I am happy to announce the release of netty 4.1.61.Final, which beside fixing various bugs also contains a security fix which may affect you if you use the codec-http2 package and proxy HTTP/2 to HTTP/1.1. This fix is a follow up of the previous fix done as part of CVE-2021-21295 as we missed to handle one case.

For more details about the impact of the CVE (CVE-2021-21409) check the Security Advisory.

The most important changes are:

• Validate Content-Length header in HTTP/2 decoder (CVE-2021-21409)
• Add support for UDP_GRO (#11120)
• DefaultThreadFactory must not use Thread.currentThread() when constructed without ThreadGroup (#11119)
• Let's use gcc10 when cross-compiling for LSE support (#11112)
• Allow to have an empty path when convert a CONNECT request (#11108)
• Ensure we can correctly propagate exceptions to streams even if endStream flag is set (#11105)
• Do not send GOAWAY frame before connection preface (#11107)
• Continue reading when the number of bytes is less then the configured number of bytes when using DatagramChannels (#11089)
• Allow to configure the maximum number of message to write per eventloop (#11086)
• SslHandler flushing with TCP Fast Open fix (#11077)
• Also support CompositeByteBuf with SegmentedDatagramPacket (#11081)
• Return correct result for Futures that are returned from UnorderedThreadPoolExecutor (#11074)
• Fix alignment handling for pooled direct buffers (#11106)

For the details and all changes, please browse our issue tracker for 4.1.61.Final.

Important notes

CVE-2021-21409 - request smuggling

This release fixes a possible security problem which have allowes for request smuggling, check the Security Advisory for more details.

GRO support for EpollDatagramChannel

This release also adds support for GRO (UDP_SEGMENT) when using the native EpollDatagramChannel and running on a system with a recent enough kernel. You can make use of this by using the EpollChannelOption.UDP_GRO option.

For more detail on GRO please read the LWN article which explains how this can be used to maximize performance when using QUIC.

LSE support for AARCH64

This release switched to use GCC10 for cross-compiling and so enable the usage of LSE when running on AARCH64. Using LSE can have a huge performance impact. For more details please read the MySQL on ARM blogpost.

Thank You

Every idea and bug-report counts and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @alalag1
• @Bennett-Lynch
• @carl-mastrangelo
• @chrisvest
• @doom369
• @ejona86
• @elharo
• @idelpivnitskiy
• @meshcow
• @normanmaurer
• @Scottmitch
• @stuartwdouglas