Version 1.9.0
Released on 2021-06-29.
Ratpack 1.9.0 is now available!
This release contains the following security fixes:
- Cached redirect poisoning via X-Forwarded-Host header
- Default client side session signing key is highly predictable
- Client side sessions should not allow unencrypted storage
- Remote Code Execution Vulnerability in Session Storage
In response to “Remote Code Execution Vulnerability in Session Storage”, all session objects must now be registered with an explicit allow list before they can be deserialized. All users of the ratpack-session module are recommended to read the advisory for details.
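To illustrate the allow-list principle behind that change, here is an added example (not Ratpack's own API, and not code from the project) that applies the same rule with the JDK's built-in `ObjectInputFilter`: only explicitly registered classes may be reconstructed from stored session bytes, and any other class descriptor is rejected before its object is instantiated. `UserPrefs` and the stored values are constructed stand-ins.

```java
import java.io.*;
import java.util.Set;

public class SessionAllowList {
    // Constructed stand-in for a value a hypothetical application keeps in its session.
    public static final class UserPrefs implements Serializable {
        private static final long serialVersionUID = 1L;
        final String theme;
        UserPrefs(String theme) { this.theme = theme; }
    }

    // Explicit allow list: the only classes the session store may deserialize.
    // String is listed because the JDK filter is also consulted for string objects.
    static final Set<String> ALLOWED = Set.of(UserPrefs.class.getName(), String.class.getName());

    // Rejects any class descriptor not on the list; UNDECIDED is returned only for
    // the filter's non-class checks (depth, array length, reference count).
    static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;
        while (c.isArray()) c = c.getComponentType(); // judge arrays by their element type
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(value); }
        return buf.toByteArray();
    }

    // Session read path: the filter is installed before readObject() touches any bytes.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        UserPrefs prefs = (UserPrefs) deserialize(serialize(new UserPrefs("dark")));
        System.out.println("registered type restored: theme=" + prefs.theme);
        // A serializable JDK class that was never registered: rejected with InvalidClassException.
        try {
            deserialize(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("unregistered type rejected: " + e.getMessage());
        }
    }
}
```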
Special thanks to Jonathan Leitschuh for reporting and advising on the above issues.
Please also see the additional changes and fixes listed below.
We hope you enjoy Ratpack 1.9.0.
Pull Requests (9)
- [1560] - Properly handling Expect: 100-continue when request streaming as proxy. (johnrengelman)
- [1581] - Use netty nio DNS resolver by default in HttpClient (johnrengelman)
- [1583] - Update Netty to 4.1.50 (amityatagiri)
- [1584] - Add Predicate and Class onError handlers to Operation (timyates)
- [1586] - Remove lazybones (ldaley)
- [1589] - Use relative redirects and don't infer the public address (ldaley)
- [1590] - Use random UUID for default client side session encryption secret (ldaley)
- [1592] - Require registration of types before they can be used in a session (ldaley)
- [1593] - Update to Gradle Enterprise Gradle Plugin 3.6 (runningcode)
Resolved Issues (4)
- [1552] - Client side session module does not allow setting last access time cookie name
- [1559] - Ratpack reverse-proxy failed on 100-continue response
- [1596] - RequestSpec.onRedirect functions are not always execution bound
- [1598] - Impositions should layer instead of being completely overwritten by nearest