We are happy to announce the release of netty 4.1.71.Final. This is mainly a bug-fix release but also contains a fix for HTTP-request-smuggling and fixes a regression in SslHandler. Because of this we urge everyone to upgrade as soon as possible.

The most important changes are:

• HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling (CVE-2021-43797)
• JdkZlibEncoder can use pooled heap buffers for deflater input (#11891)
• Ensure we always run the register task of native libraries (#11887)
• Rewrite and simplify Recycler (#11858)
• Do not allow third parties to provide Netty's native libraries (#11856)
• Fix reentrancy bug in SslHandler which can cause IllegalReferenceCountException (#11854)
• Correctly handle InputStream.read() when it return -1 during writing to the ByteBuf (#11837)

For the details and all changes, please browse our issue tracker for 4.1.71.Final.

Thank You

Every idea and bug-report counts and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @AndreasBrieg
• @chrisvest
• @dferstay
• @diegolovison
• @ejona86
• @eltociear
• @GisleGrimen
• @hyperxpro
• @johnou
• @martin-g
• @MoonLord-LM
• @normanmaurer
• @purninavi
• @rdesgroppes
• @rishika728
• @skyguard1
• @TeslaCN