From f0089861b5cf385920e681218d4a09830435a40e Mon Sep 17 00:00:00 2001
From: Andrew Clayton
Date: Tue, 25 Feb 2025 17:41:34 +0000
Subject: [PATCH 1/3] Add 1.34.2 release page

Signed-off-by: Andrew Clayton
---
 source/news/2025/index.rst | 10 ++++++
 source/news/2025/unit-1.34.2-released.rst | 37 +++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 source/news/2025/unit-1.34.2-released.rst

diff --git a/source/news/2025/index.rst b/source/news/2025/index.rst
index 690b584d..7c49c49c 100644
--- a/source/news/2025/index.rst
+++ b/source/news/2025/index.rst
@@ -2,8 +2,18 @@ News of 2025
 ############
+
 News archive for the year 2025.
+.. nxt_news_entry::
+ :author: Unit Team
+ :description: Version 1.34.2 is a maintenance release that fixes a couple
+ of Java WebSocket issues.
+ :email: unit-owner@nginx.org
+ :title: Unit 1.34.2 Released
+ :url: news/2025/unit-1.34.2-released
+ :date: 2025-02-26
+
 .. nxt_news_entry::
 :author: Unit Team
 :description: Version 1.34.1 is a maintenance release that fixes issues
diff --git a/source/news/2025/unit-1.34.2-released.rst b/source/news/2025/unit-1.34.2-released.rst
new file mode 100644
index 00000000..61cb1483
--- /dev/null
+++ b/source/news/2025/unit-1.34.2-released.rst
@@ -0,0 +1,37 @@
+:orphan:
+
+####################
+Unit 1.34.2 Released
+####################
+
+We are pleased to announce the release of NGINX Unit 1.34.2. This is a
+maintenance release that fixes a couple of issues in the Java WebSocket
+code within the Java language module.
+
+- Security: When the NGINX Unit Java Language module is in use, undisclosed
+ requests can lead to an infinite loop and cause an increase in CPU resource
+ utilization (CVE-2025-1695).
+
+ `F5 SIRT `__.
+
+- It addresses an issue whereby decoded payload lengths would be limited
+ to 32 bits.
+
+Both these issues affect Unit versions from 1.11.0 to 1.34.1. If you use
+the Java language module with WebSockets it is strongly suggested to
+upgrade.
+
+**************
+Full Changelog
+**************
+
+.. code-block:: none
+
+Changes with Unit 1.34.2 26 Feb 2025
+
+ *) Security: fix missing websocket payload length validation in the Java
+ language module which could lead to Java language module processes
+ consuming excess CPU. (CVE-2025-1695).
+
+ *) Bugfix: fix incorrect websocket payload length calculation in the
+ Java language module.
From bf276dc031e6b160f1ef9a11484cec9aeea38fbc Mon Sep 17 00:00:00 2001
From: Andrew Clayton
Date: Thu, 27 Feb 2025 21:50:44 +0000
Subject: [PATCH 2/3] Update CHANGES.txt for 1.34.2

Signed-off-by: Andrew Clayton
---
 source/CHANGES.txt | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/source/CHANGES.txt b/source/CHANGES.txt
index ea244733..6549597a 100644
--- a/source/CHANGES.txt
+++ b/source/CHANGES.txt
@@ -1,3 +1,13 @@
+Changes with Unit 1.34.2 26 Feb 2025
+
+ *) Security: fix missing websocket payload length validation in the Java
+ language module which could lead to Java language module processes
+ consuming excess CPU. (CVE-2025-1695).
+
+ *) Bugfix: fix incorrect websocket payload length calculation in the
+ Java language module.
+
+
 Changes with Unit 1.34.1 10 Jan 2025
 
 *) Bugfix: fix instability issues due to OpenTelemetry (OTEL) support.
From 2b977b5d09b2ca63ff4c81c740f742dcca0a3d43 Mon Sep 17 00:00:00 2001
From: Andrew Clayton
Date: Thu, 27 Feb 2025 21:52:28 +0000
Subject: [PATCH 3/3] conf.py: Update for 1.34.2

Signed-off-by: Andrew Clayton
---
 source/conf.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source/conf.py b/source/conf.py
index 3d51e99e..fd98aafd 100644
--- a/source/conf.py
+++ b/source/conf.py
@@ -5,8 +5,8 @@ project = 'NGINX Unit'
 author = 'NGINX, Inc.'
 copyright = '2017-2025'
-version = '1.34.1'
-release_date = 'Jan 10, 2025'
+version = '1.34.2'
+release_date = 'Feb 26, 2025'
 release = version
 needs_sphinx = '6.2'