We are happy to announce the release of netty 4.1.86.Final. This release contains two CVE fixes, one which is considered as Severity High and can be triggered remotely (if you use the HAProxyMessageDecoder)!
Beside this this release contains various small bug-fixes.

The most important changes are:

• HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
• HTTP Response splitting from assigning header value iterator (CVE-2022-41915)
• Revert #12888 for potential task scheduling problems in HashedWheelTimer (#13021)
• Deprecate ObjectEncoder/ObjectDecoder (#12990)
• HPACK dynamic table size update must happen at the beginning of the header block (#12988)

For more details please visit our bug tracker

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @amizurov
• @chrisvest
• @franz1981
• @heixiaoma
• @hyperxpro
• @laosijikaichele
• @mostroverkhov
• @needmorecode
• @nmonsees
• @normanmaurer
• @pmlopes
• @pqrstuvwx
• @ursaj
• @vietj
• @zazf