diff --git a/docs/src/main/paradox/release-notes.md b/docs/src/main/paradox/release-notes.md index 241a31fa9a0..529be4ca0bc 100644 --- a/docs/src/main/paradox/release-notes.md +++ b/docs/src/main/paradox/release-notes.md 
@@ -1,5 +1,76 @@ # Release Notes +## 10.0.6 + +See the [announcement](http://akka.io/news/2017/05/03/akka-http-10.0.6-released.html) and +closed tickets on the [10.0.6 milestone](https://github.com/akka/akka-http/milestone/23?closed=1). + +10.0.6 is a security and maintenance release in the stable 10.0.x series of Akka HTTP. + +@@@ warning + +This release contains a fix for a serious security vulnerability that allows a remote attacker to shut down any Akka +HTTP application using the routing DSL. See the +@ref[details](security/2017-05-03-illegal-media-range-in-accept-header-causes-stackoverflowerror.md) for more information. +Please update as soon as possible. + +@@@ + +### List of Changes + +#### Improvements + +##### akka-http-core + * Make response parser more relaxed on accepting status line without reason message ([#981](https://github.com/akka/akka-http/issues/981)) + * Use media type parameters in content negotiation ([#963](https://github.com/akka/akka-http/issues/963)) + * Small performance improvements ([#999](https://github.com/akka/akka-http/issues/999), [#1032](https://github.com/akka/akka-http/issues/1032)) + * Added `HttpMessage.transformEntityDataBytes` ([#771](https://github.com/akka/akka-http/issues/771)) + * Allow binding server with HTTP/2 support via configuration flag with `Http().bindAndHandleAsync` ([#463](https://github.com/akka/akka-http/issues/463)) + +##### akka-http + + * Make marshaller composition more lazy to prevent redundant marshalling when using `Marshaller.oneOf` ([#1019](https://github.com/akka/akka-http/issues/1019)) + * Allow Java-implemented ContentTypeResolver ([#360](https://github.com/akka/akka-http/issues/360)) + * Java DSL routing `complete` now has override that takes`ResponseEntity` as a parameter instead of `RequestEntity` ([#982](https://github.com/akka/akka-http/issues/982)) + * Improved usage and documentation of Encoder / Decoder on the Scala and Java side ([#771](https://github.com/akka/akka-http/issues/771)) 
+ +##### akka-http2-support + + * Refactoring: move handling of per-stream frames to dedicated state handlers ([#1064](https://github.com/akka/akka-http/issues/1064)) + +##### Documentation + + * Provide Decoding Response example for Java ([#760](https://github.com/akka/akka-http/issues/760)) + * Add Java example to extract header value with default value ([#639](https://github.com/akka/akka-http/issues/639)) + * Add HTTP custom method example ([#954](https://github.com/akka/akka-http/issues/954)) + * Smaller fixes and additions + +##### Build + Infrastructure + + * Add OSGi to project in order to release each project with OSGi bundle headers ([#574](https://github.com/akka/akka-http/issues/574)) + * Rename root project to 'akka-http-root' ([#1030](https://github.com/akka/akka-http/issues/1030)) + +#### Bug Fixes + +##### akka-http-core + + * Ignore unsupported `*/xyz` media types ([#1072](https://github.com/akka/akka-http/issues/1072)) + * Exclude port when rendering X-Forwarded-For and X-Real-Ip headers ([#440](https://github.com/akka/akka-http/issues/440)) + * Fix NPE when accessing static Java constant fields ([#936](https://github.com/akka/akka-http/issues/936)) + * Make sure pool log messages have "PoolGateway" set as logClass for easier filtering ([#1013](https://github.com/akka/akka-http/issues/1013)) + +##### akka-http + + * Move special non-2xx handling from RequestContextImpl to fromStatusCodeAndHeadersAndValue marshaller ([#1072](https://github.com/akka/akka-http/issues/1072)) + * Handle failure while parsing the URI in parameter extraction ([#1043](https://github.com/akka/akka-http/issues/1043)) + * Make `extractStrictEntity` provide strict entity for inner routes ([#961](https://github.com/akka/akka-http/issues/961)) + * Enable javadsl to unmarshal with default `ExecutionContext` ([#967](https://github.com/akka/akka-http/issues/967)) + * Smaller fixes for `HttpApp` + +##### akka-http2-support + + * Fix memory leak in ALPN switcher 
([#886](https://github.com/akka/akka-http/issues/886)) + ## 10.0.5 See the [announcement](http://akka.io/news/2017/03/17/akka-http-10.0.5-released.html) and @@ -9,7 +80,7 @@ This is the fifth maintenance release of the Akka HTTP 10.0 series. It is primar ### List of Changes -#### Improvements: +#### Improvements ##### akka-http-core * New docs and API for registering custom headers with JavaDSL ([#761](https://github.com/akka/akka-http/issues/761)) @@ -20,7 +91,7 @@ This is the fifth maintenance release of the Akka HTTP 10.0 series. It is primar ##### akka-http * Unmarshal.to now uses the materializer ExecutionContext if no other provided implicitly ([#947](https://github.com/akka/akka-http/pull/947)) -#### Bug fixes: +#### Bug Fixes ##### akka-http-core * Prevent longer-than-needed lingering streams by fixing DelayCancellationStage ([#945](https://github.com/akka/akka-http/issues/945)) @@ -60,7 +131,7 @@ See [#851](https://github.com/akka/akka-http/issues/851) for more information. * New documentation page about how to deal with the client-side `max-open-requests` exception ([39f36dd](https://github.com/akka/akka-http/commit/39f36dd)) * Lots of small cleanups and improvements -#### Bug fixes +#### Bug Fixes ##### akka-http-core * Fix a regression introduced in 10.0.3 that might lead to memory leaking after a server connection has been closed. ([#851](https://github.com/akka/akka-http/issues/851)) @@ -116,7 +187,7 @@ previous behavior so we are listing them here to bring attention to potential is * Lots of larger and smaller improvements to Http2 support -#### Bugfixes +#### Bug Fixes ##### akka-http-core: diff --git a/docs/src/main/paradox/security.md b/docs/src/main/paradox/security.md index 2ed7d0977c3..6d31cd922f8 100644 --- a/docs/src/main/paradox/security.md +++ b/docs/src/main/paradox/security.md 
@@ -19,7 +19,7 @@ to ensure that a fix can be provided without delay. ### Fixed in Akka HTTP 10.0.6 & 2.4.11.2 -* @ref:[Illegal Media Range in Accept Header Causes StackOverflowError Leading to Denial of Service](2017-05-03-illegal-media-range-in-accept-header-causes-stackoverflowerror.md) +* @ref:[Illegal Media Range in Accept Header Causes StackOverflowError Leading to Denial of Service](security/2017-05-03-illegal-media-range-in-accept-header-causes-stackoverflowerror.md) ### Fixed in Akka HTTP 10.0.2 & 2.4.11.1 diff --git a/docs/src/main/paradox/security/2017-05-03-illegal-media-range-in-accept-header-causes-stackoverflowerror.md b/docs/src/main/paradox/security/2017-05-03-illegal-media-range-in-accept-header-causes-stackoverflowerror.md index 974a14efe79..6c0c935f13f 100644 --- a/docs/src/main/paradox/security/2017-05-03-illegal-media-range-in-accept-header-causes-stackoverflowerror.md +++ b/docs/src/main/paradox/security/2017-05-03-illegal-media-range-in-accept-header-causes-stackoverflowerror.md @@ -13,7 +13,7 @@ Please subscribe to the [akka-security](https://groups.google.com/forum/#!forum/ ## Severity -The CVSS score of this vulnerability is 7.8 (High), based on vector [AV:N/AC:L/Au:N/C:N/I:N/A:C](https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)). +The CVSS score of this vulnerability is 7.8 (High), based on vector [(AV:N/AC:L/Au:N/C:N/I:N/A:C)](https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV:N/AC:L/Au:N/C:N/I:N/A:C%29). ## Impact @@ -27,11 +27,11 @@ Applications written using only the low-level API from akka-http-core but not th - akka-http prior to `10.0.6` and `2.4.11.2` -Notable **not affected**: +Notably **not affected**: - Play Framework (regardless of used server backend) - Lagom Framework -- Users of the low-level akka-http-core APIs +- Low-level akka-http-core APIs ## Fixed versions
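Review bot: In the new 10.0.6 section of release-notes.md, the warning announces a security fix but none of the entries under "Bug Fixes" is identified as that fix, so a reader scanning the list cannot tell which change closes the vulnerability. Mark the relevant entry or add one that points to the advisory. While there, confirm that #1072 is the right ticket for both "Ignore unsupported `*/xyz` media types" and "Move special non-2xx handling from RequestContextImpl to fromStatusCodeAndHeadersAndValue marshaller". Smaller points in the same hunk: "takes`ResponseEntity`" is missing a space before the backtick, and the warning uses `@ref[details](...)` while security.md in this patch uses the `@ref:[...]` form.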
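Review bot: In the last release-notes.md hunk (`@@ -116,7 +187,7 @@`), the heading is normalized to "#### Bug Fixes" but the context line directly below it still reads "##### akka-http-core:" with a trailing colon. Since this patch removes the colons from the other headings, drop that one as well.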
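Review bot: In the Severity hunk of the advisory, the sentence says "The CVSS score" without a version, while the vector uses `Au:N` and the link targets the `v2-calculator`, so this is a CVSS v2 score. Write "CVSS v2 score" so the 7.8 is not read against the v3 scale. The percent-encoding of the parentheses in the URL is fine, but the parentheses added to the link text could stay outside the link.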
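Review bot: In the "not affected" list of the advisory, the new wording "Low-level akka-http-core APIs" is broader than the sentence quoted in the hunk header, which limits the exemption to "Applications written using only the low-level API from akka-http-core". An application that uses the low-level API alongside the routing DSL is still affected, so something like "Applications using only the low-level akka-http-core APIs" keeps the list item in line with that sentence.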