From df3dbfbb8344844fdf4f9a2b3d8aebe3793bfc56 Mon Sep 17 00:00:00 2001 From: Johannes Rudolph Date: Tue, 2 Nov 2021 12:41:44 +0100 Subject: [PATCH] docs: 10.2.7 release notes (#3925) --- docs/src/main/paradox/release-notes/10.2.x.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/docs/src/main/paradox/release-notes/10.2.x.md b/docs/src/main/paradox/release-notes/10.2.x.md index de6fea17395..fd8b8cbba9a 100644 --- a/docs/src/main/paradox/release-notes/10.2.x.md +++ b/docs/src/main/paradox/release-notes/10.2.x.md 
@@ -1,5 +1,39 @@ # 10.2.x Release Notes +## 10.2.7 + +This release is an important security fix release. + +Most importantly, we fixed a problem with parsing headers containing `comment` elements ([#3918](https://github.com/akka/akka-http/issues/3918)). The HTTP spec allows arbitrary +nesting of those elements, e.g. in the `User-Agent` header. When such a header is parsed, an Akka HTTP application may +fail fatally with a `StackOverflowError`. Akka HTTP 10.2.7 mitigates this issue by conservatively limiting the allowed +depth of `comment` elements in headers. See @ref[the advisory for CVE-2021-42697](../security/2021-CVE-2021-42697-stack-overflow-parsing-user-agent.md) for more information about this security issue. + +Another issue has been fixed in relation to header rendering ([#3717](https://github.com/akka/akka-http/issues/3717)). +Akka HTTP does not validate that header values (or keys) +are well-formed when those are provided as Strings (e.g. in a `RawHeader`). In particular, HTTP headers are not allowed +to contain the special characters `'\r'` or `'\n'` which are used to delineate headers in an HTTP message. Before 10.2.7, +Akka HTTP would naively render those broken header values leading to broken HTTP messages. The generation of headers is +usually in complete control of the application. However, an application may accidentally pass incoming unvalidated user +data to response headers. In such a case, a remote user might be able to inject line terminators into the response headers +leading to invalid or misleading HTTP response messages. Depending on the server setup, this can be a building block for +severe attacks. + +To mitigate this issue, Akka HTTP now discards outgoing headers containing line terminators and logs a warning. Users +are encouraged to be on the watch when creating headers (or any kind of outgoing data) from unvalidated user input as this +is a common vector for different kinds of attacks. 
+ + +### Changes since 10.2.6 + +#### akka-http-core + +* core: limit comment nesting in header parser[#3924](https://github.com/akka/akka-http/pull/3924) +* core: discard outgoing headers containing line breaks [#3922](https://github.com/akka/akka-http/pull/3922) +* core: avoid calling numConnectedSlots when possible [#3904](https://github.com/akka/akka-http/pull/3904) +* core: simplify HeaderCompression [#3871](https://github.com/akka/akka-http/pull/3871) +* core: end HTTP/2 stream with empty DATA rather than empty HEADERS [#3913](https://github.com/akka/akka-http/pull/3913) + ## 10.2.6 This release is a bug fix release that fixes a bug in HTTP/2 processing, [#3890](https://github.com/akka/akka-http/issues/3890).
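Review bot: the bullet `* core: limit comment nesting in header parser[#3924](https://github.com/akka/akka-http/pull/3924)` in the "Changes since 10.2.6" list is missing the space before the PR link that every other bullet in the list has; it should read `* core: limit comment nesting in header parser [#3924](https://github.com/akka/akka-http/pull/3924)`. The two consecutive blank lines added just before `### Changes since 10.2.6` can also be collapsed to one to match the spacing used elsewhere in this file. One documentation point on the `#3717` paragraph: it explains the mitigation (outgoing headers containing line terminators are discarded and a warning is logged) and notes that the problem can be a building block for further attacks, but unlike the `#3918` paragraph it links no advisory; if an advisory page exists for the header-injection fix, referencing it here the same way would help readers find the details.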