
v2.3.14.Final

@fl4via fl4via released this 20 Jun 09:02
· 161 commits to main since this release

Includes CVEs: CVE-2024-6162, CVE-2024-27316, CVE-2023-5685

Release Notes - Undertow - Version 2.3.14.Final

Sub-task

  • [UNDERTOW-2400] - ResponseWriterTestCase fails because ServletInputStream is closed before read

Bug

  • [UNDERTOW-2332] - CachingResource mishandling with TTL = 0 and FS exhaustion
  • [UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
  • [UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
  • [UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
  • [UNDERTOW-2385] - Memory leak in ThreadLocalCache
  • [UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
  • [UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
  • [UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
  • [UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Component Upgrade

Enhancement

  • [UNDERTOW-2408] - Make fields final in DefaultByteBufferPool when applicable