From ac at sigsegv.uk Mon Mar 3 15:28:12 2025
From: ac at sigsegv.uk (Andrew Clayton)
Date: Mon, 3 Mar 2025 15:28:12 +0000
Subject: Unit 1.34.2 released
Message-ID: <20250303152812.56755092@kappa.digital-domain.net>

Hi, NGINX Unit community,

We are pleased to announce the release of NGINX Unit 1.34.2

This is a small bugfix release to address issues with the Java language module websocket code.

This release can be found at

Packages can be found from the Unit website

Website announcement can be found at

Unit 1.34.2 fixes two issues in the Java language module websocket code.

1) It addresses a potential security issue where we could get a negative payload length that could cause the Java language module process(es) to enter an infinite loop and consume excess CPU. This was a bug carried over from the initial Java websocket code import. It has been re-issued a CVE number (CVE-2025-1695).

2) It addresses an issue whereby decoded payload lengths would be limited to 32 bits.

Both these issues affect Unit versions from 1.11.0 to 1.34.1. If you use the Java language module with websockets, it is strongly suggested to upgrade.

========================================================================

Changes with Unit 1.34.2                                       26 Feb 2025

    *) Security: fix missing websocket payload length validation in the
       Java language module which could lead to Java language module
       processes consuming excess CPU. (CVE-2025-1695).

    *) Bugfix: fix incorrect websocket payload length calculation in the
       Java language module.

------------------------------------------------------------------------

Changes since 1.34.1 are as follows:

Andrew Clayton (6):
      Version bump
      tools/unitctl: Update for version 1.34.2
      docs/unit-openapi.yaml: Update version for 1.34.2
      pkg/docker: Update dockerfiles for 1.34.2
      docs/changes.xml: Add 1.34.2 changelog entries
      Add 1.34.2 CHANGES

Mark Thomas (2):
      java: websocket: Fix calculation of payload length for > 32bit values
      java: websocket: Additional payload length validation
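The two defects above both live in how a WebSocket frame's payload length is decoded. RFC 6455 encodes the length as 7 bits, or 16 bits after the marker value 126, or 64 bits after the marker value 127, and requires the most significant bit of the 64-bit form to be zero. A reader that keeps the value in a 32-bit int silently truncates anything above 4 GiB, and a reader that takes the 64-bit value as-is can end up holding a negative length. The following is an added illustration written for this announcement; it is not NGINX Unit's Java module code and does not reproduce its exact control flow. It contrasts a hardened decoder that validates the length against the RFC 6455 rules and a size limit with a naive int-based decoder, run over constructed header bytes (no real traffic). The class and method names, and the `maxPayload` limit parameter, are assumptions of the example.

```java
import java.nio.ByteBuffer;

// Added example, not NGINX Unit's code: decode the payload length of an
// RFC 6455 WebSocket frame header the way a hardened reader should, and show
// how a naive int-based reader mishandles the same bytes.
public class WsPayloadLength {

    /** Thrown when the frame header violates RFC 6455 length rules. */
    public static class BadFrameException extends Exception {
        public BadFrameException(String msg) { super(msg); }
    }

    /**
     * Hardened decoder. Returns the payload length as a non-negative long.
     * buf must be positioned at the second header byte (MASK bit + 7-bit length).
     * maxPayload is an assumed application-level limit (hypothetical parameter).
     */
    public static long decodePayloadLength(ByteBuffer buf, long maxPayload) throws BadFrameException {
        int b = buf.get() & 0x7F;           // strip the MASK bit
        long len;
        if (b < 126) {
            len = b;
        } else if (b == 126) {
            len = buf.getShort() & 0xFFFFL; // 16-bit unsigned extended length
            if (len < 126) throw new BadFrameException("non-minimal 16-bit length");
        } else {
            len = buf.getLong();            // 64-bit extended length; RFC 6455: MSB MUST be 0
            if (len < 0) throw new BadFrameException("64-bit length has MSB set (negative)");
            if (len <= 0xFFFF) throw new BadFrameException("non-minimal 64-bit length");
        }
        if (len > maxPayload) throw new BadFrameException("payload exceeds configured limit");
        return len;
    }

    /** Naive decoder: accumulates into an int and performs no validation. */
    public static int naiveDecodePayloadLength(ByteBuffer buf) {
        int b = buf.get() & 0x7F;
        if (b < 126) return b;
        if (b == 126) return buf.getShort() & 0xFFFF;
        int len = 0;
        for (int i = 0; i < 8; i++) {       // int shifts discard the high 32 bits
            len = (len << 8) | (buf.get() & 0xFF);
        }
        return len;
    }

    // Builds a header fragment: second byte followed by the extended length bytes.
    private static ByteBuffer header(byte secondByte, byte... ext) {
        ByteBuffer buf = ByteBuffer.allocate(1 + ext.length);
        buf.put(secondByte).put(ext);
        buf.flip();
        return buf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed header bytes, not captured traffic.
        // Marker 127 then 0x80 00 00 00 00 00 00 01: MSB set, forbidden by RFC 6455.
        byte[] msbSet = {(byte) 0x80, 0, 0, 0, 0, 0, 0, 1};
        // Marker 127 then a legitimate 5 GiB length (0x1_4000_0000), wider than 32 bits.
        byte[] fiveGiB = {0, 0, 0, 1, 0x40, 0, 0, 0};

        // Taking the 64-bit field as a signed long without a check yields a negative length.
        System.out.println("raw long, MSB set : " + ByteBuffer.wrap(msbSet).getLong());
        // The int-based reader keeps only the low 32 bits: 1 and 1 GiB respectively.
        System.out.println("naive, MSB set    : " + naiveDecodePayloadLength(header((byte) 127, msbSet)));
        System.out.println("naive, 5 GiB      : " + naiveDecodePayloadLength(header((byte) 127, fiveGiB)));

        try {
            decodePayloadLength(header((byte) 127, msbSet), Long.MAX_VALUE);
        } catch (BadFrameException e) {
            System.out.println("hardened, MSB set : rejected (" + e.getMessage() + ")");
        }
        System.out.println("hardened, 5 GiB   : "
                + decodePayloadLength(header((byte) 127, fiveGiB), Long.MAX_VALUE));
        try {
            decodePayloadLength(header((byte) 127, fiveGiB), 1L << 20);
        } catch (BadFrameException e) {
            System.out.println("hardened, 1 MiB cap: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The design point for a defender is that the length must be held in a type wide enough for 64 bits, rejected immediately if the sign bit is set or the encoding is not minimal, and compared against an explicit maximum before any buffer is sized or any read loop starts. A frame that fails those checks should close the connection rather than feed a value into arithmetic that assumes it is sane.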