Unit 1.34.2 released

Andrew Clayton ac at sigsegv.uk
Mon Mar 3 15:28:12 UTC 2025 

Hi, NGINX Unit community,

We are pleased to announce the release of NGINX Unit 1.34.2

This is a small bugfix release to address issues with the
Java language module websocket code.

This release can be found at

<https://github.com/nginx/unit/releases/tag/1.34.2>

Packages can be found from the Unit website

<https://unit.nginx.org/installation/#official-packages>

Website announcement can be found at

<https://unit.nginx.org/news/2025/unit-1.34.2-released>

Unit 1.34.2 fixes two issues in the Java language module websocket code.

1) It addresses a potential security issue where we could get a negative
   payload length that could cause the Java language module process(es) to
   enter an infinite loop and consume excess CPU. This was a bug carried
   over from the initial Java websocket code import. It has been re-issued
   a CVE number (CVE-2025-1695).

2) It addresses an issue whereby decoded payload lengths would be limited
   to 32 bits.

Both these issues affect Unit versions from 1.11.0 to 1.34.1. If you use
the Java language module with websockets it is strongly suggested to
upgrade.

========================================================================

Changes with Unit 1.34.2                                     26 Feb 2025

    *) Security: fix missing websocket payload length validation in the Java
       language module which could lead to Java language module processes
       consuming excess CPU. (CVE-2025-1695).

    *) Bugfix: fix incorrect websocket payload length calculation in the
       Java language module.


------------------------------------------------------------------------

Changes since 1.34.1 are as follows:

Andrew Clayton (6):
      Version bump
      tools/unitctl: Update for version 1.34.2
      docs/unit-openapi.yaml: Update version for 1.34.2
      pkg/docker: Update dockerfiles for 1.34.2
      docs/changes.xml: Add 1.34.2 changelog entries
      Add 1.34.2 CHANGES

Mark Thomas (2):
      java: websocket: Fix calculation of payload length for > 32bit values
      java: websocket: Additional payload length validation

More information about the unit mailing list