apache/dubbo dubbo-2.5.9

on GitHub

BugFixes

• Backward compatible for RMI protocol #911
• Hessian serialization:
  • Add null check for for java.util.Time type, #1118
  • Revert the override sequence of hessian, field of subclass should override that of parent class, not the other way around, #932
• Redis and Multicast registry can not offline.

Enhancements

• Annotation enhancement, #1205. The dubbo-spring-boot-starter has also been released based on this version.
• Add switch for qos: dubbo.application.qos.enable=true/false. Notice the new way we configure qos, for example, dubbo.qos.port has been changed to dubbo.application.qos.port. #1189
• Graceful shutdown, add extra waiting time between registry unregister and threadpool shutdown. #1021
• Improve performance of hessian serialization by avoid usage of inefficient synchronized. #1196
• Avoid retry when parameter validation fails. #1031
• Condition router should also check default values. #1204

Vulnerability Patches

• From this version, we will check if the serialization id received from network(only if the id identifies JDK serialization) matches with that in current instance. If it can't be matched, the deserialization process will be rejected. Since the original JDK deserialization has security problems, we do this to prevent unexpected tamper of serialization type, e.g. from hessian2 to java.