🔒 Security
Apply limits.http_max_request_bytes on streaming request body decompression (PR #4759)
This release fixes a Denial-of-Service (DoS) vulnerability which exists in affected versions of the Router, as described in our published security advisory. The fix changes the evaluation of the limits.http_max_request_bytes configuration to take place on a stream of bytes, allowing it to be applied to compressed HTTP payloads, prior to decompression. Previously, the limit was applied only after the entire compressed payload had been decompressed, so expanding a compressed payload could consume significantly more memory than the configured limit was expected to allow.
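The difference between the two evaluation points, as an added illustration in Python (not the Router's own Rust code). It assumes the limit is counted against bytes as they leave the decompressor; the function names, the 64 KiB limit and the sample payloads are constructed for this example.

```python
import gzip
import zlib

AUTO = 32 + zlib.MAX_WBITS  # accept either a gzip or a zlib header
LIMIT = 64 * 1024           # constructed stand-in for limits.http_max_request_bytes

class BodyTooLarge(Exception):
    def __init__(self, produced: int, limit: int):
        super().__init__(f"decompressed body exceeds {limit} bytes")
        self.produced = produced  # decompressed bytes materialised before rejection

def decompress_then_check(compressed: bytes, limit: int) -> bytes:
    """Old evaluation point: expand the whole payload, then compare sizes."""
    body = zlib.decompress(compressed, wbits=AUTO)
    if len(body) > limit:
        raise BodyTooLarge(len(body), limit)
    return body

def decompress_streaming(chunks, limit: int, step: int = 16 * 1024) -> bytes:
    """New evaluation point: count bytes as the decompressor emits them."""
    d = zlib.decompressobj(wbits=AUTO)
    out = bytearray()
    for chunk in chunks:
        data = chunk
        while not d.eof:
            # Never request more than one byte past the limit.
            want = min(step, limit - len(out) + 1)
            piece = d.decompress(data, want)
            if len(out) + len(piece) > limit:
                raise BodyTooLarge(len(out) + len(piece), limit)
            out += piece
            data = d.unconsumed_tail
            if not data and len(piece) < want:
                break  # this chunk is drained; wait for the next one
    if not d.eof:
        raise ValueError("truncated compressed stream")
    return bytes(out)

def chunked(buf: bytes, size: int = 256):
    return (buf[i:i + size] for i in range(0, len(buf), size))

# Constructed sample inputs: a normal request and a highly compressible one.
SMALL = gzip.compress(b'{"query":"{ __typename }"}')
LARGE = gzip.compress(b"\0" * (1024 * 1024))

if __name__ == "__main__":
    try:
        decompress_streaming(chunked(LARGE), LIMIT)
    except BodyTooLarge as e:
        print("rejected after buffering", e.produced, "bytes")
```

Both functions reject the oversized body, but the first has already allocated the full expansion when it does so, while the second never holds more than one byte past the limit.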
🐛 Fixes
Re-activate the macOS Intel builder (PR #4723)
We have re-activated macOS Intel (x86) builds in CircleCI, despite their upcoming deprecation, while we take a different approach to solving this and maintaining Intel support for the time being. This became necessary because cross-compiling the router from ARM to x86 resulted in issues with V8 snapshots and runtime issues on the macOS Intel binaries produced by those Apple Silicon build machines.