Changelog for netty-4.1.94-2.23.x86_64.rpm:
* Fri Jun 23 2023 Fridrich Strba
- Upgrade to upstream version 4.1.94
  * Fixes of 4.1.94:
    + Respect offset in io.netty.util.NetUtil#toAddressString(byte[], int, boolean)
    + Skip finalization for PoolThreadCache instances without small/normal caches
    + Use network byte order when encoding ipv4 address and port for Socks codecs
    + Call ReleaseByteArrayElements even when handling of socket_path fails to fix small mem leak
    + Always enable leak tracking for derived buffers if parent is tracked
    + Release DnsRecords when failing to notify promise
    + Delay possibility to reuse transaction id when query is failing because of timeout or cancellation
    + Implement contains for SelectedSelectionKeySet
    + Use Two-Way for finding the delimiter in DelimiterBasedFrameDecoder
    + Obtain the local address from the fd when the client connects only with remote address (UDS)
    + Allow to limit the maximum length of the ClientHello (bsc#1212637, CVE-2023-34462)
  * Fixes of 4.1.93:
    + Reset byte buffer in loop for AbstractDiskHttpData.setContent
    + OpenSSL MAX_CERTIFICATE_LIST_BYTES option supported
    + Adapt to DirectByteBuffer constructor in Java 21
    + HTTP/2 encoder: allow HEADER_TABLE_SIZE greater than Integer.MAX_VALUE
    + Upgrade to latest netty-tcnative to fix memory leak
    + H2/H2C server stream channels deactivated while write still in progress
    + Channel#bytesBefore(un)writable off by 1
    + HTTP/2 should forward shutdown user events to active streams
    + Respect the number of bytes read per datagram when using recvmmsg
  * Fixes of 4.1.92:
    + Make Recycler faster on OpenJ9
    + Allow to change the limit for the maximum size of the certificate chain.
    + Guard against unbounded grow of suppressed exceptions storage
    + Release websocket handshake response if pipeline checks fail
    + Add support for local and remote addresses on the server for child channels when UDS
    + Http types slow path checks
  * Fixes of 4.1.91:
    + Fire a PrematureChannelClosureException when Channel is closed while aggregating is still in progress
    + Connect without password if server returns NO_AUTH when using Socks5
    + Use optional resolution of sun.net.dns
    + Introduce Http2MultiplexActiveStreamsException that can be used to propagate an error to all active streams
    + Use the correct error when resetting a stream
    + Update: Add snappy support on HttpContentDecoder
    + Don't unwrap multiple records until we notified the caller about the finished handshake
    + Handle EHOSTUNREACH errors in io.netty.channel.unix.Errors
- Depend on netty-tcnative >= 2.0.60 for SSLContext.setMaxCertList method.
- Rebased patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Disable-Brotli-and-ZStd-compression.patch
  * 0005-Do-not-use-the-Graal-annotations.patch
  * 0006-Do-not-use-the-Jetbrains-annotations.patch
  * 0007-Do-not-require-the-tcnative-native-library.patch

* Thu Mar 30 2023 Fridrich Strba
- Upgrade to upstream version 4.1.90
  * Fixes of 4.1.90:
    + Adding header name of the header which failed validation
    + Fix HttpHeaders.names for non-String headers
    + Save expensive volatile operations in the common hot http decoder path
    + Avoid slow type checks against promises on outbound buffer's progress
    + Implement NonStickyEventExecutorGroup.inEventLoop
    + Native image: add support for unix domain sockets
    + Use MacOS SDK 10.9 to prevent apple notarization failures
    + Increase errno cache and guard against IOOBE
    + Don't reset BCSSLParameters when setting application protocols
    + WebSocketClientProtocolHandler: add option to disable UTF8 validation
    + Chunked HTTP length decoding should account for whitespaces/ctrl chars
    + Handle NullPointerException thrown from NetworkInterface.getNetworkInterfaces()
  * Fixes of 4.1.89:
    + Don't fail on HttpObjectDecoder's maxHeaderSize greater than (Integer.MAX_VALUE - 2)
    + dyld: Symbol not found: _netty_jni_util_JNI_OnLoad when upgrading from 4.1.87.Final to 4.1.88.Final
  * Fixes of 4.1.88:
    + Speed-up HTTP 1.1 header and line parsing
    + Add StacklessSSLHandshakeException for ClosedChannelException
    + Modify changed CloseWebSocketFrame#statusCode() to change the fetch code to unsigned
    + Check if CommandLineTools are installed before trying to execute install_name_tool
    + Allow to adjust the GlobalEventExecutor quietPeriod via a system property
    + Add SslProvider.isOptionSupported(...)
    + Fix FlowControlHandler's behaviour to pass read events when auto-reading is turned off
    + Ensure Http2StreamFrameToHttpObjectCodec#decode doesn't add transfer-encoding for 204/304 response
    + Only do extra CNAME query if we couldn't follow the whole CNAME chain in the response
    + Include query id when a query failed
    + DnsResolveContext: include expected record types in exception message
    + Add necessary native-image configuration files for epoll
    + Create a deep-copy of the Throwable before returning it from the cache to prevent possible leaks
    + Always respect completeOncePreferredResolved in DnsNameResolver
    + fix brotli compression
    + Optionally depend on bctls-jdk15on
    + Make releasing objects back to Recycler faster
    + Correctly keep track of validExtensions per request / response
    + Add handling of inflight lookups to reduce real queries when lookup same hostname
    + DnsQueryContext: include query id and question info in exception message
    + AsciiStrings can be batch-encoded
  * Fixes of 4.1.87:
    + Upgrade to latest netty-tcnative release which doesn't link libcrypt
    + Add recvmmsg & sendmmsg syscall number for loongarch64
    + Return correct value from SSLSession.getPacketSize() when using native SSL implementation
    + Explicitly disable TLSv1.3 in the OpenSSL options if not supported
    + Support handshake timeout in SniHandler.
    + Extend DNS address supplier interface to provide feedback
  * Fixes of 4.1.86:
    + HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360, CVE-2022-41881)
    + HTTP Response splitting from assigning header value iterator (bsc#1206379, CVE-2022-41915)
    + Revert #12888 for potential task scheduling problems in HashedWheelTimer
    + Deprecate ObjectEncoder/ObjectDecoder
    + HPACK dynamic table size update must happen at the beginning of the header block
  * Fixes of 4.1.85:
    + A bug in FlowControlHandler that broke auto-read has been fixed
    + The HTTP/2 HPACK encoder is now faster at encoding headers that have many values
    + A potential memory leak bug has been fixed in the pooled allocator
    + Fix an issue with the Blockhound integration, which could cause the MacOSDnsServerAddressStreamProvider to be flagged as making blocking calls
    + Inconsistencies in how epoll, kqueue, and NIO handle RDHUP have been fixed
    + ByteToMessageDecoder now handles situations where the same ByteBuf instance is read multiple times
    + The check that ensures the HTTP/1 Content-Length header is unique, now no longer causes headers to be rearranged (change their order)
    + Fix a NullPointerException bug with class initialisation order between InternalLogger and InternalThreadLocalMap
    + When the netty-resolver-dns-native-macos classes can't load their native bindings, they now only print a short error message instead of the huge stack trace it printed previously. The stack trace is still included if DEBUG logging is enabled
    + The Graal native-image meta-data is now placed in the recommended location, and no longer causes warnings to be printed
    + The HTTP/1 and HTTP/2 codecs now properly support RFC 8297 Early Hints
    + Subclasses of FastThreadLocalThread can now tell the Netty Blockhound integration that they should be allowed to make blocking calls
    + Validation of HTTP/2 connection headers has been moved from Http2Headers to HpackDecoder, so that outgoing headers are not validated
  * Fixes of 4.1.84:
    + HTTP/2 header values with invalid characters are now rejected in header validation
    + We now automatically generate conditional meta-data for native-image use, making GraalVM support more reliable
    + Fix a scalability issue caused by instanceof and check-cast checks that lead to false-sharing on the Klass::secondary_super_cache field in the JVM (See JDK-8180450)
    + Made the HTTP/2 HPACK static table implementation faster by using a perfect hash function
    + Fixed a bug in our PEMParser when PEM files have multiple objects, and BouncyCastle is on the classpath
  * Fixes of 4.1.82:
    + Fix a NullPointerException bug when calling forEachByte on nested CompositeByteBufs
    + Relax an overly strict HTTP/2 header validation check that was rejecting requests from Chrome and Firefox
    + The OpenSSL and BoringSSL implementations now respect the jdk.tls.client.protocols and jdk.tls.server.protocols system properties, making them react to these in the same way the JDK SSL provider does
  * Fixes of 4.1.81:
    + Fix a regression in SslContext private key loading
    + Fix a bug in SslContext private key reading fall-back path
    + Fix a buffer leak regression in HttpClientCodec
    + Fix a bug where some HttpMessage implementations, that also implement HttpContent, were not handled correctly
    + The MessageFormatter and FormattingTuple classes are now usable in the public API
    + Connection related headers in HTTP/2 frames are now rejected, in compliance with the specification
  * Fixes of 4.1.80:
    + HttpObjectEncoder scalability issue due to instanceof checks
    + Improve logging when MacOSDnsServerAddressStreamProvider cannot be found/loaded
    + Replace stdlib write/read with send/recv
    + Support for pkcs1
    + Add Blockhound exceptions for the PooledByteBufAllocator
    + Fix epoll bug when receiving zero-sized datagrams
    + Avoid including header values in header validation failure exceptions
    + Avoid allocating large buffers in JdkZlibEncoder
    + Native Image Support: Set IS_EXPLICIT_TRY_REFLECTION_SET_ACCESSIBLE to true by default for native images
    + We need to use disconnectx(...) on macOS
    + Replace synchronized with Java Locks on the allocator
    + Don't use static instances of FixedRecvByteBufAllocator
    + Add escaping for stomp headers
  * Fixes of 4.1.79:
    + The PEM certificate parser is no longer susceptible to exponential back-off
    + Non-standard extra ampersands in HTTP POST bodies are no longer rejected
    + An io.netty.osClassifiers system property has been added to avoid reading os-release files
    + Fix a bug in SslHandler so handlerRemoved works properly even if handlerAdded throws an exception
    + Use the correct OSGi processor directive on aarch64, making it possible to use OSGi on ARM
    + HTTP paths that begin with a double-slash are now parsed the same way browsers do
    + The isCompleted flag is now correctly preserved on objects from HttpData.retainedDuplicate()
    + The HttpUtil.isOriginForm() and isAsteriskForm() methods now correctly conform with RFC 7230
    + Fix an issue that allowed the multicast methods on EpollDatagramChannel to be called outside of an event-loop thread
    + Support for the LoongArch64 processor architecture has been added
  * Fixes of 4.1.78:
    + Fix a bug where an OPT record was added to DNS queries that already had such a record
    + Fix a bug that caused an error when files uploaded with HTTP POST contained a backslash in their name
    + Fix an issue in the BlockHound integration that could occasionally cause NetUtil to be reported as performing blocking operations
    + A similar BlockHound issue was fixed for the JdkSslContext
    + Fix a bug that prevented preface or settings frames from being flushed, when an HTTP2 connection was established with prior-knowledge
    + Fixes a rare NullPointerException that could occur when a ReferenceCountedOpenSslEngine threw an OutOfMemoryError from its constructor, and was then later finalized
    + The SslHandler now adds the socket file descriptor to the BIOs, when the SslEngine supports this (boringssl and libressl), which allows tracing and observability tools to monitor encryption traffic on a per-connection basis.
    + It is now possible to explicitly step the scheduling clock in EmbeddedEventLoop, which is useful for making automated tests with deterministic scheduling
  * Fixes of 4.1.77:
    + Local Information Disclosure Vulnerability in Netty on Unix-Like systems due to temporary files for Java 6 and lower in io.netty:netty-codec-http (bsc#1199338, CVE-2022-24823)
    + Upgraded the optional netty-tcnative dependency to version 2.0.52.Final
    + Fix a bug where Netty fails to load a shaded native library
    + Include classifier in Automatic-Module-Name
    + Check if epoll_pwait2 is implemented
    + Don't call strdup on packagePrefix
    + Enable debugging of asynchronous tasks in Intellij
    + Throwing an exception in case glibc is missing instead of segfaulting the JVM
  * Fixes of 4.1.76:
    + Upgraded the optional netty-tcnative dependency to version 2.0.51.Final
    + Upgraded the optional log4j dependency to version 2.17.2
    + The netty-all module now declares an automatic module name, making it useable with Java Modules.
    + It is now possible to configure arbitrary socket options for the native epoll and kqueue transports. Refer to your operating system documentation for what options are available.
    + It is now possible to explicitly bind channels to either IPv4 or IPv6.
    + The HTTP/2 header validation that rejects duplicate pseudo-headers, which was added in 4.1.75.Final, has been changed so it no longer breaks older versions of gRPC.
    + Fix a NullPointerException that was hiding the real cause of certain HTTP/2 header decoding errors.
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * no-brotli-zstd.patch -> 0004-Disable-Brotli-and-ZStd-compression.patch
  * no-werror.patch
    + rebase
- Removed patches:
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
    + we have the dependencies, so no need to disable them
  * 0006-revert-Fix-native-image-build.patch
  * 0007-Revert-Support-session-cache-for-client-and-server-w.patch
    + solve the build breakages differently
- Added patches:
  * 0005-Do-not-use-the-Graal-annotations.patch
  * 0006-Do-not-use-the-Jetbrains-annotations.patch
    + do not use annotations for which we don't have dependencies
  * 0007-Do-not-require-the-tcnative-native-library.patch
    + our tcnative library is installed system-wide

* Thu Oct 13 2022 Fridrich Strba
- Force building with java 11 on ix86 in order to avoid random build failures

* Fri Apr 08 2022 Fridrich Strba
- Upgrade to latest upstream version 4.1.75
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
  * 0006-revert-Fix-native-image-build.patch
  * 0007-Revert-Support-session-cache-for-client-and-server-w.patch
    + rebase

* Tue Feb 22 2022 Fridrich Strba
- Do not build against the log4j12 packages

* Tue Dec 14 2021 Fridrich Strba
- Upgrade to latest upstream version 4.1.72
  * fixes: bsc#1190610, CVE-2021-37136: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
  * fixes: bsc#1190613, CVE-2021-37137: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
  * fixes: bsc#1193672, CVE-2021-43797: possible HTTP request smuggling due to insufficient validation against control characters
  * fixes: bsc#1184203, CVE-2021-21409: request smuggling via content-length header
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
  * 0006-revert-Fix-native-image-build.patch
  * 0007-Revert-Support-session-cache-for-client-and-server-w.patch
  * no-werror.patch
    + rediff to changed context
- Added patch:
  * no-brotli-zstd.patch
    + disable Brotli and Zstd compression, since we lack the dependencies needed to build them