I am happy to announce the release of netty 4.1.59.Final, which beside fixing various bugs also contains a security fix which may affect you if you use the HttpPostRequestDecoder or HttpPostMultiPartRequestDecoder.

For more details about the impact of the CVE check the Security Advisory.

The most important changes are:

• Implement SWAR indexOf byte search (#10737)
• Correctly filter out TLSv1.3 ciphers if TLSv1.3 is not enabled (#10919)
• Allow blocking calls in UnixResolverDnsServerAddressStreamProvider#parse (#10935)
• Ignore priority frames for non existing streams and so prevent a NPE (#10943)
• Make native loading logging less confusing (#10944)
• Use GracefulShutdown when stream space is exhausted (#10946)
• Correctly handle fragmentation in JdkZlibDecoder (#10948)
• Merge WebSocket extensions (#10956)
• Override ALPN methods on ReferenceCountedOpenSslEngine (#10954)
• Fix possible SEGV when using native dns resolver on macos (#10971)
• Revert "Enable SSL_MODE_ENABLE_FALSE_START if jdkCompatibilityMode is false (#10980)
• Introduce SslContextOption which can be used for "optional" features in SslContext implementations (#10981)
• Fix memory release failure when "maxNumElems == 1" of PoolSubpage (#10988)
• Revert HttpPostMultipartRequestDecoder and HttpPostStandardRequestDecoder to e5951d4 (#10989)

Thank You

Every idea and bug-report counts and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @atropnikov
• @bryce-anderson
• @carl-mastrangelo
• @chrisvest
• @danielflower
• @duke-bartholomew
• @doom369
• @franz1981
• @mrksngl
• @normanmaurer
• @slandelle
• @violetagg
• @violetgo
• @ZzxyNn