netty-4.1.135.Final
Security fixes
- CVE-2026-48059: memory exhaustion in
io.netty:netty-codec-haproxy(high). - CVE-2026-47691: DNS cache poisoning in
io.netty:netty-resolver-dns(high). - CVE-2026-50560: DDoS in
io.netty:netty-codec-http2. - CVE-2026-50011: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-44250: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-44890: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-44249: IPv6 subnet filter bypass in
io.netty:netty-handler(high). - CVE-2026-50020: request smuggling in
io.netty:netty-codec-http. - CVE-2026-44893: memory leak in
io.netty:netty-codec-haproxy(high). - CVE-2026-50010: TLS hostname verification accidentally disabled in
io.netty:netty-handler(high). - CVE-2026-45673: DNS cache poisoning in
io.netty:netty-resolver-dns. - CVE-2026-45416: excessive memory usage from SNIHandler in
io.netty:netty-handler(high). - CVE-2026-45536: file descriptor leak in
io.netty:netty-transport-native-epollandio.netty:netty-transport-native-kqueue. - CVE-2026-45674: DNS cache poisoning in
io.netty:netty-resolver-dns(high). - CVE-2026-46340: memory exhaustion in
io.netty:netty-transport-sctp(high). - CVE-2026-47244: denial of service in
io.netty:netty-codec-http2. - CVE-2026-48006: memory exhaustion in
io.netty:netty-codec-redis(high). - CVE-2026-48043: memory exhaustion in
io.netty:netty-codec-http2.
What's Changed
- Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in #16834
- ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in #16847
- HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in #16856
- HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in #16861
- IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in #16860
- Configurable bound on RedisArrayAggregator by @normanmaurer in #16858
- Redis: Limit decoded length by @normanmaurer in #16859
- DNS: Ensure query id is not predictible by @normanmaurer in #16870
- Wrapping plain trust manager silently disables hostname verification by @normanmaurer in #16868
- MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in #16852
- Fix revapi warnings (#16885) by @chrisvest in #16892
- HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in #16866
- SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in #16871
- DNS: Only cache CNAME if part of the queried domain by @normanmaurer in #16873
- HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in #16876
- Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in #16877
- HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in #16880
- Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in #16886
- HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in #16883
- Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in #16894
- HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in #16881
- Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in #16872
- SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in #16875
- Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in #16878
- Redis: Limit the maximum number of nested arrays by @normanmaurer in #16882
Full Changelog: netty-4.1.134.Final...netty-4.1.135.Final