with default UTF-8 encoding
- [UNDERTOW-2422] - Response Status Line protocol is hard-coded to "HTTP/1.1"
- [UNDERTOW-2436] - Race condition for HttpServerExchange state allows missed FLAG_REQUEST_TERMINATED flag with async requests and subsequent connection stall
- [UNDERTOW-2444] - H2 violation of protocol specification in RST_STREAM scenarios
- [UNDERTOW-2445] - CI Build is broken: actions/upload-artifact v1 and v2 are deprecated
- [UNDERTOW-2446] - HttpServletRequestImpl.getParts may throw exception after already loading parts
- [UNDERTOW-2448] - Broken responses after UNDERTOW-2425
v2.2.37.Final
Undertow release 2.2.37.Final
Full list of Issues: see on Jira
Release Notes - Undertow - Version 2.2.37.Final
Bug
- [UNDERTOW-2333] - Undertow read/write timeout should not apply to WebSockets or SSE
- [UNDERTOW-2412] - Read stored json with default UTF-8 encoding
- [UNDERTOW-2422] - Response Status Line protocol is hard-coded to "HTTP/1.1"
- [UNDERTOW-2436] - Race condition for HttpServerExchange state allows missed FLAG_REQUEST_TERMINATED flag with async requests and subsequent connection stall
- [UNDERTOW-2444] - H2 violation of protocol specification in RST_STREAM scenarios
- [UNDERTOW-2445] - CI Build is broken: actions/upload-artifact v1 and v2 are deprecated
- [UNDERTOW-2446] - HttpServletRequestImpl.getParts may throw exception after already loading parts
- [UNDERTOW-2448] - Broken responses after UNDERTOW-2425
- [UNDERTOW-2457] - Bytes may get lost across ProxyProtocolReadListener parsing invocations for v1
v2.2.36.Final
Includes CVEs: CVE-2024-7885
Release Notes - Undertow - Version 2.2.36.Final
Bug
- [UNDERTOW-2429] - CVE-2024-7885 undertow: Improper State Management in Proxy Protocol parsing causes information leakage
Enhancement
- [UNDERTOW-2432] - Bump javadoc plugin to 3.3.0+ in maintenance branches
v2.3.17.Final
Includes CVEs: CVE-2024-7885
Release Notes - Undertow - Version 2.3.17.Final
Bug
- [UNDERTOW-2429] - CVE-2024-7885 undertow: Improper State Management in Proxy Protocol parsing causes information leakage
v2.3.16.Final
Release Notes - Undertow - Version 2.3.16.Final
Bug
- [UNDERTOW-2256] - Resource predicate presentation differs depending on how it is set up
- [UNDERTOW-2312] - multibytes language in URL request to http/https are broken in EAP access log.
- [UNDERTOW-2381] - Invalid/benevolent hpack decoding of huffman-encoded string literal with EOS symbol
- [UNDERTOW-2424] - Undertow produces malformed Http/1.1 responses under heavy concurrent load
- [UNDERTOW-2425] - io.undertow.servlet.spec.ServletPrintWriter.close() high CPU when encoding characters on previously errored writer
v.2.2.35.Final
Release Notes - Undertow - Version 2.2.35.Final
Bug
- [UNDERTOW-2256] - Resource predicate presentation differs depending on how it is set up
- [UNDERTOW-2312] - multibytes language in URL request to http/https are broken in EAP access log.
- [UNDERTOW-2381] - Invalid/benevolent hpack decoding of huffman-encoded string literal with EOS symbol
- [UNDERTOW-2424] - Undertow produces malformed Http/1.1 responses under heavy concurrent load
- [UNDERTOW-2425] - io.undertow.servlet.spec.ServletPrintWriter.close() high CPU when encoding characters on previously errored writer
v2.2.34.Final
Includes CVEs: CVE-2024-3653, CVE-2024-5971
Release Notes - Undertow - Version 2.2.34.Final
Bug
- [UNDERTOW-2033] - secure predicate unreliable with HTTP/2
- [UNDERTOW-2046] - ProxyHandler passes hostname not IP in X-Forwarded-For
- [UNDERTOW-2343] - Zero-Byte Response and Empty Response Code on Page Refresh with Wildfly 30 and Firefox
- [UNDERTOW-2382] - CVE-2024-3653 LearningPushHandler can lead to remote memory DoS attacks
- [UNDERTOW-2397] - Handle Huffman encoding properly
- [UNDERTOW-2413] - CVE-2024-5971 undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket
- [UNDERTOW-2418] - Adjust properly session timeout also in case when FORM is combined with other mechanisms
Documentation
- [UNDERTOW-2193] - UndertowOptions class doesn't specify what many size settings represent
Enhancement
- [UNDERTOW-2386] - Update ci.yml link to git docs
- [UNDERTOW-2398] - Tweak workflow to allow manual re-runs
v2.2.33.Final
Includes CVEs: CVE-2024-6162, CVE-2024-27316, CVE-2023-5685
Release Notes - Undertow - Version 2.2.33.Final
Sub-task
- [UNDERTOW-2400] - ResponseWriterTestCase fails because ServletInputStream is closed before read
Bug
- [UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
- [UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
- [UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
- [UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
- [UNDERTOW-2385] - Memory leak in ThreadLocalCache
- [UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
- [UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
- [UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
- [UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used
Component Upgrade
- [UNDERTOW-2391] - CVE-2023-5685 Upgrade XNIO to 3.8.16.Final
- [UNDERTOW-2406] - Upgrade XNIO from 3.8.8.Final to 3.8.15.Final
Enhancement
- [UNDERTOW-2291] - Shush the javadoc plugin
- [UNDERTOW-2408] - Make fields final in DefaultByteBufferPool where applicable
- [UNDERTOW-2415] - Disable JDK8 CI tests for Mac OS
v2.3.14.Final
Includes CVEs: CVE-2024-6162, CVE-2024-27316, CVE-2023-5685
Release Notes - Undertow - Version 2.3.14.Final
Sub-task
- [UNDERTOW-2400] - ResponseWriterTestCase fails because ServletInputStream is closed before read
Bug
- [UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
- [UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
- [UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
- [UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
- [UNDERTOW-2385] - Memory leak in ThreadLocalCache
- [UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
- [UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
- [UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
- [UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used
Component Upgrade
- [UNDERTOW-2391] - CVE-2023-5685 Upgrade XNIO to 3.8.16.Final
Enhancement
- [UNDERTOW-2408] - Make fields final in DefaultByteBufferPool where applicable