We are happy to announce the release of netty 4.1.68.Final. This release includes two security fixes related to compression / decompression of Bzip2 and Snappy so it is adviced to update to this version as soon as possible. Beside these security fixes this release also includes various other bugfixes. Last but not least it also adds support for Mac M1 for our native bits of netty.

The most important changes are:

• Bzip2Decoder doesn't allow setting size restrictions for decompressed data (#CVE-2021-37136)
• SnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way (#CVE-2021-37137)
• Respect jdk.tls.namedGroups when using native SSL implementation (#11660)
• Add support for mac m1 (#11666)
• Ensure HttpData#addContent/setContent releases the buffer before throwing IOException (#11621)
• [HTTP2] Fix memory leak while writing empty data frame with padding (#11633)
• Added "RSASSA-PSS" algorithm in allowed algorithm list (#11626)
• Don't throw if null is given as ByteBuf when adding components (#11613)
• Add version for netty-tcnative* to bom (#11609)
• SimpleChannelPool::notifyConnect should tryFailure when an exception occurs (#11566)
• Allow server initiated renegotiate when using OpenSSL / BoringSSL based SSLEngine (#11601)
• Only support TLSv1.3 when JDK does support it as well (#11604)
• Fix support for optional encoders errors in HttpContentCompressor (#11582)
• Fix a problem with IP protocol version confusion on MacOS when TCP FastOpen is enabled (#11588)
• Fix IndexOutOfBoundsException caused by consuming the buffer multiple times in DatagramDnsQueryDecoder (#11592)
• Use StandardSocketOptions#IP_MULTICAST_IF as default source when join multicast groups (#11585)
• Ensure we only log message on BoringSSL when the ciphers really are not the default (#11583)

For the details and all changes, please browse our issue tracker for 4.1.68.Final.

Thank You

Every idea and bug-report counts and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @chhsiao90
• @chrisvest
• @diegolovison
• @franz1981
• @hunter2046
• @hyperxpro
• @idelpivnitskiy
• @ikhoon
• @jameskleeh
• @jkuhn1
• @kushalagrawal
• @mormegil-cz
• @NiteshKant
• @normanmaurer
• @orvdoo
• @ostdms
• @ran-su
• @skyguard1
• @slandelle
• @vietj
• @violetagg