Releases · undertow-io/undertow

22 Aug 15:19

2.3.16.Final

fc0ab78

    Release Notes - Undertow - Version 2.3.16.Final

Bug

[UNDERTOW-2256] - Resource predicate presentation differs depending on how it is set up
[UNDERTOW-2312] - multibytes language in URL request to http/https are broken in EAP access log.
[UNDERTOW-2381] - Invalid/benevolent hpack decoding of huffman-encoded string literal with EOS symbol
[UNDERTOW-2424] - Undertow produces malformed Http/1.1 responses under heavy concurrent load
[UNDERTOW-2425] - io.undertow.servlet.spec.ServletPrintWriter.close() high CPU when encoding characters on previously errored writer

Assets 6

22 Aug 15:18

fl4via

2.2.35.Final

f93d56b

v.2.2.35.Final

    Release Notes - Undertow - Version 2.2.35.Final

Bug

[UNDERTOW-2256] - Resource predicate presentation differs depending on how it is set up
[UNDERTOW-2312] - multibytes language in URL request to http/https are broken in EAP access log.
[UNDERTOW-2381] - Invalid/benevolent hpack decoding of huffman-encoded string literal with EOS symbol
[UNDERTOW-2424] - Undertow produces malformed Http/1.1 responses under heavy concurrent load
[UNDERTOW-2425] - io.undertow.servlet.spec.ServletPrintWriter.close() high CPU when encoding characters on previously errored writer

Assets 6

14 Aug 08:58

fl4via

2.2.34.Final

1ab726d

v2.2.34.Final

Includes CVES: CVE-2024-3653 CVE-2024-5971

    Release Notes - Undertow - Version 2.2.34.Final

Bug

[UNDERTOW-2033] - secure predicate unreliable with HTTP/2
[UNDERTOW-2046] - ProxyHandler passes hostname not IP in X-Forwarded-For
[UNDERTOW-2343] - Zero-Byte Response and Empty Response Code on Page Refresh with Wildfly 30 and Firefox
[UNDERTOW-2382] - CVE-2024-3653 LearningPushHandler can lead to remote memory DoS attacks
[UNDERTOW-2397] - Handle Huffman encoding properly
[UNDERTOW-2413] - CVE-2024-5971 undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket
[UNDERTOW-2418] - Adjust properly session timeout also in case when FORM is combined with other mechanisms

Documentation

[UNDERTOW-2193] - UndertowOptions class doesn't specify what many size settings represent

Enhancement

[UNDERTOW-2386] - Update ci.yml link to git docs
[UNDERTOW-2398] - Tweak workflow to allow manual re-runs

Assets 4

23 Jun 10:18

fl4via

2.2.33.Final

76b54da

v2.2.33.Final

Includes CVES: CVE-2024-6162 CVE-2024-27316 CVE-2023-5685

    Release Notes - Undertow - Version 2.2.33.Final

Sub-task

[UNDERTOW-2400] - ResponseWriterTestCase fails because ServletinputStream is closed before read

Bug

[UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
[UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
[UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
[UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
[UNDERTOW-2385] - Memory leak in ThreadLocalCache
[UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
[UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
[UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
[UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Component Upgrade

[UNDERTOW-2391] - CVE-2023-5685 Upgrade XNIO to 3.8.16.Final
[UNDERTOW-2406] - Upgrade XNIO from 3.8.8.Final to 3.8.15.Final

Enhancement

[UNDERTOW-2291] - Shush the javadoc plugin
[UNDERTOW-2408] - Make fields final in DefaultByteBufferPool when appliable
[UNDERTOW-2415] - Disable JDK8 CI tests for Mac OS

Assets 4

20 Jun 09:02

fl4via

2.3.14.Final

d8edb8b

v2.3.14.Final

Includes CVES: CVE-2024-6162 CVE-2024-27316 CVE-2023-5685

    Release Notes - Undertow - Version 2.3.14.Final

Sub-task

[UNDERTOW-2400] - ResponseWriterTestCase fails because ServletinputStream is closed before read

Bug

[UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
[UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
[UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
[UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
[UNDERTOW-2385] - Memory leak in ThreadLocalCache
[UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
[UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
[UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
[UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Component Upgrade

[UNDERTOW-2391] - CVE-2023-5685 Upgrade XNIO to 3.8.16.Final

Enhancement

[UNDERTOW-2408] - Make fields final in DefaultByteBufferPool when appliable

Assets 3

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug

Bug

Bug

Documentation

Enhancement

Sub-task

Bug

Component Upgrade

Enhancement

Sub-task

Bug

Component Upgrade

Enhancement

Releases: undertow-io/undertow

v2.3.16.Final

Bug

v.2.2.35.Final

Bug

v2.2.34.Final

Bug

Documentation

Enhancement

v2.2.33.Final

Sub-task

Bug

Component Upgrade

Enhancement

v2.3.14.Final

Sub-task

Bug

Component Upgrade

Enhancement