Add 1.34.2 release page

ac000 · ac000 · commit 9f8da7c89f3d · 2025-03-03T18:05:29.000Z
Signed-off-by: Andrew Clayton &lt;a.clayton@nginx.com&gt;
diff --git a/source/news/2025/index.rst b/source/news/2025/index.rst
@@ -2,8 +2,18 @@
 News of 2025
 ############
 
+
 News archive for the year 2025.
 
+.. nxt_news_entry::
+   :author: Unit Team
+   :description: Version 1.34.2 is a maintenance release that fixes a couple
+                 of Java WebSocket issues.
+   :email: unit-owner@nginx.org
+   :title: Unit 1.34.2 Released
+   :url: news/2025/unit-1.34.2-released
+   :date: 2025-02-26
+
 .. nxt_news_entry::
    :author: Unit Team
    :description: Version 1.34.1 is a maintenance release that fixes issues
diff --git a/source/news/2025/unit-1.34.2-released.rst b/source/news/2025/unit-1.34.2-released.rst
@@ -0,0 +1,41 @@
+:orphan:
+
+####################
+Unit 1.34.2 Released
+####################
+
+We are pleased to announce the release of NGINX Unit 1.34.2. This is a
+maintenance release that fixes a couple of issues in the Java WebSocket
+code within the Java language module.
+
+- Security: When the NGINX Unit Java Language module is in use, undisclosed
+  requests can lead to an infinite loop and cause an increase in CPU resource
+  utilization (CVE-2025-1695).
+
+- It addresses a potential security issue where we could get a negative
+  payload length that could cause the Java language module process(es)
+  to enter an infinite loop and consume excess CPU. (CVE-2025-1695)
+
+  `F5 SIRT <https://my.f5.com/manage/s/article/K000149959>`__.
+
+- It addresses an issue whereby decoded payload lengths would be limited
+  to 32 bits.
+
+Both these issues affect Unit versions from 1.11.0 to 1.34.1. If you use
+the Java language module with WebSockets it is strongly suggested to
+upgrade.
+
+**************
+Full Changelog
+**************
+
+.. code-block:: none
+
+Changes with Unit 1.34.2                                         26 Feb 2025
+
+    *) Security: fix missing websocket payload length validation in the Java
+       language module which could lead to Java language module processes
+       consuming excess CPU. (CVE-2025-1695).
+
+    *) Bugfix: fix incorrect websocket payload length calculation in the
+       Java language module.
