We are happy to announce the release of netty 4.1.115.Final. This is a bug-fix release but also include a fix for (CVE-2024-47535) which we rate as very low as the attacker needs to have access to the local filesystem with the right permissions.

The most important changes are:

• Allow MessageToMessageDecoder to take care of reading more data when needed (#14372)
• Fix SSL session resumption with ClientAuth.OPTIONAL and add tests with session tickets (#14404)
• Fix incorrect cast in NioDomainSocketChannel.parent() (#14409)
• Fix bug where SslHandler may stall after TLSv1.3 handshake with delegate tasks (#14411)
• AdaptiveByteBufAllocator: Make pooling of AdaptiveByteBuf magazine local (#14414)
• Specialize Adaptive's allocator Recycler based on magazine's owner (#14421)
• Fix epoll_wait retry loop (#14425)
• Log / include the correct error during handshake failure (#14428)
• Convey autoAckPing in http2 decoder constructor chain (#14429)
• Allow to set used named groups per OpenSslContext (#14433)
• Verify default named groups before using them with native SSL implementation (#14434)
• Include details on why it was not possible to configure accepted issuers in the SSLException (#14435)
• Correctly detect if KeyManager is not supported by OpenSSL version (#14437)
• Preserve ordering of default named groups during conversation (#14447)
• Denial of Service attack on windows app using netty (CVE-2024-47535)

For more details please visit our bug tracker

Thank You

Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.

Please report an unintended omission.

• @Amossys-PGR

• @bryce-anderson

• @chrisvest

• @dsidorov

• @franz1981

• @idelpivnitskiy

• @laosijikaichele

• @normanmaurer

• @vietj
• @violetagg
• @werkt
• @yawkat