Released on 2021-06-29.
Ratpack 1.9.0 is now available!
This release contains the following security fixes:
- Cached redirect poisoning via X-Forwarded-Host header
- Default client side session signing key is highly predictable
- Client side sessions should not allow unencrypted storage
- Remote Code Execution Vulnerability in Session Storage
In response to “Remote Code Execution Vulnerability in Session Storage”, every type stored in a session must now be registered on an explicit allow list before it can be deserialized; unregistered types are rejected. All users of the ratpack-session module are recommended to read the advisory for details.
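To illustrate what the allow-list requirement means in application code, here is an added example (not code from the Ratpack project or this release announcement). It assumes the 1.9.0 API exposes a static SessionModule.allowTypes(Binder, Class<?>...) method for registering session-safe types, and it uses a constructed UserProfile class as the value stored in the session; everything else is the standard Ratpack Guice and Session API.

```java
import java.io.Serializable;

import ratpack.guice.Guice;
import ratpack.server.RatpackServer;
import ratpack.session.Session;
import ratpack.session.SessionModule;

public class SessionAllowListExample {

  // Constructed example type kept in the session. Session values must be
  // Serializable, and since 1.9.0 they must also be on the allow list below.
  public static final class UserProfile implements Serializable {
    private static final long serialVersionUID = 1L;
    public final String username;

    public UserProfile(String username) {
      this.username = username;
    }
  }

  public static void main(String[] args) throws Exception {
    RatpackServer.start(server -> server
      .registry(Guice.registry(bindings -> {
        bindings.module(SessionModule.class);
        // Assumed API: register every class the session is allowed to
        // deserialize. Anything not listed here is refused on read, which is
        // the mitigation for the deserialization RCE described in the advisory.
        bindings.binder(binder -> SessionModule.allowTypes(binder, UserProfile.class));
      }))
      .handlers(chain -> chain
        // Store an allow-listed value in the session.
        .get("login", ctx -> ctx.get(Session.class)
          .set("profile", new UserProfile("alice"))
          .then(() -> ctx.render("stored")))
        // Read it back; the type is accepted because it was registered above.
        .get("whoami", ctx -> ctx.get(Session.class)
          .get("profile", UserProfile.class)
          .then(profile -> ctx.render(profile.map(p -> p.username).orElse("anonymous"))))
      )
    );
  }
}
```

The allow list is the security boundary: keep it to the small set of value types your handlers actually store, and treat any new type added to it as a review item, since each one widens what session data the server will deserialize.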
Special thanks to Jonathan Leitschuh for reporting and advising on the above issues.
Please also see the additional changes and fixes listed below.
We hope you enjoy Ratpack 1.9.0.
Pull Requests (9)
-  - Properly handling Expect: 100-continue when request streaming as proxy. (johnrengelman)
-  - Use netty nio DNS resolver by default in HttpClient (johnrengelman)
-  - Update Netty to 4.1.50 (amityatagiri)
-  - Add Predicate and Class onError handlers to Operation (timyates)
-  - Remove lazybones (ldaley)
-  - Use relative redirects and don't infer the public address (ldaley)
-  - Use random UUID for default client side session encryption secret (ldaley)
-  - Require registration of types before they can be used in a session (ldaley)
-  - Update to Gradle Enterprise Gradle Plugin 3.6 (runningcode)