Release 2.3.19.Final fixes CVE-2024-4109
Full list of issues: view in Jira
Release Notes - Undertow - Version 2.3.19.Final
Sub-task
- [UNDERTOW-2499] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.annotated
- [UNDERTOW-2501] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.dynamicupgrade
- [UNDERTOW-2502] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.extension
- [UNDERTOW-2503] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.reconnect
- [UNDERTOW-2504] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.security
- [UNDERTOW-2505] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.suspendresume
- [UNDERTOW-2506] - Review anonymous classes in Undertow io.undertow.websockets.jsr.test.stress
- [UNDERTOW-2518] - WebSocketTimeoutTestCase can fail on CI
- [UNDERTOW-2574] - BufferLeak on AbstractFramedChannel.allocateReferenceCountedBuffer
Bug
- [UNDERTOW-2340] - RequestEncodingHandler does not update Content-Length after uncompressing
- [UNDERTOW-2361] - Deflate request body support (content-encoding in request) does not work as expected
- [UNDERTOW-2457] - Bytes may get lost across ProxyProtocolReadListener parsing invocations for v1
- [UNDERTOW-2509] - Unable to set correct HTTP response code when a file upload is too large.
- [UNDERTOW-2511] - CVE-2024-4109 undertow: information leakage via HTTP/2 request header reuse
- [UNDERTOW-2520] - Web socket codes for protocol error and wrong code are swapped
- [UNDERTOW-2532] - Websocket Session NPE
- [UNDERTOW-2538] - The Servlet ServletRelativePathAttribute has the same priority as the Core RelativePathAttribute
- [UNDERTOW-2547] - Perform gathering write in HttpRequestConduit to decrease latency
- [UNDERTOW-2555] - AJP Redirect with unescaped characters in URL is not encoded
- [UNDERTOW-2565] - HTTP2 sets exchange.queryString unencoded with allow unescaped characters in URL
- [UNDERTOW-2566] - HttpRequestParser.handleQueryParameters can set an encoded query string
- [UNDERTOW-2567] - Decoding of query strings with unescaped characters does not work in HTTP2 upgrade
- [UNDERTOW-2573] - MultiParseParserDefinition can overwrite entity size in exchange request
- [UNDERTOW-2576] - ProxyHandler can throw NullPointerException if the source address SocketAddress has no ip address
- [UNDERTOW-2597] - MultiPartParserDefinition must check for entity size larger than zero
Task
- [UNDERTOW-2548] - Update action versions in workflow
- [UNDERTOW-2568] - Resolve build warnings
- [UNDERTOW-2569] - Use of the maven.compiler.release property as the javadoc version
- [UNDERTOW-2600] - Upgrade jboss-parent pom to 50
- [UNDERTOW-2601] - Update pom to work with the new nexus deployment repository
Component Upgrade
- [UNDERTOW-2431] - Bump jboss-parent to 46 (2.3.x) /36 (2.2.x)
- [UNDERTOW-2570] - Upgrade jboss-parent pom to 49
- [UNDERTOW-2586] - Upgrade JBoss Threads to 3.7.0.Final
Enhancement
- [UNDERTOW-2371] - initialize the DefaultServer once to speed up test HttpContinueSslServletTestCase #1574
- [UNDERTOW-2432] - Bump javadoc plugin to 3.3.0+ in maintenance branches
- [UNDERTOW-2522] - Investigate misleading build failures
- [UNDERTOW-2556] - Make sure max-post-size check for a request with a content-length is done before any response is sent from the server
- [UNDERTOW-2562] - AccessLogFileWithUnescapedCharactersTestCase does not clear UndertowOptions
- [UNDERTOW-2563] - DefaultServer used for tests should apply server options to all openListeners
- [UNDERTOW-2564] - Validate the signature of @BeforeServerStarts and @AfterServerStops methods
- [UNDERTOW-2571] - Fix util.Security actions as it does not take into account "default"