java-packages/netty
SHA256
6
0
Fork 0
forked from pool/netty
Code Pull Requests Activity
Files
main
netty/netty.changes
Fridrich Štrba 0ccd0c3038 4.1.124
2025-08-22 08:14:12 +02:00

991 lines
44 KiB
Plaintext
Raw Permalink Blame History

-------------------------------------------------------------------
Fri Aug 22 05:25:09 UTC 2025 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 4.1.124
* Fixes
+ MadeYouReset HTTP/2 DDoS vulnerability
(CVE-2025-55163, bsc#1247991)
+ Fix NPE and AssertionErrors when many tasks are scheduled and
cancelled
+ HTTP2: Http2ConnectionHandler should always use
Http2ConnectionEncoder
+ Epoll: Correctly handle UDP packets with source port of 0
+ Fix netty-common OSGi Import-Package header
+ MqttConnectPayload.toString() includes password
- Modified patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
* 0004-Disable-Brotli-and-ZStd-compression.patch
+ rediff
-------------------------------------------------------------------
Thu Jul 24 18:11:55 UTC 2025 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upsteam version 4.1.123
* Fixes
+ Fix chunk reuse bug in adaptive allocator
+ More accurate adaptive memory usage accounting
+ Introduce size-classes for the adaptive allocator
+ Reduce magazine proliferation eagerness
+ Fix concurrent ByteBuffer access issue in
AdaptiveByteBuf.getBytes
+ Fix possible buffer corruption caused by incorrect
setCharSequence(...) implementation
+ AdaptiveByteBuf: Fix AdaptiveByteBuf.maxFastWritableBytes()
to take writerIndex() into account
+ Optimize capacity bumping for adaptive ByteBufs
+ AbstractDnsRecord: equals() and hashCode() to ignore name
field's case
+ Backport Unsafe guards
+ Guard recomputed offset access with hasUnsafe
+ HTTP2: Always produce a RST frame on stream exception
+ Correct what artifacts included in netty-bom
- Modified patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
* 0004-Disable-Brotli-and-ZStd-compression.patch
+ rediff
-------------------------------------------------------------------
Mon Jun 9 10:45:10 UTC 2025 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 4.1.122
* Fixes of 4.1.122
+ DirContextUtils.addNameServer(...) should just catch Exception
internally
+ Make public API specify explicit maxAllocation to prevent OOM
+ Fix concurrent ByteBuf write access bug in adaptive allocator
+ Fix transport-native-kqueue Bundle-SymbolicNames
+ Fix resolver-dns-native-macos Bundle-SymbolicNames
+ Always correctly calculate the memory address of the ByteBuf
even if sun.misc.Unsafe is not usable
+ Upgrade lz4 dependencies as the old version did not correctly
handle ByteBuffer that have an arrayOffset > 0
+ Optimize ByteBuf.setCharSequence for adaptive allocator
+ Kqueue: Fix registration failure when fd is reused
+ Make JdkZlibEncoder accept Deflater.DEFAULT_COMPRESSION as
level
+ Ensure OpenSsl.availableJavaCipherSuites does not contain null
values
+ Always prefer direct buffers for pooled allocators if not
explicit disabled
+ Update to netty-tcnative 2.0.72.Final
+ Re-enable sun.misc.Unsafe by default on Java 24+
+ Kqueue: Delay removal from registration map to fix noisy
warnings
* Fixes of 4.1.121
+ Epoll.isAvailable() returns false on Ubuntu 20.04/22.04 arch
amd64
+ Fix transport-native-epoll Bundle-SymbolicNames
* Fixes of 4.1.120
+ Fix flawed termination condition check in
HttpPostRequestEncoder#encodeNextChunkUrlEncoded(int) for
current InterfaceHttpData
+ Exposed decoderEnforceMaxConsecutiveEmptyDataFrames and
decoderEnforceMaxRstFramesPerWindow
+ ThreadExecutorMap must restore old EventExecutor
+ Make Recycler virtual thread friendly
+ Disable sun.misc.Unsafe by default on Java 24+
+ Adaptive: Correctly enforce leak detection when using
AdaptiveByteBufAllocator
+ Add suppressed exception to original cause when calling
Future.sync*
+ Add SETTINGS_ENABLE_CONNECT_PROTOCOL to the default HTTP/2
settings
+ Correct computation for suboptimal chunk retirement
probability
+ Fix bug in method
AdaptivePoolingAllocator.allocateWithoutLock(...)
+ Fix a Bytebuf leak in TcpDnsQueryDecoder
+ SSL: Clear native error if named group is not supported
+ WebSocketClientCompressionHandler shouldn't claim window bits
support when jzlib is not available
+ Fix the assignment error of maxQoS parameter in ConnAck
Properties
* Fixes of 4.1.119
+ Replace SSL assertion with explicit record length check
+ Fix NPE when upgrade message fails to aggregate
+ SslHandler: Fix possible NPE when executor is used for
delegating
+ Consistently add channel info in HTTP/2 logs
+ Add QueryStringDecoder option to leave '+' alone
+ Use initialized BouncyCastle providers when available
- Modified patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0004-Disable-Brotli-and-ZStd-compression.patch
+ rediff
-------------------------------------------------------------------
Thu Mar 27 22:03:11 UTC 2025 - Fridrich Strba <fstrba@suse.com>
- Fix pom.xml errors that will be fatal with Maven 4
-------------------------------------------------------------------
Tue Feb 11 14:38:06 UTC 2025 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 4.1.118
* Fixes of 4.1.118
+ SslHandler doesn't correctly validate packets which can lead
to native crash when using native SSLEngine (bsc#1237037,
CVE-2025-24970)
+ Denial of Service attack on windows app using Netty, again
(bsc#1237038, CVE-2025-25193)
+ Upgrade netty-tcnative to 2.0.70.Final
+ Fix recycling in CodecOutputList
+ Allocate bytebuf without magazine lock when threads get
collisions
+ Make StreamBufferingEncoder not send header frame with
priority by default
+ Notify event loop termination future of unexpected exceptions
+ KQueueEventLoop leaks memory on shutdown
+ Fix AccessControlException in GlobalEventExecutor
+ Fix possible buffer leak when stream can't be mapped
+ AdaptivePoolingAllocator: Round chunk sizes up to
MIN_CHUNK_SIZE units and reduce chunk release frequency
* Fixes of 4.1.117
+ Fix classloader leaks in GlobalEventExecuto
+ Support BouncyCastle FIPS for reading PEM files
+ Dns: Correctly encode DnsPtrRecord
+ Provides Brotli settings without com.aayushatharva.brotli4j
dependency
+ Make DefaultResourceLeak more resilient against OOM
+ OpenSslSession: Add support to defensively check for peer
certs
+ Reentrant close in EmbeddedChannel
+ SslHandler: Ensure buffers are never leaked when wrap(...)
produce SSLException
+ Adaptive: Only use ThreadLocal if called from
FastThreadLocalThread in case of temporary byte[] allocation
+ Correcly handle comments appended to nameserver declarations
* Fixes of 4.1.116
+ PcapWriteHandler no longer ignores writePcapGlobalHeader
+ Allow PcapWriteHandler to output PCAP files larger than 2GB
+ Fix bugs in BoundedInputStream
+ AdaptiveByteBufAllocator will not use threadlocal magazine if
FastThreadLocalThread.willCleanupFastThreadLocals() returns
false
+ Fix HTTP header validation bug
+ Add range check for
AdaptivePoolingAllocator.CENTRAL_QUEUE_CAPACITY and
MAGAZINE_BUFFER_QUEUE_CAPACITY
+ Fix possible race condition in method
AdaptivePoolingAllocator.offerToQueue(...)
+ Make sure the sentinel Magazine.MAGAZINE_FREED not be replaced
+ Decrease usedMemory of magazine when the chunk get deallocate
+ Only try to use Zstd and Brotli if we can load the native libs
+ AdaptiveByteBufAllocator: Correctly manage used memory
strategy in all cases
+ Bump BlockHound version to 1.0.10.RELEASE
+ Add details to TooLongFrameException message
+ Adapt: Only add Chunk to central Queue if unused
+ Adapt: Don't fail when we run on a host with 1 core
+ Adapt: Ensure Chunks from the central Queue are re-used even
if there are Magazine local cached Chunks
- Modified patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0004-Disable-Brotli-and-ZStd-compression.patch
+ rediff
-------------------------------------------------------------------
Thu Dec 5 12:48:41 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 4.1.115
* Fixes:
+ Allow MessageToMessageDecoder to take care of reading more
data when needed
+ Fix SSL session resumption with ClientAuth.OPTIONAL and add
tests with session tickets
+ Fix incorrect cast in NioDomainSocketChannel.parent()
+ Fix bug where SslHandler may stall after TLSv1.3 handshake
with delegate tasks
+ AdaptiveByteBufAllocator: Make pooling of AdaptiveByteBuf
magazine local
+ Specialize Adaptive's allocator Recycler based on magazine's
owner
+ Fix epoll_wait retry loop
+ Log / include the correct error during handshake failure
+ Convey autoAckPing in http2 decoder constructor chain
+ Allow to set used named groups per OpenSslContext
+ Verify default named groups before using them with native SSL
implementation
+ Include details on why it was not possible to configure
accepted issuers in the SSLException
+ Correctly detect if KeyManager is not supported by OpenSSL
version
+ Preserve ordering of default named groups during conversation
+ Denial of Service attack on windows app using netty
(bsc#1233297, CVE-2024-47535)
- Split the netty-poms package in netty-parent and netty-bom
- Modified patch:
* 0001-Remove-optional-dep-Blockhound.patch
+ rediff
-------------------------------------------------------------------
Wed Nov 27 07:45:09 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Clean a bit the spec file and adapt to the recent changes in
netty-tcnative package
- Removed patches:
* 0005-Do-not-use-the-Graal-annotations.patch
* 0006-Do-not-use-the-Jetbrains-annotations.patch
+ remove the annotations with a macro in the jurand tool
* 0007-Do-not-require-the-tcnative-native-library.patch
+ we are building now the artifact, so we can require it
-------------------------------------------------------------------
Wed Oct 30 14:29:44 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 4.1.114
* Fixes of 4.1.114:
+ Validate HTTP Method
+ Release AdaptiveByteBuf when ownership could not be transfered
+ Make arenas reuse their last chunk more aggressively
+ Only add Magazine to Set if we can ensure its removed again
+ Ensure Chunk will not leak if init of AdaptiveByteBuf fails
for whatever reason
+ Correctly release one-off allocated chunks
+ Ensure pooled memory is released when
AdaptivePoolingAllocator is GC'ed
+ Slices / duplicates of AdaptiveByteBuf must not escape the
rootParent
+ Fix sizeBucket bug in AdaptivePoolingAllocator
+ AdaptiveByteBufAllocator: More strict reference counting for
chunks
+ Ensure we not store the DnsQueryContext for later removal when
we couldnt obtain a query id
+ Reduce memory fragmentation
+ Properly free magazine chunks and avoid orphaned magazines
+ Magazines must be freed under the expand lock
+ Release message before failing promise when multiple requests
are written while upgrade is in progress.
+ Allow to reuse more then one session per host / port mapping
+ Ensure writes will not fail when triggered after receiving
UpgradeEvent.UPGRADE_SUCCESSFUL
+ Refactor DnsNameResolver to be able to use different
strategies when it comes to creating Channels for queries.
+ DnsNameResolver: allow users to skip bind() during bootstrap
+ DnsResolverBuilder methods should make it clear that these are
for DatagramChannel
* Fixes of 4.1.113:
+ feat: Support for IP_BIND_ADDRESS_NO_PORT socket option
+ Ensure AbstractCoalescingBufferQueue does not end up in
inconsistent state on error
+ Add new SslHandler.isEncrypted(...) variant that will not
produce false positives
+ Ensure flushes are not discarded by ChunkedWriteHandler for
passed through messages
+ Remove reference to parent in recycled buffers for leak
detection
+ Upgrade to netty-tcnative 2.0.66.Final
+ Cleanup fields on AdaptiveByteBuf::deallocate
* Fixes of 4.1.112:
+ Avoid unnecessary reflective probes on netty initialization
+ Allow control frames between fragments
+ Only delete the socket file for NioServerDomainSocketChannel
+ Add check for IPv6 brackets when address is unresolved
+ fix ResolvConf initialization with SecurityManager enabled
+ Fix potential DNS cache invalidation in
ResolveWithDotSearchDomain scenario
+ Backport the SslContextBuilder.endpointIdentificationAlgorithm
method
+ Aggressively remove PoolThreadCache references from its
finalizer object
+ Send Http2PriorityFrame through fireUserEventTriggered for
Http2MultiplexHandler
+ Fix potential DNS cache invalidation across different
EventLoops
+ Reject http header values with non SP / HTAB chars
+ Don't strip whitespaces from header names and let the
validator handle it
+ Reject request if NUL is present in the request line
+ Allow HTTP responses without reason-phrase
+ Validate HTTP version while decoding
+ Only include scopeId on link-local addresses when using native
transport
* Fixes of 4.1.111:
+ ReadOnlyByteBufferBuf | ReadOnlyUnsafeDirectByteBuf get, copy,
duplicate, slice methods should be safe to be called from
multiple threads
+ ReadyOnlyBuf must return false for isWritable() when sliced or
duplicated
+ ReadOnlyByteBuf (and sub-classes) does not create derived
buffers that share reference count
+ ByteBuf.asReadOnly().nioBuffer*() need to return read-only
ByteBuffer
+ Remove unwanted mandatory dependency in OSGi
+ HashedWheelTimer.stop() must cancel tasks
+ ZSTD decompression not resilient to compression bombs
+ Duplicate of slice should have the same capacity as the
original slice so that it's not writable
+ Optimize wrap buffer cumulation in SslHandler and don't mutate
input buffers
+ Prepare for unsafe memory access deprecated for removal
+ Fix AdaptiveByteBufAllocator class loading on Java 6/7
+ Add missing NULL checks in native code
* Fixes of 4.1.110:
+ Add unix domain socket transport in netty 4.x via JDK16+
+ Backport #13075: Add the AdaptivePoolingAllocator
+ Add no-value key handling only for form body
+ Add support for specifying SecureRandom in SSLContext
initialization
* Fixes of 4.1.109:
+ Utilize ByteBuf#indexOf
+ Don't send a RST frame when closing the stream in a write
future while processing inbound frames
+ Fix DefaultChannelId#asLongText NPE
+ Fix voidPromise in Http2FrameCodec.writeHeadersFrame
+ Make /etc/resolv.conf reading more robust
+ Fix NioSocketChannel usage in graalvm native-image
+ Improve ByteBufUtil#firstIndexOf
+ Rewrite ZstdDecoder to remove the need of allocate a huge
byte[] internally
+ Always log registered/detected ChannelInitializerExtension(s)
at INFO level
+ Enhance AsciiString#toLowerCase and AsciiString#toUpperCase
+ Add support for zstd http content decompression
+ Save Snappy's encode tmp table allocation
- Regenerated patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
* 0004-Disable-Brotli-and-ZStd-compression.patch
* 0005-Do-not-use-the-Graal-annotations.patch
* 0006-Do-not-use-the-Jetbrains-annotations.patch
* 0007-Do-not-require-the-tcnative-native-library.patch
-------------------------------------------------------------------
Tue Sep 24 22:27:37 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
- Add reproducible.patch to omit the mtime from libnetty-unix-common.a
for reproducible builds (boo#1047218)
-------------------------------------------------------------------
Wed Mar 27 13:17:21 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 4.1.108
* Fixes of 4.1.108:
+ HttpPostRequestDecoder can OOM (bsc#1222045, CVE-2024-29025)
+ Add zstd decoder
+ Updated HTTP2 Reader to fix missing header state
+ codec-http2: fix some frame validation errors
+ SSL: Only wrap TrustManager if FIPS is not used
+ Epoll: Correctly handle splice tasks when Channel is closed
+ Allow to cancel connect() operations when using non-blocking
IO
+ DNS resolver final CNAME lookup disabled
+ DNS: Add DnsRecordType definitions for SVCB and HTTPS
+ SSL: Only try to use TLSv1.3 if a compatible ciphersuite is
configured
+ Backport 'Fix buffer leak in DefaultHttp2HeadersEncoder' to v4
+ SSL: Hold the right monitor while running delegating task
+ SSL: Execute SSL_do_handshake(...) after task is run to ensure
SSLEngine.getHandshakeStatus() returns the correct value all
the time
+ Add active flag to EpollServerDomainSocketChannel fd
constructor
+ Epoll: Fix possible Classloader deadlock caused by loading
class via JNI
+ Prefer /etc/resolv.conf on Linux and Mac
+ Handle invalid cookie value
+ Upgrade to latest tcnative release
+ ByteToMessageDecoder.channelReadComplete(...) does call read()
too often
+ Remove the lock usage in PoolArena#numPinnedBytes()
+ Fix x-www-form-urlencoded parsing for no-value key
(re-submission)
* Fixes of 4.1.107:
+ Speedup pseudoheader lookup
+ Add support for the Partitioned attribute in cookies
+ Reduce HTTP 1.1 Full msg pipeline traversals
+ DnsNameResolver: Add DnsQueryIdSpace class to reduce overhead
while generating IDs
+ Fix copy-paste mistake in
LazyX509Certificate.getIssuerAlternativeNames()
+ HTTP2: lastStreamCreated() does return the wrong value when
all stream ids were used
+ HTTP2: Update local window should not fail queued frames
+ DnsNameResolver: Allways call bind() during bootstrap
+ HTTP: HttpObjectDecoder must not use HTTPMessage once it is
passed to the next handler in the ChannelPipeline
+ Ensure key / values are shared between resumed sessions
+ SSLSession.getLastAccessedTime() and getCreationTime() should
not be equal when session is reused
+ Snappy: Use unsigned short to handle 2 ^ 16 input size instead
of 2 ^ 15
* Fixes of 4.1.106:
+ HTTP2: Prevent sharing the index of the continuation frame
header ByteBuf.
+ DnsNameResolver: Fail query if id space is exhausted
+ Short-circuit ByteBuf::release
* Fixes of 4.1.105:
+ Fix exception on HTTP chunk size overflow
+ Default value of MAX_MESSAGES_PER_READ not used for native
DatagramChannels
+ Redo fix scalability issue due to checkcast on context's
invoke operations
+ Be able to retry the query via TCP if a query failed because
of a timeout
+ Save HTTP 2 pseudo-header lower-case validation
+ DnsNameResolver: Limit connect timeout to query timeout
+ h2: propagate stream close without read pending, avoid SOOE
if !autoRead
* Fixes of 4.1.104:
+ dyld: Symbol not found: _netty_jni_util_JNI_OnLoad
* Fixes of 4.1.103:
+ Workaround for regex bug in Android SDK
+ Use Http2Headers.size() instead of isEmpty()
+ Add support for RISC-V
* Fixes of 4.1.101:
+ Add service-loaded extension points for channel initialization
+ Added check for pseudo-headers in trailers
+ Automatically close Http2StreamChannel when
Http2FrameStreamExceptionreaches end ofChannelPipeline
+ Throwing a stackless exception if RST_FRAME rate is exceeded
+ Only enable the RST limit for servers by default
+ Change default value of MAX_MESSAGES_PER_READ for
DatagramChannel implementations
+ Descriptive message for errors related to unknown http2
streams
- Modified patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
* 0004-Disable-Brotli-and-ZStd-compression.patch
* 0005-Do-not-use-the-Graal-annotations.patch
* 0006-Do-not-use-the-Jetbrains-annotations.patch
* 0007-Do-not-require-the-tcnative-native-library.patch
+ rebase
-------------------------------------------------------------------
Wed Feb 21 10:52:04 UTC 2024 - Gus Kenion <gus.kenion@suse.com>
- Use %patch -P N instead of deprecated %patchN.
-------------------------------------------------------------------
Thu Oct 12 15:12:00 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 4.1.100
* Fixes of 4.1.100:
+ DDoS vector in the HTTP/2 protocol due RST frames
(bsc#1216169, CVE-2023-44487)
+ Do not fail when compressing empty HttpContent
* Fixes of 4.1.99:
+ Do not try to delete a global handle with the local handles
APIs
+ Enable build with JDK21
+ dyld: lazy symbol binding failed: Symbol not found:
_netty_jni_util_JNI_OnLoad
* Fixes of 4.1.98:
+ Revert "HttpHeaderValidationUtil should reject chars past the
1 byte range"
+ Filter out unresolved addresses when parsing resolv.conf
+ Prevent classloader leak via JNI
+ SSLSession.getPeerCertificateChain() should throw
UnsupportedOperationException if javax.security.cert
.X509Certificate can not be created
+ Enable client side session cache when using native SSL by
default
* Fixes of 4.1.97:
+ Fixing AsciiString#lastIndexOf To Respect The offset
+ Add support for snappy http2 content decompression
+ Add support for password-based encryption scheme 2 params
+ HttpHeaderValidationUtil should reject chars past the 1 byte
range
+ Honor SslHandler.setWrapDataSize greater than SSL packet
length
+ Add support for snappy http content encoding
* Fixes of 4.1.96:
+ Move the PoolThreadCache finalizer to a separate object
+ Fix kevent(..) failed: Invalid argument
+ Revert "Always increment Stream Id on createStream" to fix bug
which caused sending multiple RST frames for the same id
* Fixes of 4.1.95
+ Add resource leak listener
+ Reduce object allocations during SslHandler.flush(...)
+ Ensure ByteBuf.capacity(...) will never throw AssertionError
+ Make transport.Bootstrap usable with no netty-resolver on
classpath
+ Correctly retain slice when calling
ReplayingDecoderByteBuf.retainedSlice(...)
+ Always increment Stream Id on createStream(...)
+ Fix BrotliEncoder bug that does not mark ByteBuf it encodes a
read
+ Enhance CertificateException message when throw due hostname
validation
- Rebased patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
* 0004-Disable-Brotli-and-ZStd-compression.patch
* 0005-Do-not-use-the-Graal-annotations.patch
* 0006-Do-not-use-the-Jetbrains-annotations.patch
* 0007-Do-not-require-the-tcnative-native-library.patch
-------------------------------------------------------------------
Wed Sep 13 04:55:29 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Reproducible builds: use SOURCE_DATE_EPOCH for timestamp
-------------------------------------------------------------------
Fri Jun 23 08:44:41 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 4.1.94
* Fixes of 4.1.94:
+ Respect offset in
io.netty.util.NetUtil#toAddressString(byte[], int, boolean)
+ Skip finalization for PoolThreadCache instances without
small/normal caches
+ Use network byte order when encoding ipv4 address and port
for Socks codecs
+ Call ReleaseByteArrayElements even when handling of
socket_path fails to fix small mem leak
+ Always enable leak tracking for derived buffers if parent is
tracked
+ Release DnsRecords when failing to notify promise
+ Delay possibility to reuse transaction id when query is
failing because of timeout or cancellation
+ Implement contains for SelectedSelectionKeySet
+ Use Two-Way for finding the delimiter in
DelimiterBasedFrameDecoder
+ Obtain the local address from the fd when the client connects
only with remote address (UDS)
+ Allow to limit the maximum lenght of the ClientHello
(bsc#1212637, CVE-2023-34462)
* Fixes of 4.1.93:
+ Reset byte buffer in loop for AbstractDiskHttpData.setContent
+ OpenSSL MAX_CERTIFICATE_LIST_BYTES option supported
+ Adapt to DirectByteBuffer constructor in Java 21
+ HTTP/2 encoder: allow HEADER_TABLE_SIZE greater than
Integer.MAX_VALUE
+ Upgrade to latest netty-tcnative to fix memory leak
+ H2/H2C server stream channels deactivated while write still
in progress
+ Channel#bytesBefore(un)writable off by 1
+ HTTP/2 should forward shutdown user events to active streams
+ Respect the number of bytes read per datagram when using
recvmmsg
* Fixes of 4.1.92:
+ Make Recycler faster on OpenJ9
+ Allow to change the limit for the maximum size of the
certificate chain.
+ Guard against unbounded grow of suppressed exceptions storage
+ Release websocket handshake response if pipeline checks fail
+ Add support for local and remote addresses on the server for
child channels when UDS
+ Http types slow path checks
* Fixes of 4.1.91:
+ Fire a PrematureChannelClosureException when Channel is closed
while aggregating is still in progress
+ Connect without password if server returns NO_AUTH when using
Socks5
+ Use optional resolution of sun.net.dns
+ Introduce Http2MultiplexActiveStreamsException that can be
used to propagate an error to all active streams
+ Use the correct error when reset a stream
+ Update: Add snappy support on HttpContentDecoder
+ Don't unwrap multiple records until we notified the caller
about the finished handshake
+ Handle EHOSTUNREACH errors in io.netty.channel.unix.Errors
- Depend on netty-tcnative >= 2.0.60 for SSLContext.setMaxCertList
method.
- Rebased patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
* 0004-Disable-Brotli-and-ZStd-compression.patch
* 0005-Do-not-use-the-Graal-annotations.patch
* 0006-Do-not-use-the-Jetbrains-annotations.patch
* 0007-Do-not-require-the-tcnative-native-library.patch
-------------------------------------------------------------------
Thu Mar 30 16:49:51 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream version 4.1.90
* Fixes of 4.1.90:
+ Adding header name of the header which failed validation
+ Fix HttpHeaders.names for non-String headers
+ Save expensive volatile operations in the common hot http
decoder path
+ Avoid slow type checks against promises on outbound buffer's
progress
+ Implement NonStickyEventExecutorGroup.inEventLoop
+ Native image: add support for unix domain sockets
+ Use MacOS SDK 10.9 to prevent apple notarization failures
+ Increase errno cache and guard against IOOBE
+ Don't reset BCSSLParameters when setting application protocols
+ WebSocketClientProtocolHandler: add option to disable UTF8
validation
+ Chunked HTTP length decoding should account for
whitespaces/ctrl chars
+ Handle NullPointerException thrown from
NetworkInterface.getNetworkInterfaces()
* Fixes of 4.1.89:
+ Don't fail on HttpObjectDecoder's maxHeaderSize greater then
(Integer.MAX_VALUE - 2)
+ dyld: Symbol not found: _netty_jni_util_JNI_OnLoad when
upgrading from 4.1.87.Final to 4.1.88.Final
* Fixes of 4.1.88:
+ Speed-up HTTP 1.1 header and line parsing
+ Add StacklessSSLHandshakeException for ClosedChannelException
+ Modify changed CloseWebSocketFrame#statusCode() to change the
fetch code to unsigned
+ Check if CommandLineTools are installed before trying to
execute install_name_tool
+ Allow to adjust the GlobalEventExecutor quietPeriod via a
system property
+ Add SslProvider.isOptionSupported(...)
+ Fix FlowControlHandler's behaviour to pass read events when
auto-reading is turned off
+ Ensure Http2StreamFrameToHttpObjectCodec#decode doesn't add
transfer-encoding for 204/304 response
+ Only do extra CNAME query if we couldnt follow the whole CNAME
chain in the response
+ Include query id when a query failed
+ DnsResolveContext: include expected record types in exception
message
+ Add necessary native-image configuration files for epoll
+ Create a deep-copy of the Throwable before returning it from
the cache to prevent possible leaks
+ Always respect completeOncePreferredResolved in
DnsNameResolver
+ fix brotli compression
+ Optionally depend on bctls-jdk15on
+ Make releasing objects back to Recycler faster
+ Correctly keep track of validExtensions per request / response
+ Add handling of inflight lookups to reduce real queries when
lookup same hostname
+ DnsQueryContext: include query id and question info in
exception message
+ AsciiStrings can be batch-encoded
* Fixes of 4.1.87:
+ Upgrade to latest netty-tcnative release which doesnt link
libcrypt
+ Add recvmmsg & sendmmsg syscall number for loongarch64
+ Return correct value from SSLSession.getPacketSize() when
using native SSL implementation
+ Explicit disable TLSv1.3 in the OpenSSL options if not
supported
+ Support handshake timeout in SniHandler.
+ Extend DNS address supplier interface to provide feedback
* Fixes of 4.1.86:
+ HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360,
CVE-2022-41881)
+ HTTP Response splitting from assigning header value iterator
(bsc#1206379, CVE-2022-41915)
+ Revert #12888 for potential task scheduling problems in
HashedWheelTimer
+ Deprecate ObjectEncoder/ObjectDecoder
+ HPACK dynamic table size update must happen at the beginning
of the header block
* Fixes of 4.1.85:
+ A bug in FlowControlHandler that broke auto-read has been
fixed
+ The HTTP/2 HPACK encoder is now faster at encoding headers
that have many values
+ A potential memory leak bug has been fixed in the pooled
allocator
+ Fix an issue with the Blockhound integration, which could
cause the MacOSDnsServerAddressStreamProvider to be flagged
as making blocking calls
+ Inconsitencies in how epoll, kqueue, and NIO handle RDHUP have
been fixed
+ ByteToMessageDecoder now handle situations where the same
ByteBuf instance is read multiple times
+ The check that ensures the HTTP/1 Content-Length header is
unique, now no longer causes headers to be rearranged (change
their order)
+ Fix a NullPointerException bug with class initialisation order
between InternalLogger and InternalThreadLocalMap
+ When the netty-resolver-dns-native-macos classes can't load
their native bindings, they now only print a short error
message instead of the huge stack trace it printed previously.
The stack trace is still included if DEBUG logging is enabled
+ The Graal native-image meta-data is now placed in the
recommended location, and no longer causes warnings to be
printed
+ The HTTP/1 and HTTP/2 codecs now properly support RFC 8297
Early Hints
+ Subclasses of FastThreadLocalThread can now tell the Netty
Blockhound integration that they should be allowed to make
blocking calls
+ Validation of HTTP/2 connection headers have been moved from
Http2Headers to HpackDecoder, so that outgoing headers are
not validated
* Fixes of 4.1.84:
+ HTTP/2 header values with invalid characters are now rejected
in header validation
+ We now automatically generate conditional meta-data for
native-image use, making GraalVM support more reliable
+ Fix a scalability issue caused by instanceof and check-cast
checks that lead to false-sharing on the
Klass::secondary_super_cache field in the JVM
(See JDK-8180450)
+ Made the HTTP/2 HPACK static table implementation faster by
using a perfect hash function
+ Fixed a bug in our PEMParser when PEM files have multiple
objects, and BouncyCastle is on the classpath
* Fixes of 4.1.82:
+ Fix a NullPointerException bug when calling forEachByte on
nested CompositeByteBufs
+ Relax an overly strict HTTP/2 header validation check that was
rejecting requests from Chrome and Firefox
+ The OpenSSL and BoringSSL implementations now respect the
jdk.tls.client.protocols and jdk.tls.server.protocols system
properties, making them react to these in the same way the JDK
SSL provider does
* Fixes of 4.1.81:
+ Fix a regression SslContext private key loading
+ Fix a bug in SslContext private key reading fall-back path
+ Fix a buffer leak regression in HttpClientCodec
+ Fix a bug where some HttpMessage implementations, that also
implement HttpContent, were not handled correctly
+ The MessageFormatter and FormattingTuple classes are now
usable in the public API
+ Connection related headers in HTTP/2 frames are now rejected,
in compliance with the specification
* Fixes of 4.1.80:
+ HttpObjectEncoder scalability issue due to instanceof checks
+ Improve logging when MacOSDnsServerAddressStreamProvider
cannot be found/loaded
+ Replace stdlib write/read with send/recv
+ Support for pkcs1
+ Add Blockhound exceptions for the PooledByteBufAllocator
+ Fix epoll bug when receiving zero-sized datagrams
+ Avoid including header values in header validation failure
exceptions
+ Avoid allocating large buffers in JdkZlibEncoder
+ Native Image Support: Set
IS_EXPLICIT_TRY_REFLECTION_SET_ACCESSIBLE to true by default
for native images
+ We need to use disconnectx(...) on macOS
+ Replace synchronized with Java Locks on the allocator
+ Don't use static instances of FixedRecvByteBufAllocator
+ Add escaping for stomp headers
* Fixes of 4.1.79:
+ The PEM certificate parser is no longer susceptible to
exponential back-off
+ Non-standard extra ampersands in HTTP POST bodies are no
longer rejected
+ An io.netty.osClassifiers system property has been added to
avoid reading os-release files
+ Fix a bug in SslHandler so handlerRemoved works properly even
if handlerAdded throws an exception
+ Use the correct OSGi processor directive on aarch64, making it
possible to use OSGi on ARM
+ HTTP paths that begin with a double-slash are now parsed the
same way browsers do
+ The isCompleted flag is now correctly preserved on objects
from HttpData.retainedDuplicate()
+ The HttpUtil.isOriginForm() and isAsteriskForm() methods now
correctly conform with RFC 7230
+ Fix an issue that allowed the multicast methods on
EpollDatagramChannel to be called outside of an event-loop
thread
+ Support for the LoongArch64 processor architecture has been
added
* Fixes of 4.1.78:
+ Fix a bug where an OPT record was added to DNS queries that
already had such a record
+ Fix a bug that caused an error when files uploaded with HTTP
POST contained a backslash in their name
+ Fix an issue in the BlockHound integration that could
occasionally cause NetUtil to be reported as performing
blocking operations
+ A similar BlockHound issue was fixed for the JdkSslContext
+ Fix a bug that prevented preface or settings frames from
being flushed, when an HTTP2 connection was established with
prior-knowledge
+ Fixes a rare NullPointerException that could occur when a
ReferenceCountedOpenSslEngine threw an OutOfMemoryError from
its constructor, and was then later finalized
+ The SslHandler now adds the socket file descriptor to the
BIOs, when the SslEngine supports this (boringssl and
libressl), which allow tracing and observability tools to
monitor encryption traffic on a per-connection basis.
+ It is now possible to explicitly step the scheduling clock in
EmbeddedEventLoop, which is useful for making automated tests
with deterministic scheduling
* Fixes of 4.1.77:
+ Local Information Disclosure Vulnerability in Netty on
Unix-Like systems due temporary files for Java 6 and lower in
io.netty:netty-codec-http (bsc#1199338, CVE-2022-24823)
+ Upgraded the optional netty-tcnative dependency to version
2.0.52.Final
+ Fix a bug where Netty fails to load a shaded native library
+ Include classifier in Automatic-Module-Name
+ Check if epoll_pwait2 is implemented
+ Don't call strdup on packagePrefix
+ Enable debugging of asynchronous tasks in Intellij
+ Throwing an exception in case glibc is missing instead of
segfaulting the JVM
* Fixes of 4.1.76:
+ Upgraded the optional netty-tcnative dependency to version
2.0.51.Final
+ Upgraded the optional log4j dependency to version 2.17.2
+ The netty-all module now declare an automatic module name,
making it useable with Java Modules.
+ It is now possible to configure arbitrary socket options for
the native epoll and kqueue transports. Refer to your
operating system documentation for what options are available.
+ It is now possible to explicitly bind channels to either IPv4
or IPv6.
+ The HTTP/2 header validation that rejects duplicate
pseudo-headers, which was added in 4.1.75.Final, has been
changed so it no longer breaks older versions of gRPC.
" Fix a NullPointerException that was hiding the real cause of
certain HTTP/2 header decoding errors.
- Modified patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
* no-brotli-zstd.patch
-> 0004-Disable-Brotli-and-ZStd-compression.patch
* no-werror.patch
+ rebase
- Removed patches:
* 0004-Remove-optional-dep-tcnative.patch
* 0005-Remove-optional-dep-log4j.patch
+ we have the dependencies, so no need to disable them
* 0006-revert-Fix-native-image-build.patch
* 0007-Revert-Support-session-cache-for-client-and-server-w.patch
+ solve the build breakages differently
- Added patches:
* 0005-Do-not-use-the-Graal-annotations.patch
* 0006-Do-not-use-the-Jetbrains-annotations.patch
+ do not use annotations for which we don't have dependencies
* 0007-Do-not-require-the-tcnative-native-library.patch
+ our tcnative library is installed system-wide
-------------------------------------------------------------------
Thu Oct 13 11:21:47 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Force building with java 11 on ix86 in order to avoid random
build failures
-------------------------------------------------------------------
Fri Apr 8 07:27:55 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Upgrade to latest upstream version 4.1.75
- Modified patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
* 0004-Remove-optional-dep-tcnative.patch
* 0005-Remove-optional-dep-log4j.patch
* 0006-revert-Fix-native-image-build.patch
* 0007-Revert-Support-session-cache-for-client-and-server-w.patch
+ rebase
-------------------------------------------------------------------
Tue Feb 22 18:27:07 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Do not build against the log4j12 packages
-------------------------------------------------------------------
Tue Dec 14 06:31:10 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Upgrade to latest upstream version 4.1.72
* fixes: bsc#1190610, CVE-2021-37136: Bzip2Decoder doesn't allow
setting size restrictions for decompressed data
* fixes: bsc#1190613, CVE-2021-37137: SnappyFrameDecoder doesn't
restrict chunk length any may buffer skippable chunks in an
unnecessary way
* fixes: bsc#1193672, CVE-2021-43797: possible HTTP request
smuggling due to insufficient validation against control
characters
* fixes: bsc#1184203, CVE-2021-21409: request smuggling via
content-length header
- Modified patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
* 0004-Remove-optional-dep-tcnative.patch
* 0005-Remove-optional-dep-log4j.patch
* 0006-revert-Fix-native-image-build.patch
* 0007-Revert-Support-session-cache-for-client-and-server-w.patch
* no-werror.patch
+ rediff to changed context
- Added patch:
* no-brotli-zstd.patch
+ disable Brotli and Zstd compression, since we lack
the dependencies needed to build them
-------------------------------------------------------------------
Fri Mar 12 08:31:56 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Upgrade to latest upstream version 4.1.60
* fixes: bsc#1183262, CVE-2021-21295: HTTP/2 request
Content-Length header field is not validated by
'Http2MultiplexHandler'
- Modified patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
* 0004-Remove-optional-dep-tcnative.patch
* 0005-Remove-optional-dep-log4j.patch
* 0006-revert-Fix-native-image-build.patch
+ rediff to changed context
- Added patch:
* 0007-Revert-Support-session-cache-for-client-and-server-w.patch
+ revert optional disabled cache implementation that conflicts
with our 0004-Remove-optional-dep-tcnative.patch
-------------------------------------------------------------------
Thu Feb 11 12:00:22 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Upgrade to latest upstream version 4.1.59
- Removed patches:
* netty-CVE-2020-11612.patch
* netty-CVE-2021-21290.patch
+ fixes integrated in the upstream sources
* 0001-Remove-OpenSSL-parts-depending-on-tcnative.patch
* 0002-Remove-NPN.patch
* 0003-Remove-conscrypt-ALPN.patch
* 0004-Remove-jetty-ALPN.patch
+ replaced by new patches
- Added patches:
* 0001-Remove-optional-dep-Blockhound.patch
* 0002-Remove-optional-dep-conscrypt.patch
* 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
* 0004-Remove-optional-dep-tcnative.patch
* 0005-Remove-optional-dep-log4j.patch
+ remove various optional dependencies that we do not need
* 0006-revert-Fix-native-image-build.patch
+ Revert changes that introduce a new dependency that we
do not have
* no-werror.patch
+ Do not treat warnings as errors
- Build -poms and -javadoc as noarch packages, since they do not
install anything in arch-dependent directories
-------------------------------------------------------------------
Thu Feb 11 09:20:25 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Added patch:
* netty-CVE-2021-21290.patch
+ bsc#1182103, CVE-2021-21290
-------------------------------------------------------------------
Thu Apr 9 07:54:00 UTC 2020 - Fridrich Strba <fstrba@suse.com>
- Added patch:
* netty-CVE-2020-11612.patch
+ bsc#1168932, CVE-2020-11612
+ bsc#1169082, CVE-2020-10707
-------------------------------------------------------------------
Thu Jan 9 15:14:41 UTC 2020 - Fridrich Strba <fstrba@suse.com>
- Split pom-only artifacts into a subpackage netty-pom in order
to generate their dependencies correctly
-------------------------------------------------------------------
Wed Nov 13 19:18:57 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Initial packaging of netty 4.1.13
View Git Blame Copy Permalink