Netty 4.2.15.Final released: vulnerability and security fixes, plus these notable changes!
Netty is an asynchronous event-driven network application framework, intended for the rapid development of maintainable, high-performance protocol servers and clients. Netty 4.2.15.Final is now available; this is a release that fixes bugs and security issues.
Vulnerability fixes
- [CVE-2026-48059](https://github.com/netty/netty/security/advisories/GHSA-h2qv-fj59-j46j): memory exhaustion in `io.netty:netty-codec-haproxy` (high)
- [CVE-2026-47691](https://github.com/netty/netty/security/advisories/GHSA-5pvg-856g-cp85): DNS cache poisoning in `io.netty:netty-resolver-dns` (high)
- [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-563q-j3cm-6jxm): DDoS in `io.netty:netty-codec-http2`
- [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-5w86-c3rq-vjj7): memory exhaustion in `io.netty:netty-codec-redis` (high)
- [CVE-2026-44250](https://github.com/netty/netty/security/advisories/GHSA-3244-j874-rhc2): memory exhaustion in `io.netty:netty-codec-redis` (high)
- [CVE-2026-44890](https://github.com/netty/netty/security/advisories/GHSA-6ghj-frrj-jjj3): memory exhaustion in `io.netty:netty-codec-redis` (high)
- [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-cq4q-cv5g-r8q5): information disclosure and denial of service in `io.netty:netty-codec-classes-quic`
- [CVE-2026-44249](https://github.com/netty/netty/security/advisories/GHSA-3qp7-7mw8-wx86): IPv6 subnet filter bypass in `io.netty:netty-handler` (high)
- [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-hvcg-qmg6-jm4c): request smuggling in `io.netty:netty-codec-http`
- [CVE-2026-44892](https://github.com/netty/netty/security/advisories/GHSA-c2rx-5r8w-8xr2): memory exhaustion in `io.netty:netty-codec-http3` (high)
- [CVE-2026-44893](https://github.com/netty/netty/security/advisories/GHSA-cc37-9q2j-3hfv): memory leak in `io.netty:netty-codec-haproxy` (high)
- [CVE-2026-44894](https://github.com/netty/netty/security/advisories/GHSA-cmm3-54f8-px4j): traffic amplification in `io.netty:netty-codec-classes-quic` (high)
- [CVE-2026-XXXXX](https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9): TLS hostname verification unexpectedly disabled in `io.netty:netty-handler` (high)
- [CVE-2026-45673](https://github.com/netty/netty/security/advisories/GHSA-xmv7-r254-6q78): DNS cache poisoning in `io.netty:netty-resolver-dns`
- [CVE-2026-45416](https://github.com/netty/netty/security/advisories/GHSA-x4gw-5cx5-pgmh): excessive memory usage caused by SNIHandler in `io.netty:netty-handler` (high)
- [CVE-2026-45536](https://github.com/netty/netty/security/advisories/GHSA-w573-9ffj-6ff9): file descriptor leak in `io.netty:netty-transport-native-epoll` and `io.netty:netty-transport-native-kqueue`
- [CVE-2026-45674](https://github.com/netty/netty/security/advisories/GHSA-676x-f7gg-47vc): DNS cache poisoning in `io.netty:netty-resolver-dns` (high)
- [CVE-2026-46340](https://github.com/netty/netty/security/advisories/GHSA-5xrh-qmmq-w6ch): memory exhaustion in `io.netty:netty-transport-sctp` (high)
- [CVE-2026-47244](https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q): denial of service in `io.netty:netty-codec-http2`
- [CVE-2026-48006](https://github.com/netty/netty/security/advisories/GHSA-6jv9-x5w9-2ccm): memory exhaustion in `io.netty:netty-codec-redis` (high)
- [CVE-2026-48748](https://github.com/netty/netty/security/advisories/GHSA-4grm-h2qv-h6w6): memory exhaustion in `io.netty:netty-codec-http3` (high)
- [CVE-2026-48043](https://github.com/netty/netty/security/advisories/GHSA-c2gf-v879-257j): memory exhaustion in `io.netty:netty-codec-http2`
Other notable changes
- Fix a race in `io.netty.channel.uring.IoUringIoHandler.wakeup` [#16836](https://github.com/netty/netty/pull/16836)
- HTTP/2: parse the request-target path the way Vert.x does [#16810](https://github.com/netty/netty/pull/16810)
- ChannelInitializer: correct a misleading comment about exceptionCaught routing [#16853](https://github.com/netty/netty/pull/16853)
- FlowControlHandler: suppress duplicate channelReadComplete events after the queue has been drained [#16837](https://github.com/netty/netty/pull/16837)
- Pass maxAllocation through to the Brotli and Zstd decoders [#16844](https://github.com/netty/netty/pull/16844)
- Add a maxWindowLog parameter to ZstdDecoder to bound memory allocation [#16850](https://github.com/netty/netty/pull/16850)
- MQTT: reject malformed packets that carry no payload but declare a non-zero Remaining Length [#16890](https://github.com/netty/netty/pull/16890)
For more details, see the [full release notes](https://github.com/netty/netty/releases/tag/netty-4.2.15.Final).