Release 2.4.0.Final: fixes CVE-2026-28367, CVE-2026-28368, CVE-2026-28369
Full list of Jiras: view in Jira
Release notes - Undertow - 2.4.0.Final
Feature Request
UNDERTOW-1593 Track processing time of in flight requests
UNDERTOW-1748 Provide a way to "comment" a line in predicate language
UNDERTOW-1870 Hard-coded timeout for asynchronous HTTP requests - add async context timeout undertow option
UNDERTOW-1880 Undertow should support HTTP/2 connection management, wrt GOAWAY frame
UNDERTOW-1881 Add a new exchange attribute for SSL/TLS protocol version
UNDERTOW-2010 Provide method to invalidate all paths in CachingResourceManager
UNDERTOW-2242 Add UndertowOptions.ALLOW_ID_LESS_MATRIX_PARAMETERS
UNDERTOW-2273 Exchange Attribute parser doesn't handle nested attributes
UNDERTOW-2301 HTTP/2 cannot be configured on a per-listener basis
UNDERTOW-2319 Move io.undertow.multipart.minsize property to UndertowOptions
UNDERTOW-2553 Add rewriteHostHeader to ModCluster
UNDERTOW-2580 Support SameSite and custom cookie attributes
UNDERTOW-2696 Allow PathHandler to check for registered prefixes
UNDERTOW-2706 Add UndertowOptions.WEB_SOCKETS_READ_TIMEOUT
Component Upgrade
UNDERTOW-2584 Upgrade JBoss Threads to 3.9.1
UNDERTOW-2644 Upgrade WildFly OpenSSL to 2.2.5.Final
Enhancement
UNDERTOW-1901 Add multipart support methods to ManagedServlet and HttpServerExchange signatures
UNDERTOW-1904 HttpSessionImpl use exception driven control
UNDERTOW-2110 Allow line breaks in predicates
UNDERTOW-2231 Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
UNDERTOW-2249 HttpClientConnection.sendRequest on a closed connection should result in a ClosedChannelException
UNDERTOW-2254 Include the HttpServerExchange in the HostSelector
UNDERTOW-2288 Ignore line breaks inside of predicate and handlers for better readability
UNDERTOW-2325 secure-cookie() handler doesn't pick up directly-added set-cookie headers
UNDERTOW-2335 Add an example of the PredicatesHandler and specifically the predicate handler parser
UNDERTOW-2404 Directory listing has no sort
UNDERTOW-2634 Add mime mappings for mp4, webm, flac, weba, csv and webp
UNDERTOW-2645 Remove uses of javax.security.cert
UNDERTOW-2660 Add RoutingHandler usage example
UNDERTOW-2714 Refactor Session.getSessionManager() -> SessionReference
UNDERTOW-2717 DirectByteBufferDeallocator should avoid using ThreadLocal
UNDERTOW-2738 Move UndertowOptions to Cookies and clean up method signatures
Bug
UNDERTOW-1794 DefaultAccessLogReceiver violates Closeable contract
UNDERTOW-1874 ProxyForwardedTestCase and ProxyXForwardedTestCase should check results with DefaultServer.getDefaultServerAddress() instead of Socket.getLocalAddress()
UNDERTOW-2157 UndertowOutputStream.transferFrom appears to have a broken signature
UNDERTOW-2194 Cookie parsing/assembling does not work 100% correctly.
UNDERTOW-2269 Encode Query string on forward/include and properly handle merging
UNDERTOW-2358 QueryParameterAttribute doesn't update query string in exchange
UNDERTOW-2359 rewrite() handler does not keep query parameters and query string in sync correctly
UNDERTOW-2590 Support "rspauth" in Digest auth header
UNDERTOW-2594 CVE-2026-28368 Undertow splits header names from values on spaces
UNDERTOW-2595 CVE-2026-28369 Request Smuggling via Malformed HTTP Request Headers
UNDERTOW-2596 CVE-2026-28367 Request smuggling via `\r\r\r` as a header block terminator
UNDERTOW-2603 Quoted values and comma separator cookie parsing is broken
UNDERTOW-2616 request.getParts should throw unwrapped IOException
UNDERTOW-2662 Quoted cookie versions cannot be parsed correctly
UNDERTOW-2675 Make Undertow compatible with RFC6265
UNDERTOW-2686 HttpSession.Accessor can throw ISE if session identifier has since changed
UNDERTOW-2695 Inconsistent processing of different predicates
UNDERTOW-2700 Undertow worker threads stuck on ServletOutputStreamImpl.writeBlocking()
UNDERTOW-2712 The deprecated getRequestCookies() and getResponseCookies() need to return a valid map
Task
UNDERTOW-2103 Enable OpenSSL building in CI
UNDERTOW-2523 Implement Jakarta Servlet 6.1
UNDERTOW-2646 Move servlet and websockets to Undertow EE
UNDERTOW-2650 Update CI and spotbugs-exclude to exclude ee files
UNDERTOW-2671 Update code headers
UNDERTOW-2684 Add SessionManager.isDistributed()
Library Upgrade
UNDERTOW-2651 Upgrade SpotBugs to the latest
UNDERTOW-2725 Upgrade JBoss Threads to 3.9.2
UNDERTOW-2726 Upgrade JBoss Logging to 3.6.2.Final
UNDERTOW-2727 Upgrade Netty to 4.2.10.Final
UNDERTOW-2728 Upgrade Apache Felix Bundle plugin to 6.0.2
UNDERTOW-2730 Upgrade JBoss Class File Writer to 1.3.0.Final
UNDERTOW-2731 Upgrade JBoss Logging Processor to 3.0.0.Final
UNDERTOW-2732 Upgrade JBoss Log Manager to 3.1.2.Final
UNDERTOW-2733 Upgrade WildFly Common to 2.0.1
UNDERTOW-2735 Upgrade Apache HttpComponents to 4.5.14
Sub-task
UNDERTOW-2462 Create a default constant for UndertowOptions.ALLOW_ENCODED_HASH
UNDERTOW-2464 Create a default constant for UndertowOptions.DECODE_URL
UNDERTOW-2465 Fix UndertowOptions.URL_CHARSET Javadoc
UNDERTOW-2466 Create a default constant for UndertowOptions.ALWAYS_SET_KEEP_ALIVE
UNDERTOW-2467 Create a default constant for UndertowOptions.ALWAYS_SET_DATE
UNDERTOW-2473 Create a default constant for UndertowOptions.ENABLE_HTTP2
UNDERTOW-2474 Create a default constant for UndertowOptions.ENABLE_STATISTICS
UNDERTOW-2475 Mark UndertowOptions.ENABLE_CONNECTOR_STATISTICS for removal
UNDERTOW-2476 Create a default constant for UndertowOptions.ALLOW_UNKNOWN_PROTOCOLS
UNDERTOW-2481 Create a default constant for UndertowOptions.HTTP2_SETTINGS_INITIAL_WINDOW_SIZE
UNDERTOW-2483 Mark UndertowOptions.HTTP2_SETTINGS_MAX_HEADER_LIST_SIZE for removal
UNDERTOW-2484 Create a default constant for UndertowOptions.HTTP2_PADDING_SIZE
UNDERTOW-2485 Create a default constant for UndertowOptions.MAX_QUEUED_READ_BUFFERS
UNDERTOW-2491 Create a default constant for UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER
UNDERTOW-2492 Create a default constant for UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL
UNDERTOW-2494 Create a default constant for UndertowOptions.QUEUED_FRAMES_HIGH_WATER_MARK
UNDERTOW-2495 Create a default constant for UndertowOptions.QUEUED_FRAMES_LOW_WATER_MARK
UNDERTOW-2635 BufferLeak errors in AbstractFramedChannel.receive()
Clarification
UNDERTOW-2690 Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior