Netty 4.1.136.Final released
We are happy to announce the release of netty 4.1.136.Final. This is a bug-fix and security release.
We strongly recommend upgrading to this version to get the following security fixes:
- CVE-2026-XXXXX: memory exhaustion in
io.netty:netty-codec-stomp. - CVE-2026-55833: zip bomb in
io.netty:netty-codec-http. - CVE-2026-XXXXX: improper CR/LF neutrolization in
io.netty:netty-codec-http(multipart). - CVE-2026-XXXXX: improper CR/LF neutrolization in
io.netty:netty-codec-haproxy. - CVE-2026-55851: memory exhaustion in
io.netty:netty-codec-haproxy. - CVE-2026-56745: memory exhaustion in
io.netty:netty-codec-http. - CVE-2026-56817: insecure defaults in XML parsing in
io.netty:netty-codec-xml. - CVE-2026-XXXXX: memory exhaustion in
io.netty:netty-codec-http. - CVE-2026-56818: memory leak in
io.netty:netty-codec-redis. - CVE-2026-56819: memory leak in
io.netty:netty-codec-http2. - CVE-2026-55831: resource exhaustion/DoS in
io.netty:netty-codec-http. - CVE-2026-XXXXX: memory leak in
io.netty:netty-codec-dns. - CVE-2026-XXXXX: infinite loop in
io.netty:netty-codec-compression(bzip2). - CVE-2026-XXXXX: improper header neutralization in
io.netty:netty-codec-http2. - CVE-2026-XXXXX: protocol version confusion in
io.netty:netty-codec-http(websocket). - CVE-2026-56746: improper access control in
io.netty:netty-codec-http(CORS). - CVE-2026-56822: time-of-check/time-of-use in
io.netty:netty-handler-ssl-ocsp. - CVE-2026-XXXXX: uncontrolled resource consumption in
io.netty:netty-codec-xml. - CVE-2026-56820: improper certificate validation in
io.netty:netty-handler-ssl-ocsp. - CVE-2026-56821: improper certificate revocation check in
io.netty:netty-handler-ssl-ocsp. - CVE-2026-XXXXX: improper CR/LF neutrolization in
io.netty:netty-codec-stomp.
Other significant changes are:
- SingleThreadEventExecutor: document Throwable safety contract on run() by @daguimu in https://github.com/netty/netty/pull/16814
- Make HTTP/2 frame hashCode consistent with equals by @daguimu in https://github.com/netty/netty/pull/16692
- Add BlockHound exception for DnsQueryIdSpace (#16896) by @chrisvest in https://github.com/netty/netty/pull/16915
- FlowControlHandler: Fix autoRead behavior by @chrisvest in https://github.com/netty/netty/pull/16912
- Auto-port 4.1: Fix incorrect bounds in error message of HpackDecoder.setMaxHeaderListSize by @netty-project-bot in https://github.com/netty/netty/pull/16911
- MQTT: Fix MQTT decoder size check after variable header replay by @daguimu in https://github.com/netty/netty/pull/16916
- MQTT: Make the decodeProperties early-REPLAY check actually fire by @daguimu in https://github.com/netty/netty/pull/16813
- Reject control characters at the boundary of HTTP method names (#16723) by @chrisvest in https://github.com/netty/netty/pull/16933
- Auto-port 4.1: Update to latest tcnative release by @netty-project-bot in https://github.com/netty/netty/pull/16941
- Auto-port 4.1: Fix HTTP 2 PUSH_PROMISE stream association validation by @netty-project-bot in https://github.com/netty/netty/pull/16955
- Auto-port 4.1: Fix GZIP FEXTRA extra-field handling in JdkZlibDecoder by @netty-project-bot in https://github.com/netty/netty/pull/16957
- Auto-port 4.1: Add opt-in validation of mandatory pseudo-header fields for HTTP/2 by @netty-project-bot in https://github.com/netty/netty/pull/16964
- Strictly validate MQTT UTF-8 Encoded String (#16939) by @chrisvest in https://github.com/netty/netty/pull/16965
- Auto-port 4.1: Stop DateFormatter trailing token from running past the parse end by @netty-project-bot in https://github.com/netty/netty/pull/16968
- Auto-port 4.1: IpFilter: Deprecate constructor which use accept by default by @netty-project-bot in https://github.com/netty/netty/pull/16973
- Add RFC 10008 QUERY Method support (#16966) by @normanmaurer in https://github.com/netty/netty/pull/16978
- Correctly release and fail queued traffic-shaping writes on close (#16959) by @normanmaurer in https://github.com/netty/netty/pull/16976
- Auto-port 4.1: FlowControlHandler: respect auto-read when toggled while dequeueing by @netty-project-bot in https://github.com/netty/netty/pull/16983
- IdleStateHandler: reset firstWriter/ReaderIdleEvent in resetWriteTimeout/resetReadTimeout (#16982) by @chrisvest in https://github.com/netty/netty/pull/16989
- Auto-port 4.1: Fix typo in AbstractSniHandler Javadoc by @netty-project-bot in https://github.com/netty/netty/pull/16995
- Auto-port 4.1: Reconcile
AbstractCoalescingBufferQueuereadableBytes when it drains, and fail stuck HTTP/2 streams instead of spinning empty DATA frames by @netty-project-bot in https://github.com/netty/netty/pull/16997 - Reject control characters at the boundary of the HTTP version token (#16971) by @normanmaurer in https://github.com/netty/netty/pull/16986
- Auto-port 4.1: Reset UTF-8 decode state on CR in StompSubframeDecoder by @netty-project-bot in https://github.com/netty/netty/pull/17003
- Auto-port 4.1: HTTP2: Pass the correct number of arguments when logging goaway by @netty-project-bot in https://github.com/netty/netty/pull/17017
- FastLz: Guard decompression against truncated input (#17000) by @chrisvest in https://github.com/netty/netty/pull/17015
- Backport 4.1 Fix propagation of startTls for client SslContext handler by @skyguard1 in https://github.com/netty/netty/pull/17020
- Auto-port 4.1: Reject non-token characters in HTTP/2 header names by @netty-project-bot in https://github.com/netty/netty/pull/17022
- Update lz4-java to 1.11.1 by @yawkat in https://github.com/netty/netty/pull/17060
- Pin github actions to reduce risk (#17043) by @normanmaurer in https://github.com/netty/netty/pull/17044
- Merge branches from forks (#17063) by @normanmaurer in https://github.com/netty/netty/pull/17065
For more details please see the complete release notes.
Thank You
Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.
Please report an unintended omission.