Includes CVEs: CVE-2024-6162 CVE-2024-27316 CVE-2023-5685
Release Notes - Undertow - Version 2.2.33.Final
Sub-task
- [UNDERTOW-2400] - ResponseWriterTestCase fails because ServletInputStream is closed before read
Bug
- [UNDERTOW-2332] - CachingResource mishandling with TTL = 0 and FS exhaustion
- [UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
- [UNDERTOW-2378] - Properly adjust session timeout also when custom auth mechanisms are used
- [UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
- [UNDERTOW-2385] - Memory leak in ThreadLocalCache
- [UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
- [UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
- [UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
- [UNDERTOW-2409] - Properly adjust session timeout also when GET requests with custom auth mechanisms are used
Component Upgrade
- [UNDERTOW-2391] - CVE-2023-5685 Upgrade XNIO to 3.8.16.Final
- [UNDERTOW-2406] - Upgrade XNIO from 3.8.8.Final to 3.8.15.Final
Enhancement
- [UNDERTOW-2291] - Shush the javadoc plugin
- [UNDERTOW-2408] - Make fields final in DefaultByteBufferPool when applicable
- [UNDERTOW-2415] - Disable JDK8 CI tests for Mac OS