We are happy to announce the release of netty 4.1.100.Final. This release fixes a HTTP2 DDOS attack vector which effects any HTTP/2 Server, also called "HTTP/2 Rapid Reset Attack". If you use netty to run a HTTP/2 server we urge you to upgrade as soon as possible.

The most important changes are:

• DDoS vector in the HTTP/2 protocol due RST frames (#GHSA-xpw8-rcwv-8f8p)
• Do not fail when compressing empty HttpContent (#13655)

DDOS HTTP/2 protection - HTTP/2 Rapid Reset Attack

As stated above this release includes an by default protection for the HTTP/2 DDOS issue (#GHSA-xpw8-rcwv-8f8p). This is done by limiting the amount of RST frames a remote peer can send on a connection in given time window. You can adjust the configuration of these settings via one of these builders if needed:

• Http2ConnectionHandlerBuilder
• Http2FrameCodecBuilder
• HttpMultiplexCodecBuilder

For more details please visit our bug tracker

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @chrisvest
• @franz1981
• @idelpivnitskiy
• @isaacrivriv
• @normanmaurer
• @yawkat