Releases: netty/netty
netty-4.2.15.Final
Security fixes
- CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
- CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
- CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
- CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
- CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
- CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
- CVE-2026-50009: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
- CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
- CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
- CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
- CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
- CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
- CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
- CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
- CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
- CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
- CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
- CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
- CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
- CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
- CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
- CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.
What's Changed
- Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by @dreamlike-ocean in #16836
- HTTP/2: Parse request-target path like Vert.x by @yawkat in #16810
- Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by @netty-project-bot in #16853
- FlowControlHandler: Suppress duplicate channelReadComplete after draining queue (#15053) by @schiemon in #16837
- Pass maxAllocation to Brotli and Zstd decoders by @fedinskiy in #16844
- Fix revapi warnings by @chrisvest in #16885
- Fix SCTP and Redis tests by @chrisvest in #16893
- Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @skyguard1 in #16850
- Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @netty-project-bot in #16890
New Contributors
- @schiemon made their first contribution in #16837
- @fedinskiy made their first contribution in #16844
Full Changelog: netty-4.2.14.Final...netty-4.2.15.Final
netty-4.1.135.Final
Security fixes
- CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
- CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
- CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
- CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
- CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
- CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
- CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
- CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
- CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
- CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
- CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
- CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
- CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
- CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
- CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
- CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
- CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
- CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.
What's Changed
- Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in #16834
- ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in #16847
- HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in #16856
- HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in #16861
- IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in #16860
- Configurable bound on RedisArrayAggregator by @normanmaurer in #16858
- Redis: Limit decoded length by @normanmaurer in #16859
- DNS: Ensure query id is not predictible by @normanmaurer in #16870
- Wrapping plain trust manager silently disables hostname verification by @normanmaurer in #16868
- MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in #16852
- Fix revapi warnings (#16885) by @chrisvest in #16892
- HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in #16866
- SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in #16871
- DNS: Only cache CNAME if part of the queried domain by @normanmaurer in #16873
- HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in #16876
- Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in #16877
- HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in #16880
- Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in #16886
- HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in #16883
- Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in #16894
- HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in #16881
- Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in #16872
- SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in #16875
- Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in #16878
- Redis: Limit the maximum number of nested arrays by @normanmaurer in #16882
Full Changelog: netty-4.1.134.Final...netty-4.1.135.Final
netty-4.2.14.Final
What's Changed
- HTTP: Fix revapi failure introduced by 84530fa by @normanmaurer in #16748
- HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake by @normanmaurer in #16747
- Marshalling: Explicit document security requirements by @normanmaurer in #16752
- Fix io_uring op completion TRACE logging by @chrisvest in #16755
- Quic: Ensure writes are done before notify close promise of QuicheQui… by @normanmaurer in #16758
- Avoid re-parsing openssl key material with non-cached provider by @chrisvest in #16759
- Pin HTTP/RTSP version + method normalization to Locale.US by @daguimu in #16765
- Fill MsgHdrMemoryArray#hdrs with null entry on release by @tsegismont in #16764
- Revapi: Use default "oldVersion" by @chrisvest in #16774
- Adaptive: Fix concurrency issue in adaptive allocator by @chrisvest in #16767
- Auto-port 4.2: Make bulk byte moving in ByteBuf faster by @netty-project-bot in #16781
- Pin multipart Content-Type / Content-Transfer-Encoding case folding to Locale.US by @daguimu in #16768
- Remove dead native declarations by @pandareen in #16783
- Isolate tests that modify available Security providers by @chrisvest in #16793
- Remove test annotations from a method that isn't a test by @chrisvest in #16792
- Enable OpenSslCachingKeyMaterialProvider to evict stale entries after cert rotation by @zhangweikop in #16523
- IoUring: extend user data from short to long by @dreamlike-ocean in #16682
- Revert CompositeByteBuf component search fast path by @yawkat in #16811
- HTTP2: Use 100 as default max concurrent streams setting by @normanmaurer in #16804
- Fix ResumptionController wrapping by @chrisvest in #16815
- Resolve all localhost addresses without querying DNS servers by @JulianVennen in #16749
- IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 by @normanmaurer in #16803
- Fix memoryAddress() for direct ByteBuffers wrapped by Unpooled without Unsafe by @dreamlike-ocean in #16788
- Route synchronous onLookupComplete exceptions via fireExceptionCaught by @kwondh5217 in #16794
- IoUring: Stop generic FileRegion drain loop when transferred() reaches count() by @LuciferYang in #16826
- MQTT: Allow MQTT 5 CONNECT with password only by @shblue21 in #16833
- Fix MQTT decoder size check after variable header replay by @daguimu in #16787
New Contributors
- @pandareen made their first contribution in #16783
- @zhangweikop made their first contribution in #16523
- @JulianVennen made their first contribution in #16749
- @kwondh5217 made their first contribution in #16794
- @shblue21 made their first contribution in #16833
Full Changelog: netty-4.2.13.Final...netty-4.2.14.Final
netty-4.1.134.Final
What's Changed
- Auto-port 4.1: HTTP: Re-add constructor to HttpProxyHandler that was removed by mistake by @netty-project-bot in #16750
- Auto-port 4.1: Marshalling: Explicit document security requirements by @netty-project-bot in #16754
- Pin HTTP/RTSP version + method normalization to Locale.US (#16765) by @normanmaurer in #16770
- Adaptive: Fix concurrency issue in adaptive allocator (#16767) by @chrisvest in #16778
- Pin multipart Content-Type / Content-Transfer-Encoding case folding t… by @normanmaurer in #16784
- Auto-port 4.1: Remove dead native declarations by @netty-project-bot in #16785
- Avoid re-parsing openssl key material with non-cached provider (#16759) by @chrisvest in #16791
- Isolate tests that modify available Security providers (#16793) by @chrisvest in #16805
- Auto-port 4.1: Remove test annotations from a method that isn't a test by @netty-project-bot in #16798
- Auto-port 4.1: IpFilter: Fix ClassCastException caused by IpSubnetFilter if only ipv6 rules are configured but remote peer is using ipv4 by @netty-project-bot in #16822
- Resolve all localhost addresses without querying DNS servers (#16749) by @normanmaurer in #16820
- Auto-port 4.1: HTTP2: Use 100 as default max concurrent streams setting by @netty-project-bot in #16816
- Auto-port 4.1: Route synchronous onLookupComplete exceptions via fireExceptionCaught by @netty-project-bot in #16824
- Auto-port 4.1: Fix MQTT decoder size check after variable header replay by @netty-project-bot in #16838
Full Changelog: netty-4.1.133.Final...netty-4.1.134.Final
netty-4.2.13.Final
CVEs Fixed
- CVE-2026-42586 (netty-codec-redis)
- CVE-2026-42578 (netty-handler-proxy)
- CVE-2026-42577 (netty-transport-native-epoll)
- CVE-2026-42587 (netty-codec-http, netty-codec-http2)
- CVE-2026-41417 (netty-codec-http)
- CVE-2026-42581 (netty-codec-http)
- CVE-2026-42580 (netty-codec-http)
- CVE-2026-42585 (netty-codec-http)
- CVE-2026-42579 (netty-codec-dns)
- CVE-2026-42582 (netty-codec-http3)
- CVE-2026-42583 (netty-codec, netty-codec-compression)
- CVE-2026-42584 (netty-codec-http)
- CVE-2026-44248 (netty-codec-mqtt)
Breaking Changes
The patch for CVE-2026-42581 prohibits HTTP/1.1 requests containing both the Transfer-Encoding and Content-Length headers, in line with RFC 9112. Previous versions of HTTP/1.1 (RFC 7230) permitted this combination. You can restore the old behavior with the -Dio.netty.handler.codec.http.rfc9112TransferEncoding=false system property or with HttpDecoderConfig. Note that disabling this check may lead to request smuggling vulnerabilities.
What's Changed
- Kqueue: sendfile EINTR doesn't advance offset — data duplication by @normanmaurer in #16544
- Replace usage of strerror with thread-safe alternative by @normanmaurer in #16547
- Fix implementation of strerror_r_xsi for GNU by @normanmaurer in #16546
- Lazy init ArrayList in DefaultHeaders.getAll by @doom369 in #16526
- Less logging in AWS-LC build by @chrisvest in #16565
- Ensure the CRYPTO_BUFFER_POOL is also freed when we fail creating the SSLContext by @normanmaurer in #16545
- Auto-port 4.2: Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat by @netty-project-bot in #16543
- Avoid leak in PemReader on OutOfDirectMemoryError by @raipc in #16551
- IoUring: Disable test while we debug to unblock other builds by @normanmaurer in #16581
- Include user properties and subscription IDs in MqttProperties#isEmpty by @ShadowySpirits in #16575
- Native DNS resolver: Guard against malloc failures by @normanmaurer in #16559
- Auto-port 4.2: Increase timeouts for QuicChannelConnectTest by @netty-project-bot in #16578
- Fix parsing HTTP chunks with multiple extensions by @chrisvest in #16579
- Bump org.codehaus.plexus:plexus-utils from 3.4.2 to 4.0.3 in /codec-native-quic by @dependabot[bot] in #16572
- Revert to PR build to Ubuntu 22.04 by @chrisvest in #16595
- Native transports: Correctly create pipe when pipe2 is not supported by @normanmaurer in #16592
- Epoll: Cleanup code to always return negative value on failure by @normanmaurer in #16591
- Fix component search fast path by @yawkat in #16548
- Stabilize read-only toStringMultipleThreads1 by @chrisvest in #16608
- Stabilize more AbstractByteBufTests by @chrisvest in #16611
- Remove note about needing 256-bit for PQC by @chrisvest in #16605
- Stabilize testSessionInvalidate for Conscrypt by @chrisvest in #16615
- Quic: Correctly handle SSL_CTX_new failures by @normanmaurer in #16622
- Make LocalIoHandle public by @rdicroce in #16621
- Quic: Fix shadowing of variable which leads to incorrectly handling errors by @normanmaurer in #16623
- Auto-port 4.2: Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter by @netty-project-bot in #16629
- Fix shutdownInput bug in kqueue for empty recv buffer by @chrisvest in #16630
- fix FFM address semantics in directBufferAddress by @dreamlike-ocean in #16603
- HTTP2: Ensure HTTP2 preface is always send as first message by @normanmaurer in #16636
- Move Http2FrameCodecSubClassTest to correct package by @normanmaurer in #16640
- Kqueue: Fix usage of LOCAL_PEERPID by @normanmaurer in #16637
- Avoid ArrayQueue allocation in HttpServerCodec by @doom369 in #16596
- Fix file descriptor reuse bug in kqueue by @chrisvest in #16650
- Propagate exceptions from inner threads in buffer tests by @chrisvest in #16643
- Add maxFrameLength support to ProtobufVarint32FrameDecoder by @fru1tworld in #16633
- Avoid byte[] allocation in DefaultChannelId by @doom369 in #16631
- Bump BouncyCastle from 1.83 to 1.84 by @chrisvest in #16660
- HTTP2: Ensure HTTP2 preface is always send as first message (also on the server) by @normanmaurer in #16667
- Update outdated codec-http3 README.md by @fru1tworld in #16665
- Bump up netty-tcnative to 2.0.76.Final by @normanmaurer in #16669
- Fix IllegalReferenceCountException in AdaptiveByteBuf.deallocate() by @gzsombor in #16654
- Skip VarHandle init when unaligned access is supported by @Songdoeon in #16664
- Add generic FileRegion support in io_uring stream channel by @LuciferYang in #16571
- ByteBufAllocatorAllocPatternBenchmark: Ensure each index appears exactly once in releaseIndexes by @laosijikaichele in #16604
- Improve flaky NioSocketChannelTest by @chrisvest in #16679
- Deprecate ObjectCleaner and remove usage by @chrisvest in #16685
- Update to netty-tcnative 2.0.77.Final by @normanmaurer in #16687
- Avoid TCPFastOpen in KQueueCompositeBufferGatheringWriteTest by @chrisvest in #16697
- Update JUnit to 5.14.0 and fix leak scope handling by @yawkat in #16680
- Auto-port 4.2: Avoid NPE in JdkSslClientContext when TrustManagerFactory returns null by @netty-project-bot in #16702
- Avoid NPE in JdkSslServerContext when TrustManagerFactory returns nul… by @normanmaurer in #16700
- IoUring: Fix incorrect assertion which was triggered when two Channel… by @normanmaurer in #16705
- Epoll: Correctly delete fd from epoll if there is nothing to handle by @normanmaurer in #16689
- Update many dependencies by @chrisvest in #16707
- SCTP: Correctly handle SO_BACKLOG by @normanmaurer in #16714
- Load BouncyCastle providers independently by @chrisvest in #16710
- Add UBI9 devcontainer by @chrisvest in #16711
- Consolidate fake exceptions in HTTP/2 tests into Http2TestUtil by @fru1tworld in #16712
- Auto-port 4.2: Fix DiscardClient hang under -Dssl by using a client SSL context by @netty-project-bot in #16724
- Epoll: Use correct inital EpollIoOps by @normanmaurer in #16728
- Activate noPrintGC by default by @chrisvest in #16732
- H2: Add test for header value validation by @chrisvest in #16737
New Contributors
- @ShadowySpirits made their first contribution in #16575
- @fru1tworld made their first contribution in #16633
- @gzsombor made their first contribution in #16654
- @LuciferYang made their first contribution in #16571
Full Changelog: netty-4.2.12.Final...netty-4.2.13.Final
netty-4.1.133.Final
CVEs Fixed
- CVE-2026-42586 (netty-codec-redis)
- CVE-2026-42578 (netty-handler-proxy)
- CVE-2026-42587 (netty-codec-http, netty-codec-http2)
- CVE-2026-41417 (netty-codec-http)
- CVE-2026-42581 (netty-codec-http)
- CVE-2026-42580 (netty-codec-http)
- CVE-2026-42585 (netty-codec-http)
- CVE-2026-42579 (netty-codec-dns)
- CVE-2026-42582 (netty-codec-http3)
- CVE-2026-42583 (netty-codec, netty-codec-compression)
- CVE-2026-42584 (netty-codec-http)
- CVE-2026-44248 (netty-codec-mqtt)
What's Changed
- Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat by @daguimu in #16539
- Auto-port 4.1: Fix implementation of strerror_r_xsi for GNU by @netty-project-bot in #16561
- Auto-port 4.1: Replace usage of strerror with thread-safe alternative by @netty-project-bot in #16555
- Auto-port 4.1: Kqueue: sendfile EINTR doesn't advance offset — data duplication by @netty-project-bot in #16554
- Auto-port 4.1: Avoid leak in PemReader on OutOfDirectMemoryError by @netty-project-bot in #16576
- Auto-port 4.1: Native DNS resolver: Guard against malloc failures by @netty-project-bot in #16584
- Auto-port 4.1: Include user properties and subscription IDs in MqttProperties#isEmpty by @netty-project-bot in #16582
- Auto-port 4.1: Fix parsing HTTP chunks with multiple extensions by @netty-project-bot in #16588
- Auto-port 4.1: Stabilize read-only toStringMultipleThreads1 by @netty-project-bot in #16610
- Auto-port 4.1: Epoll: Cleanup code to always return negative value on failure by @netty-project-bot in #16601
- Auto-port 4.1: Stabilize more AbstractByteBufTests by @netty-project-bot in #16613
- Auto-port 4.1: Stabilize testSessionInvalidate for Conscrypt by @netty-project-bot in #16616
- Auto-port 4.1: Native transports: Correctly create pipe when pipe2 is not supported by @netty-project-bot in #16598
- Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter by @daguimu in #16558
- Fix shutdownInput bug in kqueue for empty recv buffer (#16630) by @normanmaurer in #16638
- Auto-port 4.1: Kqueue: Fix usage of LOCAL_PEERPID by @netty-project-bot in #16646
- Auto-port 4.1: HTTP2: Ensure HTTP2 preface is always send as first message by @netty-project-bot in #16642
- Auto-port 4.1: Propagate exceptions from inner threads in buffer tests by @netty-project-bot in #16652
- Auto-port 4.1: Add maxFrameLength support to ProtobufVarint32FrameDecoder by @netty-project-bot in #16658
- Auto-port 4.1: Bump up netty-tcnative to 2.0.76.Final by @netty-project-bot in #16672
- HTTP2: Ensure HTTP2 preface is always send as first message (also on … by @chrisvest in #16675
- Improve flaky NioSocketChannelTest (#16679) by @normanmaurer in #16681
- Deprecate ObjectCleaner and remove usage (#16685) by @chrisvest in #16694
- Auto-port 4.1: Update to netty-tcnative 2.0.77.Final by @netty-project-bot in #16695
- Avoid NPE in JdkSslServerContext when TrustManagerFactory returns null by @daguimu in #16691
- Avoid NPE in JdkSslClientContext when TrustManagerFactory returns null by @daguimu in #16690
- Auto-port 4.1: Avoid TCPFastOpen in KQueueCompositeBufferGatheringWriteTest by @netty-project-bot in #16699
- Auto-port 4.1: SCTP: Correctly handle SO_BACKLOG by @netty-project-bot in #16715
- Fix DiscardClient hang under -Dssl by using a client SSL context by @daguimu in #16717
- Auto-port 4.1: Consolidate fake exceptions in HTTP/2 tests into Http2TestUtil by @netty-project-bot in #16725
- Auto-port 4.1: Activate noPrintGC by default by @netty-project-bot in #16735
- Merge commit from fork by @normanmaurer in #16742
New Contributors
Full Changelog: netty-4.1.132.Final...netty-4.1.133.Final
netty-4.2.12.Final
What's Changed
- Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by @chrisvest in #16550
Full Changelog: netty-4.2.11.Final...netty-4.2.12.Final
netty-4.2.11.Final
Security
- CVE-2026-33871, HTTP/2 CONTINUATION Frame Flood Denial of Service
- CVE-2026-33870, HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
What's Changed
- Update to latest JDK 26 EA release by @normanmaurer in #16230
- HTTP3: Allow to support non-standard HTTP3 settings by @normanmaurer in #16171
- Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR retry loop by @adwsingh in #16245
- Allocate one large segment and slice for each MsgHdrMemory by @dreamlike-ocean in #16234
- Make RefCntOpenSslContext.deallocate more robust by @chrisvest in #16253
- Epoll: Fix excessive CPU usage when Channel is only registered but no… by @normanmaurer in #16250
- Update to gcc for arm 10.3-2021.07 by @m1ngyuan in #16255
- Add acmeIdentifier extension support to pkitesting by @chrisvest in #16256
- Update JDK versions to latest patch releases by @m1ngyuan in #16254
- Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by @doom369 in #16241
- Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in #16269
- Revert "Automatic backporting workflow from 4.1 to 4.2" by @chrisvest in #16270
- HTTP2: Correctly account for padding when decompress by @normanmaurer in #16264
- Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in #16271
- Automatic backporting workflow from 4.1 to 4.2 by @chrisvest in #16273
- Backport PRs must be created with personal access tokens by @chrisvest in #16276
- Expose QuicSslContextBuilder::sni by @ZeroErrors in #16178
- Add more porting workflows by @chrisvest in #16275
- Add more porting workflows by @chrisvest in #16283
- Remove the unpooled allocator from test permutations by @chrisvest in #16282
- Some polishing of the porting workflows by @chrisvest in #16288
- Allow to set destination connection id when creating a client side QuicheChannel by @normanmaurer in #16286
- Update to latest JDK26 EA build by @normanmaurer in #16295
- Add javadoc to clarify responsibility of the user when generating the remote connection id by @normanmaurer in #16293
- Make the build run faster by @chrisvest in #16290
- Fix IDE warnings in SslHandler by @doom369 in #16237
- Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by @doom369 in #16242
- Support boringssl SSLCredential API by @jmcrawford45 in #15919
- Fix high-order bit aliasing in HttpUtil.validateToken by @furkanvarol in #16279
- Improve multi-byte access performance when UNALIGNED availability is unknown by @Songdoeon in #16207
- Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by @doom369 in #16278
- Support more branch freedom for auto-porting by @chrisvest in #16300
- fix: the precedence of + is higher than >> by @cuiweixie in #16312
- AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by @laosijikaichele in #16309
- Fix flaky PooledByteBufAllocatorTest by @chrisvest in #16313
- Fix pooled arena accounting tests by @chrisvest in #16321
- Fix RunInFastThreadLocalThreadExtension by @chrisvest in #16314
- AdaptivePoolingAllocator: call unreserveMatchingBuddy(...) if byteBuf initialization failed by @laosijikaichele in #16327
- Recycler should not use thread locals unless they get cleaned up by @chrisvest in #16315
- OpenSSL: Don't leak OpenSslKeyManagerProvider on exception by @normanmaurer in #16337
- IoUring: Only complete deregistration promise once we received all co… by @normanmaurer in #16330
- Mark LoggingHandlerTest with @isolated to fix flaky build by @normanmaurer in #16338
- Fix flaky HTTP/2 test by @chrisvest in #16342
- Fix HTTP/2 push frame test by @chrisvest in #16343
- Fix flaky RenegotiateTest by @chrisvest in #16351
- IoUring: Don't use RDHUP for non stream Channel implementations by @normanmaurer in #16345
- SSL test: Don't depend on property value in test by @normanmaurer in #16346
- Fix flaky AbstractSingleThreadEventLoopTest by @chrisvest in #16352
- Use headers.setInt() in HttpObjectAggregator instead of set() and use concrete version of String.valueOf in CharSequenceValueConverter by @doom369 in #16239
- IoUring: Fix buffer leak in DatagramChannel implementation when recv … by @normanmaurer in #16359
- Don't assume CertificateFactory is thread-safe by @chrisvest in #16350
- AdaptivePoolingAllocator: assign a more explicit value to BuddyChunk.freeListCapacity by @laosijikaichele in #16334
- Fix leak in SniHandlerTest by @chrisvest in #16367
- Add more diagnostic points to PooledByteBufAllocatorTest.createNewThr… by @chrisvest in #16365
- Stabilize AbstractByteBufTest.testBytesInArrayMultipleThreads by @chrisvest in #16370
- Avoid unnecessary Long.toString() allocation in HttpObjectDecoder by @doom369 in #16344
- Remove reference counting from size classed chunks by @franz1981 in #16306
- Stabilize AbstractByteBufTest.testToStringMultipleThreads by @chrisvest in #16380
- Swap conditions to avoid native calls in ReferenceCountedOpenSslEngine.rejectRemoteInitiatedRenegotiation by @doom369 in #16389
- Remove duplicated contains calls in WebSockets by @doom369 in #16388
- IoUring: Reduce unnecessary io_uring_enter syscalls on non-blocking path by @dreamlike-ocean in #16259
- Fix NioIoHandlerTest on macOS by @chrisvest in #16396
- LocalChannel: Remove dependency on SingleThreadEventExecutor by @normanmaurer in #16393
- Fix autoport fetching into the existing branch by @chrisvest in #16403
- HTTP2: Pass the correct number of arguments when logging goaway by @normanmaurer in #16392
- Revert "Fix autoport fetching into the existing branch" by @chrisvest in #16410
- Fix HttpObjectAggregator leaving connection stuck after 413 with AUTO (#16280) by @chrisvest in #16401
- Fix autoport fetching into the existing branch - again by @chrisvest in #16411
- Fix typo in AbstractEpollChannel: 'inital' → 'initial' by @nikitanagar08 in #16415
- Capture why threads get stuck in testCopyMultipleThreads0 by @chrisvest in #16404
- Local transport: shutdown hook should call closeNow to be conistent with what LocalIoHandler will call by @normanmaurer in #16406
- Remove unnecessary array access in DefaultAttributeMap.orderedCopyOnInsert by @doom369 in #16386
- Whitelist JMH annotation processing in microbench module by @laosijikaichele in #16428
- Fire the QuicChannel datagram extension event before the channel becomes active by @vietj in #16425
- HTTP2: Ensure preface is flushed in all cases by @normanmaurer in #16407
- Support QuicheQuicSslEngine hostname identification algorithm. by @vietj in #16426
- Fix client_max_window_bits parameter handling in permessage-deflate extension by @nikitanagar08 in #16424
- Fix UnsupportedOperationException in readTrailingHeaders by @furkanvarol in #16412
- IoUring: Fix io_uring writev infinite loop on kernels without SENDMSG_ZC support by @dreamlike-ocean in #16438
- Kqueue: Correctly handle registrations by @normanmaurer in #16439
- Kqueue: C...
netty-4.1.132.Final
Security
- CVE-2026-33871, HTTP/2 CONTINUATION Frame Flood Denial of Service
- CVE-2026-33870, HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
What's Changed
- Fix Incorrect nanos-to-millis conversion in epoll_wait EINTR retry lo… by @normanmaurer in #16248
- Make RefCntOpenSslContext.deallocate more robust (#16253) by @normanmaurer in #16257
- Update to gcc for arm 10.3-2021.07 (#16255) by @normanmaurer in #16263
- HTTP2: Correctly account for padding when decompress by @normanmaurer in #16265
- Update JDK versions to latest patch releases (#16254) by @normanmaurer in #16267
- Backport 4.1: Automatic backporting workflow from 4.1 to 4.2 by @github-actions[bot] in #16274
- Backport 4.1: Backport PRs must be created with personal access tokens by @chrisvest in #16277
- Backport 4.1: Add more porting workflows by @netty-project-bot in #16284
- Backport 4.1: Some polishing of the porting workflows by @netty-project-bot in #16292
- Backport 4.1: Fix high-order bit aliasing in HttpUtil.validateToken by @netty-project-bot in #16303
- Auto-port 4.1: Support more branch freedom for auto-porting by @netty-project-bot in #16310
- fix: the precedence of + is higher than >> (#16312) by @chrisvest in #16316
- AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater th… by @chrisvest in #16320
- Auto-port 4.1: Fix flaky PooledByteBufAllocatorTest by @netty-project-bot in #16324
- Auto-port 4.1: Fix pooled arena accounting tests by @netty-project-bot in #16326
- Auto-port 4.1: Fix RunInFastThreadLocalThreadExtension by @netty-project-bot in #16328
- Auto-port 4.1: AdaptivePoolingAllocator: call unreserveMatchingBuddy(...) if byteBuf initialization failed by @netty-project-bot in #16331
- Auto-port 4.1: Mark LoggingHandlerTest with @isolated to fix flaky build by @netty-project-bot in #16340
- Auto-port 4.1: Fix flaky HTTP/2 test by @netty-project-bot in #16348
- Auto-port 4.1: Fix flaky RenegotiateTest by @netty-project-bot in #16355
- Auto-port 4.1: Fix HTTP/2 push frame test by @netty-project-bot in #16353
- SSL test: Don't depend on property value in test (#16346) by @normanmaurer in #16362
- Auto-port 4.1: Don't assume CertificateFactory is thread-safe by @netty-project-bot in #16364
- AdaptivePoolingAllocator: assign a more explicit value to BuddyChunk.freeListCapacity (#16334) by @chrisvest in #16368
- Auto-port 4.1: Add more diagnostic points to PooledByteBufAllocatorTest.createNewThr… by @netty-project-bot in #16372
- Fix leak in SniHandlerTest (#16367) by @normanmaurer in #16377
- Auto-port 4.1: Stabilize AbstractByteBufTest.testBytesInArrayMultipleThreads by @netty-project-bot in #16373
- Remove reference counting from size classed chunks (#16306) by @chrisvest in #16379
- Auto-port 4.1: Stabilize AbstractByteBufTest.testToStringMultipleThreads by @netty-project-bot in #16384
- Fix HttpObjectAggregator leaving connection stuck after 413 with AUTO… by @samlandfried in #16280
- Auto-port 4.1: Fix autoport fetching into the existing branch - again by @netty-project-bot in #16417
- Auto-port 4.1: Capture why threads get stuck in testCopyMultipleThreads0 by @netty-project-bot in #16419
- Auto-port 4.1: Remove unnecessary array access in DefaultAttributeMap.orderedCopyOnInsert by @netty-project-bot in #16421
- Auto-port 4.1: Whitelist JMH annotation processing in microbench module by @netty-project-bot in #16430
- Auto-port 4.1: HTTP2: Ensure preface is flushed in all cases by @netty-project-bot in #16432
- Auto-port 4.1: Fix UnsupportedOperationException in readTrailingHeaders by @netty-project-bot in #16437
- Auto-port 4.1: Fix client_max_window_bits parameter handling in permessage-deflate extension by @netty-project-bot in #16435
- Auto-port 4.1: Native transports: Fix possible fd leak when fcntl fails. by @netty-project-bot in #16446
- Auto-port 4.1: Kqueue: Fix undefined behaviour when GetStringUTFChars fails and SO_ACCEPTFILTER is supported by @netty-project-bot in #16448
- Auto-port 4.1: Kqueue: Possible overflow when using netty_kqueue_bsdsocket_setAcceptFilter(...) by @netty-project-bot in #16459
- Auto-port 4.1: Native transports: Fix undefined behaviour when GetStringUTFChars fails while open FD by @netty-project-bot in #16456
- Auto-port 4.1: Epoll: Add null checks for safety reasons by @netty-project-bot in #16463
- Auto-port 4.1: DnsNameResolver: Skip test if we can not bind TCP and UDP to the same port by @netty-project-bot in #16464
- Auto-port 4.1: Epoll: Use correct value to initialize mmsghdr.msg_namelen by @netty-project-bot in #16467
- Auto-port 4.1: Epoll: Fix support for IP_RECVORIGDSTADDR by @netty-project-bot in #16468
- Auto-port 4.1: AdaptivePoolingAllocator: remove ensureAccessible() call in capacity(int) method by @netty-project-bot in #16475
- Auto-port 4.1: AdaptivePoolingAllocator: Fix assertion for size class multiple of 32 by @netty-project-bot in #16497
- Epoll: setTcpMg5Sig(...) might overflow (#16511) by @normanmaurer in #16520
- Auto-port 4.1: JdkZlibDecoder: accumulate decompressed output before firing channelRead by @netty-project-bot in #16532
- Limit the number of Continuation frames per HTTP2 Headers by @normanmaurer in #13969
- Stricter HTTP/1.1 chunk extension parsing by @chrisvest in #16537
New Contributors
- @github-actions[bot] made their first contribution in #16274
- @samlandfried made their first contribution in #16280
Full Changelog: netty-4.1.131.Final...netty-4.1.132.Final