I am happy to announce the release of Netty 4.1.61.Final, which besides fixing various bugs also contains a security fix that may affect you if you use the codec-http2
package and proxy HTTP/2 to HTTP/1.1. This fix is a follow-up to the previous fix made as part of CVE-2021-21295, as we missed one case.
For more details about the impact of the CVE (CVE-2021-21409), check the Security Advisory.
The most important changes are:
- Validate Content-Length header in HTTP/2 decoder (CVE-2021-21409)
- Add support for UDP_GRO (#11120)
- DefaultThreadFactory must not use Thread.currentThread() when constructed without ThreadGroup (#11119)
- Let’s use gcc10 when cross-compiling for LSE support (#11112)
- Allow to have an empty path when converting a CONNECT request (#11108)
- Ensure we can correctly propagate exceptions to streams even if endStream flag is set (#11105)
- Do not send GOAWAY frame before connection preface (#11107)
- Continue reading when the number of bytes is less than the configured number of bytes when using DatagramChannels (#11089)
- Allow to configure the maximum number of messages to write per eventloop (#11086)
- SslHandler flushing with TCP Fast Open fix (#11077)
- Also support CompositeByteBuf with SegmentedDatagramPacket (#11081)
- Return correct result for Futures that are returned from UnorderedThreadPoolExecutor (#11074)
- Fix alignment handling for pooled direct buffers (#11106)
For the details and all changes, please browse our issue tracker for 4.1.61.Final.
Important notes
CVE-2021-21409 – request smuggling
This release fixes a possible security problem which may have allowed request smuggling; check the Security Advisory for more details.
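The kind of Content-Length validation this fix concerns, as an added example that is not Netty's own code: a per-stream check that compares the declared length with the DATA payload actually received before a request is forwarded to an HTTP/1.1 backend, including a stream that ends on its HEADERS frame. The class and method names are hypothetical, and the inputs in `main` are constructed.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration, not Netty's implementation; all names are hypothetical.
public final class Http2ContentLengthCheck {
    private final long expected; // -1 when the request has no content-length
    private long seen;           // DATA payload bytes received so far

    // Call when the request HEADERS frame arrives.
    public Http2ContentLengthCheck(List<String> contentLengthValues, boolean endStream) {
        expected = parse(contentLengthValues);
        // A stream that ends on HEADERS has no body, so a non-zero declared
        // length is already a mismatch and must not reach the HTTP/1.1 side.
        if (endStream) verifyComplete();
    }

    // Call for every DATA frame of the stream.
    public void onData(int payloadBytes, boolean endStream) {
        seen += payloadBytes;
        if (expected >= 0 && seen > expected)
            throw new IllegalStateException("body longer than content-length");
        if (endStream) verifyComplete();
    }

    private void verifyComplete() {
        if (expected >= 0 && seen != expected)
            throw new IllegalStateException("content-length " + expected + " but body was " + seen);
    }

    private static long parse(List<String> values) {
        long result = -1;
        for (String v : values) {
            String t = v.trim();
            if (t.isEmpty() || !t.chars().allMatch(c -> c >= '0' && c <= '9'))
                throw new IllegalArgumentException("invalid content-length: " + v);
            long n = Long.parseLong(t); // overflow raises NumberFormatException
            if (result >= 0 && result != n)
                throw new IllegalArgumentException("conflicting content-length values");
            result = n;
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed inputs: one consistent request, one that ends on HEADERS.
        new Http2ContentLengthCheck(Arrays.asList("5"), false).onData(5, true);
        try {
            new Http2ContentLengthCheck(Arrays.asList("5"), true);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```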
GRO support for EpollDatagramChannel
This release also adds support for GRO (UDP_SEGMENT) when using the native EpollDatagramChannel and running on a system with a recent enough kernel. You can make use of this by using the EpollChannelOption.UDP_GRO option.
For more detail on GRO please read the LWN article which explains how this can be used to maximize performance when using QUIC.
LSE support for AARCH64
This release switched to GCC10 for cross-compiling, which enables the use of LSE when running on AARCH64. Using LSE can have a huge performance impact. For more details please read the MySQL on ARM blogpost.
Thank You
Every idea and bug-report counts and so we thought it is worth mentioning those who helped in this area.
Please report an unintended omission.
- @alalag1
- @Bennett-Lynch
- @carl-mastrangelo
- @chrisvest
- @doom369
- @ejona86
- @elharo
- @idelpivnitskiy
- @meshcow
- @normanmaurer
- @Scottmitch
- @stuartwdouglas
Reposted from https://netty.io/news/2021/03/30/4-1-61-Final.html