Skip to content

Releases: netty/netty

netty-4.1.136.Final

Choose a tag to compare

@normanmaurer normanmaurer released this 08 Jul 20:18

What's Changed

Full Changelog: netty-4.1.135.Final...netty-4.1.136.Final

netty-4.2.16.Final

Choose a tag to compare

@chrisvest chrisvest released this 07 Jul 00:23

What's Changed

  • Document Java 9 requirement for io_uring by @jchambers in #16904
  • Add BlockHound exception for DnsQueryIdSpace by @violetagg in #16896
  • Fix incorrect bounds in error message of HpackDecoder.setMaxHeaderListSize by @skyguard1 in #16901
  • Add epoch-based chunk cache purge with ring buffer for thread-local reuse by @franz1981 in #16766
  • Use Splittable/ThreadLocalRandom to generate bulk data in tests by @chrisvest in #16808
  • Auto-port 4.2: SingleThreadEventExecutor: document Throwable safety contract on run() by @netty-project-bot in #16909
  • Auto-port 4.2: Make HTTP/2 frame hashCode consistent with equals by @netty-project-bot in #16910
  • Auto-port 4.2: MQTT: Make the decodeProperties early-REPLAY check actually fire by @netty-project-bot in #16919
  • IoUring: fix io_uring datagram writes with non-zero readerIndex by @dreamlike-ocean in #16905
  • Exclude internal events from IoHandler.run() return value in epoll, io_uring and kqueue by @franz1981 in #16848
  • IoUring: Pass IORING_ENTER_NO_IOWAIT to report accurate CPU usage by @wineway in #16739
  • Avoid logging exceptions that tests ignore by @chrisvest in #16891
  • Reject control characters at the boundary of HTTP method names by @daguimu in #16723
  • IoUring: fix TCP Fast Open initial writes with readerIndex and composites by @dreamlike-ocean in #16929
  • Try to fix/stabilize a number of flaky tests by @chrisvest in #16934
  • Fix propagation of startTls for client SslContext handlers by @skyguard1 in #16931
  • Update to latest tcnative release by @normanmaurer in #16936
  • Move test to shared testsuite by @normanmaurer in #16928
  • [Refactor] Useful helper method getOrDefault & cleaner abstraction by @sanjomo in #16927
  • Make permessage-deflate server window size and memLevel configurable by @fru1tworld in #16809
  • Return early in DnsQueryContext.writeQuery when the query ID space is exhausted by @HwangRock in #16950
  • Fix HTTP 2 PUSH_PROMISE stream association validation by @skyguard1 in #16952
  • Fix GZIP FEXTRA extra-field handling in JdkZlibDecoder by @daguimu in #16951
  • Http3FrameCodec handle fragmented payloads when skipping unknown frames by @skyguard1 in #16960
  • Add opt-in validation of mandatory pseudo-header fields for HTTP/2 by @hyperxpro in #16932
  • Strictly validate MQTT UTF-8 Encoded String by @skyguard1 in #16939
  • Stop DateFormatter trailing token from running past the parse end by @daguimu in #16958
  • IpFilter: Deprecate constructor which use accept by default by @normanmaurer in #16961
  • Add RFC 10008 QUERY Method support by @desiderantes in #16966
  • Correctly release and fail queued traffic-shaping writes on close by @skyguard1 in #16959
  • Reject control characters at the boundary of the HTTP version token by @HwangRock in #16971
  • FlowControlHandler: respect auto-read when toggled while dequeueing by @schiemon in #16949
  • Fix leak in ReferenceCountedOpenSslEngine.addCredential by @jmcrawford45 in #16979
  • IdleStateHandler: reset firstWriter/ReaderIdleEvent in resetWriteTimeout/resetReadTimeout by @husseinvr97 in #16982
  • Fix typo in AbstractSniHandler Javadoc by @coderbruis in #16988
  • Fix client/server inconsistency in SslCredential support matrix by @jmcrawford45 in #16990
  • Reconcile AbstractCoalescingBufferQueue readableBytes when it drains, and fail stuck HTTP/2 streams instead of spinning empty DATA frames by @gavinbunney in #16947
  • Use Ticker in Http2MaxRstFrameListener for testability by @skyguard1 in #16993
  • Reset UTF-8 decode state on CR in StompSubframeDecoder by @vasiliy-mikhailov in #16991
  • FastLz: Guard decompression against truncated input by @yawkat in #17000
  • Reject non-token characters in HTTP/2 header names by @daguimu in #16762
  • Auto-port 4.2: Fix SelfSignCertificate initialization in tests by @netty-project-bot in #17029
  • Enable extension of Http3ClientConnectionHandler to support higher-level protocols such as WebTransport. by @sanjomo in #17027
  • Implement Adaptive Cumulator by @shivaspeaks in #16731
  • Allow WebSocket extension negotiation to be disabled per response by @mkurz in #17030
  • Support QPACK sensitivity detector for Never Indexed header fields by @skyguard1 in #17026
  • Fix maxAllocation for brotli-encoded content in HttpContentDecompressor by @skyguard1 in #17037
  • Pin github actions to reduce risk by @normanmaurer in #17043
  • Update lz4-java to 1.11.1 by @yawkat in #17061
  • Merge branches from forks by @chrisvest in #17063

New Contributors

Full Changelog: netty-4.2.15.Final...netty-4.2.16.Final

netty-4.2.15.Final

Choose a tag to compare

@chrisvest chrisvest released this 02 Jun 05:50

Security fixes

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-50009: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
  • CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

New Contributors

Full Changelog: netty-4.2.14.Final...netty-4.2.15.Final

netty-4.1.135.Final

Choose a tag to compare

@chrisvest chrisvest released this 02 Jun 19:47

Security fixes

  • CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
  • CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-50560: DDoS in io.netty:netty-codec-http2.
  • CVE-2026-50011: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
  • CVE-2026-50020: request smuggling in io.netty:netty-codec-http.
  • CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
  • CVE-2026-50010: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
  • CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
  • CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
  • CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
  • CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
  • CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
  • CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
  • CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
  • CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

What's Changed

Full Changelog: netty-4.1.134.Final...netty-4.1.135.Final

netty-4.2.14.Final

Choose a tag to compare

@chrisvest chrisvest released this 20 May 21:24

What's Changed

New Contributors

Full Changelog: netty-4.2.13.Final...netty-4.2.14.Final

netty-4.1.134.Final

Choose a tag to compare

@chrisvest chrisvest released this 20 May 22:15

What's Changed

Full Changelog: netty-4.1.133.Final...netty-4.1.134.Final

netty-4.2.13.Final

Choose a tag to compare

@chrisvest chrisvest released this 04 May 23:39

CVEs Fixed

Breaking Changes

The patch for CVE-2026-42581 prohibits HTTP/1.1 requests containing both the Transfer-Encoding and Content-Length headers, in line with RFC 9112. Previous versions of HTTP/1.1 (RFC 7230) permitted this combination. You can restore the old behavior with the -Dio.netty.handler.codec.http.rfc9112TransferEncoding=false system property or with HttpDecoderConfig. Note that disabling this check may lead to request smuggling vulnerabilities.

What's Changed

New Contributors

Full Changelog: netty-4.2.12.Final...netty-4.2.13.Final

netty-4.1.133.Final

Choose a tag to compare

@chrisvest chrisvest released this 05 May 00:56

CVEs Fixed

What's Changed

New Contributors

Full Changelog: netty-4.1.132.Final...netty-4.1.133.Final

netty-4.2.12.Final

Choose a tag to compare

@chrisvest chrisvest released this 25 Mar 18:46

What's Changed

  • Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by @chrisvest in #16550

Full Changelog: netty-4.2.11.Final...netty-4.2.12.Final

netty-4.2.11.Final

Choose a tag to compare

@chrisvest chrisvest released this 24 Mar 21:29

Security

What's Changed

Read more