nginx · ac000 · Mar 3, 2025 · Feb 25, 2025 · Feb 27, 2025 · Feb 27, 2025
diff --git a/source/CHANGES.txt b/source/CHANGES.txt
@@ -1,3 +1,13 @@
+Changes with Unit 1.34.2                                         26 Feb 2025
+
+    *) Security: fix missing websocket payload length validation in the Java
+       language module which could lead to Java language module processes
+       consuming excess CPU. (CVE-2025-1695).
+
+    *) Bugfix: fix incorrect websocket payload length calculation in the
+       Java language module.
+
+
 Changes with Unit 1.34.1                                         10 Jan 2025
 
     *) Bugfix: fix instability issues due to OpenTelemetry (OTEL) support.

diff --git a/source/conf.py b/source/conf.py
@@ -5,8 +5,8 @@
 project = 'NGINX Unit'
 author = 'NGINX, Inc.'
 copyright = '2017-2025'
-version = '1.34.1'
-release_date = 'Jan 10, 2025'
+version = '1.34.2'
+release_date = 'Feb 26, 2025'
 release = version
 needs_sphinx = '6.2'
 

diff --git a/source/news/2025/index.rst b/source/news/2025/index.rst
@@ -2,8 +2,18 @@
 News of 2025
 ############
 
+
 News archive for the year 2025.
 
+.. nxt_news_entry::
+   :author: Unit Team
+   :description: Version 1.34.2 is a maintenance release that fixes a couple
+                 of Java WebSocket issues.
+   :email: [email protected]
+   :title: Unit 1.34.2 Released
+   :url: news/2025/unit-1.34.2-released
+   :date: 2025-02-26
+
 .. nxt_news_entry::
    :author: Unit Team
    :description: Version 1.34.1 is a maintenance release that fixes issues

diff --git a/source/news/2025/unit-1.34.2-released.rst b/source/news/2025/unit-1.34.2-released.rst
@@ -0,0 +1,37 @@
+:orphan:
+
+####################
+Unit 1.34.2 Released
+####################
+
+We are pleased to announce the release of NGINX Unit 1.34.2. This is a
+maintenance release that fixes a couple of issues in the Java WebSocket
+code within the Java language module.
+
+- Security: When the NGINX Unit Java Language module is in use, undisclosed
+  requests can lead to an infinite loop and cause an increase in CPU resource
+  utilization (CVE-2025-1695).
+
+  `F5 SIRT <https://my.f5.com/manage/s/article/K000149959>`__.
+
+- It addresses an issue whereby decoded payload lengths would be limited
+  to 32 bits.
+
+Both these issues affect Unit versions from 1.11.0 to 1.34.1. If you use
+the Java language module with WebSockets it is strongly suggested to
+upgrade.
+
+**************
+Full Changelog
+**************
+
+.. code-block:: none
+
+Changes with Unit 1.34.2                                         26 Feb 2025
+
+    *) Security: fix missing websocket payload length validation in the Java
+       language module which could lead to Java language module processes
+       consuming excess CPU. (CVE-2025-1695).
+
+    *) Bugfix: fix incorrect websocket payload length calculation in the
+       Java language module.