AArch64 | ppc64le | s390x | x86-64
- Added patch:
  * netty-CVE-2020-11612.patch
    + bsc#1168932, CVE-2020-11612
    + bsc#1169082, CVE-2020-10707
- Split pom-only artifacts into a subpackage netty-pom in order to generate their dependencies correctly
- Initial packaging of netty 4.1.13
- Upgrade to upstream version 4.1.115
  * Fixes:
    + Allow MessageToMessageDecoder to take care of reading more data when needed
    + Fix SSL session resumption with ClientAuth.OPTIONAL and add tests with session tickets
    + Fix incorrect cast in NioDomainSocketChannel.parent()
    + Fix bug where SslHandler may stall after TLSv1.3 handshake with delegate tasks
    + AdaptiveByteBufAllocator: Make pooling of AdaptiveByteBuf magazine local
    + Specialize Adaptive's allocator Recycler based on magazine's owner
    + Fix epoll_wait retry loop
    + Log / include the correct error during handshake failure
    + Convey autoAckPing in http2 decoder constructor chain
    + Allow to set used named groups per OpenSslContext
    + Verify default named groups before using them with native SSL implementation
    + Include details on why it was not possible to configure accepted issuers in the SSLException
    + Correctly detect if KeyManager is not supported by OpenSSL version
    + Preserve ordering of default named groups during conversation
    + Denial of Service attack on Windows app using netty (bsc#1233297, CVE-2024-47535)
- Split the netty-poms package in netty-parent and netty-bom
- Modified patch:
  * 0001-Remove-optional-dep-Blockhound.patch
    + rediff
- Clean up the spec file a bit and adapt to the recent changes in the netty-tcnative package
- Removed patches:
  * 0005-Do-not-use-the-Graal-annotations.patch
  * 0006-Do-not-use-the-Jetbrains-annotations.patch
    + remove the annotations with a macro in the jurand tool
  * 0007-Do-not-require-the-tcnative-native-library.patch
    + we are now building the artifact, so we can require it
- Upgrade to upstream version 4.1.114
  * Fixes of 4.1.114:
    + Validate HTTP Method
    + Release AdaptiveByteBuf when ownership could not be transferred
    + Make arenas reuse their last chunk more aggressively
    + Only add Magazine to Set if we can ensure it's removed again
    + Ensure Chunk will not leak if init of AdaptiveByteBuf fails for whatever reason
    + Correctly release one-off allocated chunks
    + Ensure pooled memory is released when AdaptivePoolingAllocator is GC'ed
    + Slices / duplicates of AdaptiveByteBuf must not escape the rootParent
    + Fix sizeBucket bug in AdaptivePoolingAllocator
    + AdaptiveByteBufAllocator: More strict reference counting for chunks
    + Ensure we do not store the DnsQueryContext for later removal when we couldn't obtain a query id
    + Reduce memory fragmentation
    + Properly free magazine chunks and avoid orphaned magazines
    + Magazines must be freed under the expand lock
    + Release message before failing promise when multiple requests are written while upgrade is in progress.
    + Allow to reuse more than one session per host / port mapping
    + Ensure writes will not fail when triggered after receiving UpgradeEvent.UPGRADE_SUCCESSFUL
    + Refactor DnsNameResolver to be able to use different strategies when it comes to creating Channels for queries.
    + DnsNameResolver: allow users to skip bind() during bootstrap
    + DnsResolverBuilder methods should make it clear that these are for DatagramChannel
  * Fixes of 4.1.113:
    + feat: Support for IP_BIND_ADDRESS_NO_PORT socket option
    + Ensure AbstractCoalescingBufferQueue does not end up in inconsistent state on error
    + Add new SslHandler.isEncrypted(...) variant that will not produce false positives
    + Ensure flushes are not discarded by ChunkedWriteHandler for passed through messages
    + Remove reference to parent in recycled buffers for leak detection
    + Upgrade to netty-tcnative 2.0.66.Final
    + Cleanup fields on AdaptiveByteBuf::deallocate
  * Fixes of 4.1.112:
    + Avoid unnecessary reflective probes on netty initialization
    + Allow control frames between fragments
    + Only delete the socket file for NioServerDomainSocketChannel
    + Add check for IPv6 brackets when address is unresolved
    + fix ResolvConf initialization with SecurityManager enabled
    + Fix potential DNS cache invalidation in ResolveWithDotSearchDomain scenario
    + Backport the SslContextBuilder.endpointIdentificationAlgorithm method
    + Aggressively remove PoolThreadCache references from its finalizer object
    + Send Http2PriorityFrame through fireUserEventTriggered for Http2MultiplexHandler
    + Fix potential DNS cache invalidation across different EventLoops
    + Reject http header values with non SP / HTAB chars
    + Don't strip whitespaces from header names and let the validator handle it
    + Reject request if NUL is present in the request line
    + Allow HTTP responses without reason-phrase
    + Validate HTTP version while decoding
    + Only include scopeId on link-local addresses when using native transport
  * Fixes of 4.1.111:
    + ReadOnlyByteBufferBuf | ReadOnlyUnsafeDirectByteBuf get, copy, duplicate, slice methods should be safe to be called from multiple threads
    + ReadyOnlyBuf must return false for isWritable() when sliced or duplicated
    + ReadOnlyByteBuf (and sub-classes) does not create derived buffers that share reference count
    + ByteBuf.asReadOnly().nioBuffer*() need to return read-only ByteBuffer
    + Remove unwanted mandatory dependency in OSGi
    + HashedWheelTimer.stop() must cancel tasks
    + ZSTD decompression not resilient to compression bombs
    + Duplicate of slice should have the same capacity as the original slice so that it's not writable
    + Optimize wrap buffer cumulation in SslHandler and don't mutate input buffers
    + Prepare for unsafe memory access deprecated for removal
    + Fix AdaptiveByteBufAllocator class loading on Java 6/7
    + Add missing NULL checks in native code
  * Fixes of 4.1.110:
    + Add unix domain socket transport in netty 4.x via JDK16+
    + Backport #13075: Add the AdaptivePoolingAllocator
    + Add no-value key handling only for form body
    + Add support for specifying SecureRandom in SSLContext initialization
  * Fixes of 4.1.109:
    + Utilize ByteBuf#indexOf
    + Don't send a RST frame when closing the stream in a write future while processing inbound frames
    + Fix DefaultChannelId#asLongText NPE
    + Fix voidPromise in Http2FrameCodec.writeHeadersFrame
    + Make /etc/resolv.conf reading more robust
    + Fix NioSocketChannel usage in graalvm native-image
    + Improve ByteBufUtil#firstIndexOf
    + Rewrite ZstdDecoder to remove the need to allocate a huge byte[] internally
    + Always log registered/detected ChannelInitializerExtension(s) at INFO level
    + Enhance AsciiString#toLowerCase and AsciiString#toUpperCase
    + Add support for zstd http content decompression
    + Save Snappy's encode tmp table allocation
- Regenerated patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Disable-Brotli-and-ZStd-compression.patch
  * 0005-Do-not-use-the-Graal-annotations.patch
  * 0006-Do-not-use-the-Jetbrains-annotations.patch
  * 0007-Do-not-require-the-tcnative-native-library.patch
- Add reproducible.patch to omit the mtime from libnetty-unix-common.a for reproducible builds (boo#1047218)
- Upgrade to upstream version 4.1.108
  * Fixes of 4.1.108:
    + HttpPostRequestDecoder can OOM (bsc#1222045, CVE-2024-29025)
    + Add zstd decoder
    + Updated HTTP2 Reader to fix missing header state
    + codec-http2: fix some frame validation errors
    + SSL: Only wrap TrustManager if FIPS is not used
    + Epoll: Correctly handle splice tasks when Channel is closed
    + Allow to cancel connect() operations when using non-blocking IO
    + DNS resolver final CNAME lookup disabled
    + DNS: Add DnsRecordType definitions for SVCB and HTTPS
    + SSL: Only try to use TLSv1.3 if a compatible ciphersuite is configured
    + Backport 'Fix buffer leak in DefaultHttp2HeadersEncoder' to v4
    + SSL: Hold the right monitor while running delegating task
    + SSL: Execute SSL_do_handshake(...) after task is run to ensure SSLEngine.getHandshakeStatus() returns the correct value all the time
    + Add active flag to EpollServerDomainSocketChannel fd constructor
    + Epoll: Fix possible Classloader deadlock caused by loading class via JNI
    + Prefer /etc/resolv.conf on Linux and Mac
    + Handle invalid cookie value
    + Upgrade to latest tcnative release
    + ByteToMessageDecoder.channelReadComplete(...) does call read() too often
    + Remove the lock usage in PoolArena#numPinnedBytes()
    + Fix x-www-form-urlencoded parsing for no-value key (re-submission)
  * Fixes of 4.1.107:
    + Speedup pseudoheader lookup
    + Add support for the Partitioned attribute in cookies
    + Reduce HTTP 1.1 Full msg pipeline traversals
    + DnsNameResolver: Add DnsQueryIdSpace class to reduce overhead while generating IDs
    + Fix copy-paste mistake in LazyX509Certificate.getIssuerAlternativeNames()
    + HTTP2: lastStreamCreated() does return the wrong value when all stream ids were used
    + HTTP2: Update local window should not fail queued frames
    + DnsNameResolver: Always call bind() during bootstrap
    + HTTP: HttpObjectDecoder must not use HTTPMessage once it is passed to the next handler in the ChannelPipeline
    + Ensure key / values are shared between resumed sessions
    + SSLSession.getLastAccessedTime() and getCreationTime() should not be equal when session is reused
    + Snappy: Use unsigned short to handle 2 ^ 16 input size instead of 2 ^ 15
  * Fixes of 4.1.106:
    + HTTP2: Prevent sharing the index of the continuation frame header ByteBuf.
    + DnsNameResolver: Fail query if id space is exhausted
    + Short-circuit ByteBuf::release
  * Fixes of 4.1.105:
    + Fix exception on HTTP chunk size overflow
    + Default value of MAX_MESSAGES_PER_READ not used for native DatagramChannels
    + Redo fix scalability issue due to checkcast on context's invoke operations
    + Be able to retry the query via TCP if a query failed because of a timeout
    + Save HTTP 2 pseudo-header lower-case validation
    + DnsNameResolver: Limit connect timeout to query timeout
    + h2: propagate stream close without read pending, avoid SOOE if !autoRead
  * Fixes of 4.1.104:
    + dyld: Symbol not found: _netty_jni_util_JNI_OnLoad
  * Fixes of 4.1.103:
    + Workaround for regex bug in Android SDK
    + Use Http2Headers.size() instead of isEmpty()
    + Add support for RISC-V
  * Fixes of 4.1.101:
    + Add service-loaded extension points for channel initialization
    + Added check for pseudo-headers in trailers
    + Automatically close Http2StreamChannel when Http2FrameStreamException reaches end of ChannelPipeline
    + Throwing a stackless exception if RST_FRAME rate is exceeded
    + Only enable the RST limit for servers by default
    + Change default value of MAX_MESSAGES_PER_READ for DatagramChannel implementations
    + Descriptive message for errors related to unknown http2 streams
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Disable-Brotli-and-ZStd-compression.patch
  * 0005-Do-not-use-the-Graal-annotations.patch
  * 0006-Do-not-use-the-Jetbrains-annotations.patch
  * 0007-Do-not-require-the-tcnative-native-library.patch
    + rebase
- Use %patch -P N instead of deprecated %patchN.
- Upgrade to upstream version 4.1.100
  * Fixes of 4.1.100:
    + DDoS vector in the HTTP/2 protocol due to RST frames (bsc#1216169, CVE-2023-44487)
    + Do not fail when compressing empty HttpContent
  * Fixes of 4.1.99:
    + Do not try to delete a global handle with the local handles APIs
    + Enable build with JDK21
    + dyld: lazy symbol binding failed: Symbol not found: _netty_jni_util_JNI_OnLoad
  * Fixes of 4.1.98:
    + Revert "HttpHeaderValidationUtil should reject chars past the 1 byte range"
    + Filter out unresolved addresses when parsing resolv.conf
    + Prevent classloader leak via JNI
    + SSLSession.getPeerCertificateChain() should throw UnsupportedOperationException if javax.security.cert.X509Certificate can not be created
    + Enable client side session cache when using native SSL by default
  * Fixes of 4.1.97:
    + Fixing AsciiString#lastIndexOf To Respect The offset
    + Add support for snappy http2 content decompression
    + Add support for password-based encryption scheme 2 params
    + HttpHeaderValidationUtil should reject chars past the 1 byte range
    + Honor SslHandler.setWrapDataSize greater than SSL packet length
    + Add support for snappy http content encoding
  * Fixes of 4.1.96:
    + Move the PoolThreadCache finalizer to a separate object
    + Fix kevent(..) failed: Invalid argument
    + Revert "Always increment Stream Id on createStream" to fix bug which caused sending multiple RST frames for the same id
  * Fixes of 4.1.95:
    + Add resource leak listener
    + Reduce object allocations during SslHandler.flush(...)
    + Ensure ByteBuf.capacity(...) will never throw AssertionError
    + Make transport.Bootstrap usable with no netty-resolver on classpath
    + Correctly retain slice when calling ReplayingDecoderByteBuf.retainedSlice(...)
    + Always increment Stream Id on createStream(...)
    + Fix BrotliEncoder bug that does not mark ByteBuf it encodes a read
    + Enhance CertificateException message when thrown due to hostname validation
- Rebased patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Disable-Brotli-and-ZStd-compression.patch
  * 0005-Do-not-use-the-Graal-annotations.patch
  * 0006-Do-not-use-the-Jetbrains-annotations.patch
  * 0007-Do-not-require-the-tcnative-native-library.patch
- Reproducible builds: use SOURCE_DATE_EPOCH for timestamp