We are happy to announce the release of netty 4.1.94.Final. This is mainly a bug-fix release but also contains a fix for a possible security issue (CVE-2023-34462) when using SniHandler.

The most important changes are:

• Respect offset in io.netty.util.NetUtil#toAddressString(byte[], int, boolean) (#13420)
• Skip finalization for PoolThreadCache instances without small/normal caches (#13408)
• Use network byte order when encoding ipv4 address and port for Socks codecs (#13427)
• Call ReleaseByteArrayElements even when handling of socket_path fails to fix small mem leak (#13435)
• Always enable leak tracking for derived buffers if parent is tracked (#13436)
• Release DnsRecords when failing to notify promise (#13437)
• Delay possibility to reuse transaction id when query is failing because of timeout or cancellation (#13446)
• Implement contains for SelectedSelectionKeySet (#13452)
• Use Two-Way for finding the delimiter in DelimiterBasedFrameDecoder (#13451)
• Obtain the local address from the fd when the client connects only with remote address (UDS) (#13419)
• Allow to limit the maximum lenght of the ClientHello (CVE-2023-34462)

For more details please visit our bug tracker

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @chrisvest
• @franz1981
• @hyperxpro
• @idelpivnitskiy
• @laurentgo
• @normanmaurer
• @ramizdundar
• @rdicroce
• @Scottmitch
• @trustin
• @vietj
• @violetagg
• @Zmax0
• @zzy444626905