docs: 10.2.7 release notes (#3925)

akka · Nov 2, 2021 · df3dbfb · df3dbfb
1 parent afecb31
commit df3dbfb
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/docs/src/main/paradox/release-notes/10.2.x.md b/docs/src/main/paradox/release-notes/10.2.x.md
@@ -1,5 +1,39 @@
 # 10.2.x Release Notes
 
+## 10.2.7
+
+This release is an important security fix release.
+
+Most importantly, we fixed a problem with parsing headers containing `comment` elements ([#3918](https://github.com/akka/akka-http/issues/3918)). The HTTP spec allows arbitrary
+nesting of those elements, e.g. in the `User-Agent` header. When such a header is parsed, an Akka HTTP application may
+fail fatally with a `StackOverflowError`. Akka HTTP 10.2.7 mitigates this issue by conservatively limiting the allowed
+depth of `comment` elements in headers. See @ref[the advisory for CVE-2021-42697](../security/2021-CVE-2021-42697-stack-overflow-parsing-user-agent.md) for more information about this security issue.
+
+Another issue has been fixed in relation to header rendering ([#3717](https://github.com/akka/akka-http/issues/3717)).
+Akka HTTP does not validate that header values (or keys)
+are well-formed when those are provided as Strings (e.g. in a `RawHeader`). In particular, HTTP headers are not allowed
+to contain the special characters `'\r'` or `'\n'` which are used to delineate headers in an HTTP message. Before 10.2.7,
+Akka HTTP would naively render those broken header values leading to broken HTTP messages. The generation of headers is
+usually in complete control of the application. However, an application may accidentally pass incoming unvalidated user
+data to response headers. In such a case, a remote user might be able to inject line terminators into the response headers
+leading to invalid or misleading HTTP response messages. Depending on the server setup, this can be a building block for
+severe attacks.
+
+To mitigate this issue, Akka HTTP now discards outgoing headers containing line terminators and logs a warning. Users
+are encouraged to be on the watch when creating headers (or any kind of outgoing data) from unvalidated user input as this
+is a common vector for different kinds of attacks.
+
+
+### Changes since 10.2.6
+
+#### akka-http-core
+
+* core: limit comment nesting in header parser[#3924](https://github.com/akka/akka-http/pull/3924)
+* core: discard outgoing headers containing line breaks [#3922](https://github.com/akka/akka-http/pull/3922)
+* core: avoid calling numConnectedSlots when possible [#3904](https://github.com/akka/akka-http/pull/3904)
+* core: simplify HeaderCompression [#3871](https://github.com/akka/akka-http/pull/3871)
+* core: end HTTP/2 stream with empty DATA rather than empty HEADERS [#3913](https://github.com/akka/akka-http/pull/3913)
+
 ## 10.2.6
 
 This release is a bug fix release that fixes a bug in HTTP/2 processing, [#3890](https://github.com/akka/akka-http/issues/3890).