Includes CVEs: CVE-2024-3653, CVE-2024-5971
Release Notes - Undertow - Version 2.2.34.Final
Bug
- [UNDERTOW-2033] - secure predicate unreliable with HTTP/2
- [UNDERTOW-2046] - ProxyHandler passes hostname not IP in X-Forwarded-For
- [UNDERTOW-2343] - Zero-Byte Response and Empty Response Code on Page Refresh with Wildfly 30 and Firefox
- [UNDERTOW-2382] - CVE-2024-3653 LearningPushHandler can lead to remote memory DoS attacks
- [UNDERTOW-2397] - Handle Huffman encoding properly
- [UNDERTOW-2413] - CVE-2024-5971 undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket
- [UNDERTOW-2418] - Adjust properly session timeout also in case when FORM is combined with other mechanisms
Documentation
- [UNDERTOW-2193] - UndertowOptions class doesn't specify what many size settings represent
Enhancement
- [UNDERTOW-2386] - Update ci.yml link to git docs
- [UNDERTOW-2398] - Tweak workflow to allow manual re-runs