File netty.changes of Package netty.28292

Overview Repositories Revisions Requests Users Attributes Meta

File netty.changes of Package netty.28292

-------------------------------------------------------------------
Thu Mar 30 16:49:51 UTC 2023 - Fridrich Strba <fstrba@suse.com>

- Upgrade to upstreeam version 4.1.90
  * Fixes of 4.1.90:
    + Adding header name of the header which failed validation
    + Fix HttpHeaders.names for non-String headers
    + Save expensive volatile operations in the common hot http
      decoder path
    + Avoid slow type checks against promises on outbound buffer's
      progress
    + Implement NonStickyEventExecutorGroup.inEventLoop
    + Native image: add support for unix domain sockets
    + Use MacOS SDK 10.9 to prevent apple notarization failures
    + Increase errno cache and guard against IOOBE
    + Don't reset BCSSLParameters when setting application protocols
    + WebSocketClientProtocolHandler: add option to disable UTF8
      validation
    + Chunked HTTP length decoding should account for
      whitespaces/ctrl chars
    + Handle NullPointerException thrown from
      NetworkInterface.getNetworkInterfaces()
  * Fixes of 4.1.89:
    + Don't fail on HttpObjectDecoder's maxHeaderSize greater then
      (Integer.MAX_VALUE - 2)
    + dyld: Symbol not found: _netty_jni_util_JNI_OnLoad when
      upgrading from 4.1.87.Final to 4.1.88.Final
  * Fixes of 4.1.88:
    + Speed-up HTTP 1.1 header and line parsing
    + Add StacklessSSLHandshakeException for ClosedChannelException
    + Modify changed CloseWebSocketFrame#statusCode() to change the
      fetch code to unsigned
    + Check if CommandLineTools are installed before trying to
      execute install_name_tool
    + Allow to adjust the GlobalEventExecutor quietPeriod via a
      system property
    + Add SslProvider.isOptionSupported(...)
    + Fix FlowControlHandler's behaviour to pass read events when
      auto-reading is turned off
    + Ensure Http2StreamFrameToHttpObjectCodec#decode doesn't add
      transfer-encoding for 204/304 response
    + Only do extra CNAME query if we couldnt follow the whole CNAME
      chain in the response
    + Include query id when a query failed
    + DnsResolveContext: include expected record types in exception
      message
    + Add necessary native-image configuration files for epoll
    + Create a deep-copy of the Throwable before returning it from
      the cache to prevent possible leaks
    + Always respect completeOncePreferredResolved in
      DnsNameResolver
    + fix brotli compression
    + Optionally depend on bctls-jdk15on
    + Make releasing objects back to Recycler faster
    + Correctly keep track of validExtensions per request / response
    + Add handling of inflight lookups to reduce real queries when
      lookup same hostname
    + DnsQueryContext: include query id and question info in
      exception message
    + AsciiStrings can be batch-encoded
  * Fixes of 4.1.87:
    + Upgrade to latest netty-tcnative release which doesnt link
      libcrypt
    + Add recvmmsg & sendmmsg syscall number for loongarch64
    + Return correct value from SSLSession.getPacketSize() when
      using native SSL implementation
    + Explicit disable TLSv1.3 in the OpenSSL options if not
      supported
    + Support handshake timeout in SniHandler.
    + Extend DNS address supplier interface to provide feedback
  * Fixes of 4.1.86:
    + HAProxyMessageDecoder Stack Exhaustion DoS (bsc#1206360,
      CVE-2022-41881)
    + HTTP Response splitting from assigning header value iterator
      (bsc#1206379, CVE-2022-41915)
    + Revert #12888 for potential task scheduling problems in
      HashedWheelTimer
    + Deprecate ObjectEncoder/ObjectDecoder
    + HPACK dynamic table size update must happen at the beginning
      of the header block
  * Fixes of 4.1.85:
    + A bug in FlowControlHandler that broke auto-read has been
      fixed
    + The HTTP/2 HPACK encoder is now faster at encoding headers
      that have many values
    + A potential memory leak bug has been fixed in the pooled
      allocator
    + Fix an issue with the Blockhound integration, which could
      cause the MacOSDnsServerAddressStreamProvider to be flagged
      as making blocking calls
    + Inconsitencies in how epoll, kqueue, and NIO handle RDHUP have
      been fixed
    + ByteToMessageDecoder now handle situations where the same
      ByteBuf instance is read multiple times
    + The check that ensures the HTTP/1 Content-Length header is
      unique, now no longer causes headers to be rearranged (change
      their order)
    + Fix a NullPointerException bug with class initialisation order
      between InternalLogger and InternalThreadLocalMap
    + When the netty-resolver-dns-native-macos classes can't load
      their native bindings, they now only print a short error
      message instead of the huge stack trace it printed previously.
      The stack trace is still included if DEBUG logging is enabled
    + The Graal native-image meta-data is now placed in the
      recommended location, and no longer causes warnings to be
      printed
    + The HTTP/1 and HTTP/2 codecs now properly support RFC 8297
      Early Hints
    + Subclasses of FastThreadLocalThread can now tell the Netty
      Blockhound integration that they should be allowed to make
      blocking calls
    + Validation of HTTP/2 connection headers have been moved from
      Http2Headers to HpackDecoder, so that outgoing headers are
      not validated
  * Fixes of 4.1.84:
    + HTTP/2 header values with invalid characters are now rejected
      in header validation
    + We now automatically generate conditional meta-data for
      native-image use, making GraalVM support more reliable
    + Fix a scalability issue caused by instanceof and check-cast
      checks that lead to false-sharing on the
      Klass::secondary_super_cache field in the JVM
      (See JDK-8180450)
    + Made the HTTP/2 HPACK static table implementation faster by
      using a perfect hash function
    + Fixed a bug in our PEMParser when PEM files have multiple
      objects, and BouncyCastle is on the classpath
  * Fixes of 4.1.82:
    + Fix a NullPointerException bug when calling forEachByte on
      nested CompositeByteBufs
    + Relax an overly strict HTTP/2 header validation check that was
      rejecting requests from Chrome and Firefox
    + The OpenSSL and BoringSSL implementations now respect the
      jdk.tls.client.protocols and jdk.tls.server.protocols system
      properties, making them react to these in the same way the JDK
      SSL provider does
  * Fixes of 4.1.81:
    + Fix a regression SslContext private key loading
    + Fix a bug in SslContext private key reading fall-back path
    + Fix a buffer leak regression in HttpClientCodec
    + Fix a bug where some HttpMessage implementations, that also
      implement HttpContent, were not handled correctly
    + The MessageFormatter and FormattingTuple classes are now
      usable in the public API
    + Connection related headers in HTTP/2 frames are now rejected,
      in compliance with the specification
  * Fixes of 4.1.80:
    + HttpObjectEncoder scalability issue due to instanceof checks
    + Improve logging when MacOSDnsServerAddressStreamProvider
      cannot be found/loaded
    + Replace stdlib write/read with send/recv
    + Support for pkcs1
    + Add Blockhound exceptions for the PooledByteBufAllocator
    + Fix epoll bug when receiving zero-sized datagrams
    + Avoid including header values in header validation failure
      exceptions
    + Avoid allocating large buffers in JdkZlibEncoder
    + Native Image Support: Set
      IS_EXPLICIT_TRY_REFLECTION_SET_ACCESSIBLE to true by default
      for native images
    + We need to use disconnectx(...) on macOS
    + Replace synchronized with Java Locks on the allocator
    + Don't use static instances of FixedRecvByteBufAllocator
    + Add escaping for stomp headers
  * Fixes of 4.1.79:
    + The PEM certificate parser is no longer susceptible to
      exponential back-off
    + Non-standard extra ampersands in HTTP POST bodies are no
      longer rejected
    + An io.netty.osClassifiers system property has been added to
      avoid reading os-release files
    + Fix a bug in SslHandler so handlerRemoved works properly even
      if handlerAdded throws an exception
    + Use the correct OSGi processor directive on aarch64, making it
      possible to use OSGi on ARM
    + HTTP paths that begin with a double-slash are now parsed the
      same way browsers do
    + The isCompleted flag is now correctly preserved on objects
      from HttpData.retainedDuplicate()
    + The HttpUtil.isOriginForm() and isAsteriskForm() methods now
      correctly conform with RFC 7230
    + Fix an issue that allowed the multicast methods on
      EpollDatagramChannel to be called outside of an event-loop
      thread
    + Support for the LoongArch64 processor architecture has been
      added
  * Fixes of 4.1.78:
    + Fix a bug where an OPT record was added to DNS queries that
      already had such a record
    + Fix a bug that caused an error when files uploaded with HTTP
      POST contained a backslash in their name
    + Fix an issue in the BlockHound integration that could
      occasionally cause NetUtil to be reported as performing
      blocking operations
    + A similar BlockHound issue was fixed for the JdkSslContext
    + Fix a bug that prevented preface or settings frames from
      being flushed, when an HTTP2 connection was established with
      prior-knowledge
    + Fixes a rare NullPointerException that could occur when a
      ReferenceCountedOpenSslEngine threw an OutOfMemoryError from
      its constructor, and was then later finalized
    + The SslHandler now adds the socket file descriptor to the
      BIOs, when the SslEngine supports this (boringssl and
      libressl), which allow tracing and observability tools to
      monitor encryption traffic on a per-connection basis.
    + It is now possible to explicitly step the scheduling clock in
      EmbeddedEventLoop, which is useful for making automated tests
      with deterministic scheduling
  * Fixes of 4.1.77:
    + Local Information Disclosure Vulnerability in Netty on
      Unix-Like systems due temporary files for Java 6 and lower in
      io.netty:netty-codec-http (bsc#1199338, CVE-2022-24823)
    + Upgraded the optional netty-tcnative dependency to version
      2.0.52.Final
    + Fix a bug where Netty fails to load a shaded native library
    + Include classifier in Automatic-Module-Name
    + Check if epoll_pwait2 is implemented
    + Don't call strdup on packagePrefix
    + Enable debugging of asynchronous tasks in Intellij
    + Throwing an exception in case glibc is missing instead of
      segfaulting the JVM
  * Fixes of 4.1.76:
    + Upgraded the optional netty-tcnative dependency to version
      2.0.51.Final
    + Upgraded the optional log4j dependency to version 2.17.2
    + The netty-all module now declare an automatic module name,
      making it useable with Java Modules.
    + It is now possible to configure arbitrary socket options for
      the native epoll and kqueue transports. Refer to your
      operating system documentation for what options are available.
    + It is now possible to explicitly bind channels to either IPv4
      or IPv6.
    + The HTTP/2 header validation that rejects duplicate
      pseudo-headers, which was added in 4.1.75.Final, has been
      changed so it no longer breaks older versions of gRPC.
    " Fix a NullPointerException that was hiding the real cause of
      certain HTTP/2 header decoding errors.
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * no-brotli-zstd.patch
    -> 0004-Disable-Brotli-and-ZStd-compression.patch
  * no-werror.patch
    + rebase
- Removed patches:
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
    + we have the dependencies, so no need to disable them
  * 0006-revert-Fix-native-image-build.patch
  * 0007-Revert-Support-session-cache-for-client-and-server-w.patch
    + solve the build breakages differently
- Added patches:
  * 0005-Do-not-use-the-Graal-annotations.patch
  * 0006-Do-not-use-the-Jetbrains-annotations.patch
    + do not use annotations for which we don't have dependencies
  * 0007-Do-not-require-the-tcnative-native-library.patch
    + our tcnative library is installed system-wide

-------------------------------------------------------------------
Thu Oct 13 11:21:47 UTC 2022 - Fridrich Strba <fstrba@suse.com>

- Force building with java 11 on ix86 in order to avoid random
  build failures

-------------------------------------------------------------------
Fri Apr  8 07:27:55 UTC 2022 - Fridrich Strba <fstrba@suse.com>

- Upgrade to latest upstream version 4.1.75
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
  * 0006-revert-Fix-native-image-build.patch
  * 0007-Revert-Support-session-cache-for-client-and-server-w.patch
    + rebase

-------------------------------------------------------------------
Tue Feb 22 18:27:07 UTC 2022 - Fridrich Strba <fstrba@suse.com>

- Do not build against the log4j12 packages

-------------------------------------------------------------------
Tue Dec 14 06:31:10 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Upgrade to latest upstream version 4.1.72
  * fixes: bsc#1190610, CVE-2021-37136: Bzip2Decoder doesn't allow
    setting size restrictions for decompressed data
  * fixes: bsc#1190613, CVE-2021-37137: SnappyFrameDecoder doesn't
    restrict chunk length any may buffer skippable chunks in an
    unnecessary way
  * fixes: bsc#1193672, CVE-2021-43797: possible HTTP request
    smuggling due to insufficient validation against control
    characters
  * fixes: bsc#1184203, CVE-2021-21409: request smuggling via
    content-length header
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
  * 0006-revert-Fix-native-image-build.patch
  * 0007-Revert-Support-session-cache-for-client-and-server-w.patch
  * no-werror.patch
    + rediff to changed context
- Added patch:
  * no-brotli-zstd.patch
    + disable Brotli and Zstd compression, since we lack
      the dependencies needed to build them

-------------------------------------------------------------------
Fri Mar 12 08:31:56 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Upgrade to latest upstream version 4.1.60
  * fixes: bsc#1183262, CVE-2021-21295: HTTP/2 request
    Content-Length header field is not validated by
    'Http2MultiplexHandler'
- Modified patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
  * 0006-revert-Fix-native-image-build.patch
    + rediff to changed context
- Added patch:
  * 0007-Revert-Support-session-cache-for-client-and-server-w.patch
    + revert optional disabled cache implementation that conflicts
      with our 0004-Remove-optional-dep-tcnative.patch

-------------------------------------------------------------------
Thu Feb 11 12:00:22 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Upgrade to latest upstream version 4.1.59
- Removed patches:
  * netty-CVE-2020-11612.patch
  * netty-CVE-2021-21290.patch
    + fixes integrated in the upstream sources
  * 0001-Remove-OpenSSL-parts-depending-on-tcnative.patch
  * 0002-Remove-NPN.patch
  * 0003-Remove-conscrypt-ALPN.patch
  * 0004-Remove-jetty-ALPN.patch
    + replaced by new patches
- Added patches:
  * 0001-Remove-optional-dep-Blockhound.patch
  * 0002-Remove-optional-dep-conscrypt.patch
  * 0003-Remove-optional-deps-jetty-alpn-and-npn.patch
  * 0004-Remove-optional-dep-tcnative.patch
  * 0005-Remove-optional-dep-log4j.patch
    + remove various optional dependencies that we do not need
  * 0006-revert-Fix-native-image-build.patch
    + Revert changes that introduce a new dependency that we
      do not have
  * no-werror.patch
    + Do not treat warnings as errors
- Build -poms and -javadoc as noarch packages, since they do not
  install anything in arch-dependent directories

-------------------------------------------------------------------
Thu Feb 11 09:20:25 UTC 2021 - Fridrich Strba <fstrba@suse.com>

- Added patch:
  * netty-CVE-2021-21290.patch
    + bsc#1182103, CVE-2021-21290

-------------------------------------------------------------------
Thu Apr  9 07:54:00 UTC 2020 - Fridrich Strba <fstrba@suse.com>

- Added patch:
  * netty-CVE-2020-11612.patch
    + bsc#1168932, CVE-2020-11612
    + bsc#1169082, CVE-2020-10707

-------------------------------------------------------------------
Thu Jan  9 15:14:41 UTC 2020 - Fridrich Strba <fstrba@suse.com>

- Split pom-only artifacts into a subpackage netty-pom in order
  to generate their dependencies correctly

-------------------------------------------------------------------
Wed Nov 13 19:18:57 UTC 2019 - Fridrich Strba <fstrba@suse.com>

- Initial packaging of netty 4.1.13

Places

File netty.changes of Package netty.28292

Places