Fix high-order bit aliasing in HttpUtil.validateToken by furkanvarol · Pull Request #16279 · netty/netty

furkanvarol · 2026-02-15T06:30:33Z

Motivation:

The goal of this PR is to fix a character validation bypass in HttpUtil.validateToken.

Prior to this change, the validateCharSequenceToken method was susceptible to "high-order bit aliasing." Because the logic performed a direct cast from a 16-bit char to an 8-bit byte, any Unicode character whose lower 8 bits matched a valid RFC 7230 tchar would be incorrectly validated.

For example, the character 'Š' (U+0161) has the bit pattern 00000001 01100001. A narrow cast to byte strips the high-order bits, leaving 01100001, which is the ASCII value for 'a'. Since 'a' is a valid token character, the validator would return -1 (valid), violating the strictness required by RFC 7230.

Modification:

Modified validateCharSequenceToken(CharSequence token) to store the character in an int variable to prevent multiple charAt lookups and maintain consistency with Netty's internal coding style.
Introduced an explicit range check (value > 0xFF) to catch high-order characters before they are cast to byte.
Updated HttpUtilTest with a new parameterized test testInvalidTokenCharsHighOrderBitAliasing that specifically tests Unicode characters known to alias into the valid tchar range (U+0161, U+0121, U+0231, U+0361).

Result:

This change ensures that HttpUtil correctly rejects non-ASCII and multi-byte characters that were previously able to bypass the token validation logic.

Motivation: Prior to this change, validateCharSequenceToken incorrectly validated 16-bit Unicode characters whose lower 8 bits coincided with valid RFC 7230 tchar values (e.g., U+0161 truncating to 'a'). This occurred because the char was directly cast to a byte, stripping the higher-order bits and causing "aliasing" into the valid ASCII range. For example, 'Š' (U+0161) has a bit pattern of 00000001 01100001; a narrow cast to byte leaves 01100001 ('a'), bypassing validation. Modification: - Modified validateCharSequenceToken to store the char as an int and added a check to ensure characters are within the 0-255 range before byte-casting. - Added regression tests in HttpUtilTest (testInvalidTokenCharsHighOrderBitAliasing) for specific aliasing candidates (U+0161, U+0121, etc.) that previously bypassed validation. Result: Non-ASCII characters can no longer bypass token validation via bit truncation.

furkanvarol · 2026-02-16T02:24:17Z

Looks like build failures are due to;

2026-02-15T08:04:23.2471071Z [ERROR] Errors: 
2026-02-15T08:04:23.2472339Z [ERROR]   IoUringSocketHalfClosedTest.testAllDataReadClosure(TestInfo) ? Timeout testAllDataReadClosure(org.junit.jupiter.api.TestInfo) timed out after 20000 milliseconds
2026-02-15T08:04:23.2473856Z [INFO] 
2026-02-15T08:04:23.2474294Z [ERROR] Tests run: 915, Failures: 0, Errors: 1, Skipped: 15
2026-02-15T08:04:23.2474818Z [INFO] 
2026-02-15T08:04:23.2484629Z [INFO] ------------------------------------------------------------------------
2026-02-15T08:04:23.2485277Z [INFO] Reactor Summary for Netty 4.2.11.Final-SNAPSHOT:
2026-02-15T08:04:23.2485565Z [INFO] 
2026-02-15T08:04:23.2489593Z [INFO] Netty .............................................. SUCCESS [  3.814 s]
2026-02-15T08:04:23.2490402Z [INFO] Netty/JFR Stub ..................................... SUCCESS [  1.894 s]
2026-02-15T08:04:23.2494465Z [INFO] Netty/VarHandle Stub ............................... SUCCESS [  0.791 s]
2026-02-15T08:04:23.2497464Z [INFO] Netty/Dev-Tools .................................... SUCCESS [  0.328 s]
2026-02-15T08:04:23.2501211Z [INFO] Netty/Common ....................................... SUCCESS [01:21 min]
2026-02-15T08:04:23.2502434Z [INFO] Netty/Testsuite/Common ............................. SUCCESS [  1.256 s]
2026-02-15T08:04:23.2503338Z [INFO] Netty/Buffer ....................................... SUCCESS [02:37 min]
2026-02-15T08:04:23.2504174Z [INFO] Netty/Resolver ..................................... SUCCESS [  3.446 s]
2026-02-15T08:04:23.2504997Z [INFO] Netty/Transport .................................... SUCCESS [01:22 min]
2026-02-15T08:04:23.2505867Z [INFO] Netty/Codec/Base ................................... SUCCESS [  6.762 s]
2026-02-15T08:04:23.2506749Z [INFO] Netty/Codec/Compression ............................ SUCCESS [02:13 min]
2026-02-15T08:04:23.2507637Z [INFO] Netty/Codec/Protobuf ............................... SUCCESS [  2.956 s]
2026-02-15T08:04:23.2508511Z [INFO] Netty/Codec/Marshalling ............................ SUCCESS [  3.242 s]
2026-02-15T08:04:23.2509525Z [INFO] Netty/Codec ........................................ SUCCESS [  0.209 s]
2026-02-15T08:04:23.2510477Z [INFO] Netty/Codec/DNS .................................... SUCCESS [  4.526 s]
2026-02-15T08:04:23.2517202Z [INFO] Netty/Codec/HAProxy ................................ SUCCESS [  6.237 s]
2026-02-15T08:04:23.2525052Z [INFO] Netty/Transport/Native/Unix/Common ................. SUCCESS [  4.644 s]
2026-02-15T08:04:23.2525906Z [INFO] Netty/PKITesting ................................... SUCCESS [ 23.074 s]
2026-02-15T08:04:23.2526662Z [INFO] Netty/Handler ...................................... SUCCESS [09:58 min]
2026-02-15T08:04:23.2527333Z [INFO] Netty/Codec/HTTP ................................... SUCCESS [01:06 min]
2026-02-15T08:04:23.2527997Z [INFO] Netty/Codec/HTTP2 .................................. SUCCESS [ 18.339 s]
2026-02-15T08:04:23.2528791Z [INFO] Netty/Transport/Classes/Epoll ...................... SUCCESS [  3.465 s]
2026-02-15T08:04:23.2529577Z [INFO] Netty/Codec/Classes/Quic ........................... SUCCESS [  2.594 s]
2026-02-15T08:04:23.2530420Z [INFO] Netty/Transport/SCTP ............................... SUCCESS [  4.649 s]
2026-02-15T08:04:23.2531509Z [INFO] Netty/Transport/UDT ................................ SUCCESS [  6.422 s]
2026-02-15T08:04:23.2532355Z [INFO] Netty/Testsuite .................................... SUCCESS [02:34 min]
2026-02-15T08:04:23.2533224Z [INFO] Netty/Transport/Native/Unix/Common/Tests ........... SUCCESS [  1.166 s]
2026-02-15T08:04:23.2534133Z [INFO] Netty/Transport/Native/Epoll ....................... SUCCESS [12:51 min]
2026-02-15T08:04:23.2535015Z [INFO] Netty/Codec/Native/Quic ............................ SUCCESS [02:57 min]
2026-02-15T08:04:23.2538116Z [INFO] Netty/Codec/Http3 .................................. SUCCESS [  9.852 s]
2026-02-15T08:04:23.2541197Z [INFO] Netty/Codec/Memcache ............................... SUCCESS [  3.632 s]
2026-02-15T08:04:23.2542003Z [INFO] Netty/Codec/MQTT ................................... SUCCESS [  5.048 s]
2026-02-15T08:04:23.2542750Z [INFO] Netty/Codec/Redis .................................. SUCCESS [  3.410 s]
2026-02-15T08:04:23.2543502Z [INFO] Netty/Codec/SMTP ................................... SUCCESS [  3.194 s]
2026-02-15T08:04:23.2544278Z [INFO] Netty/Codec/Socks .................................. SUCCESS [  4.398 s]
2026-02-15T08:04:23.2545029Z [INFO] Netty/Codec/Stomp .................................. SUCCESS [  3.568 s]
2026-02-15T08:04:23.2545762Z [INFO] Netty/Codec/XML .................................... SUCCESS [  3.112 s]
2026-02-15T08:04:23.2546670Z [INFO] Netty/Handler/Proxy ................................ SUCCESS [ 14.241 s]
2026-02-15T08:04:23.2547484Z [INFO] Netty/Resolver/DNS ................................. SUCCESS [01:54 min]
2026-02-15T08:04:23.2547950Z [INFO] Netty/Handler/Ssl/Ocsp ............................. SUCCESS [ 16.159 s]
2026-02-15T08:04:23.2548394Z [INFO] Netty/Transport/RXTX ............................... SUCCESS [  1.077 s]
2026-02-15T08:04:23.2548931Z [INFO] Netty/Transport/Classes/KQueue ..................... SUCCESS [  3.223 s]
2026-02-15T08:04:23.2550164Z [INFO] Netty/Resolver/DNS/Classes/MacOS ................... SUCCESS [  0.938 s]
2026-02-15T08:04:23.2551177Z [INFO] Netty/Transport/Classes/io_uring ................... SUCCESS [  5.163 s]
2026-02-15T08:04:23.2552014Z [INFO] Netty/All-in-One ................................... SUCCESS [  0.417 s]
2026-02-15T08:04:23.2552782Z [INFO] Netty/Resolver/DNS/Native/MacOS .................... SUCCESS [  1.449 s]
2026-02-15T08:04:23.2553614Z [INFO] Netty/Transport/Native/io_uring .................... FAILURE [18:36 min]

The changes I introduced built successfully (Netty/Codec/HTTP). Let me know if there is anything further I can do to verify my changes.

normanmaurer · 2026-02-18T16:32:41Z

@chrisvest @yawkat PTAL

furkanvarol · 2026-02-18T16:41:25Z

Thanks for looking at this! If approved, I plan to backport this to 4.1 as well

franz1981

Lgtm, thanks;

franz1981 · 2026-02-18T16:42:40Z

Just add the label? @chrisvest

normanmaurer · 2026-02-18T16:45:37Z

Just added the labels and so it will be done automatically

Motivation: The goal of this PR is to fix a character validation bypass in HttpUtil.validateToken. Prior to this change, the validateCharSequenceToken method was susceptible to "high-order bit aliasing." Because the logic performed a direct cast from a 16-bit char to an 8-bit byte, any Unicode character whose lower 8 bits matched a valid RFC 7230 tchar would be incorrectly validated. For example, the character 'Š' (U+0161) has the bit pattern 00000001 01100001. A narrow cast to byte strips the high-order bits, leaving 01100001, which is the ASCII value for 'a'. Since 'a' is a valid token character, the validator would return -1 (valid), violating the strictness required by RFC 7230. Modification: * Modified validateCharSequenceToken(CharSequence token) to store the character in an int variable to prevent multiple charAt lookups and maintain consistency with Netty's internal coding style. * Introduced an explicit range check (value > 0xFF) to catch high-order characters before they are cast to byte. * Updated HttpUtilTest with a new parameterized test testInvalidTokenCharsHighOrderBitAliasing that specifically tests Unicode characters known to alias into the valid tchar range (U+0161, U+0121, U+0231, U+0361). Result: This change ensures that HttpUtil correctly rejects non-ASCII and multi-byte characters that were previously able to bypass the token validation logic. Co-authored-by: Norman Maurer <norman_maurer@apple.com> (cherry picked from commit 95cc055)

netty-project-bot · 2026-02-19T00:03:57Z

Backport PR for 4.1: #16303

netty-project-bot · 2026-02-19T00:03:58Z

Forward port PR for 5.0: #16304

…en (#16304) Forward port of #16279 to 5.0 Cherry-picked commit: 95cc055 --- Motivation: The goal of this PR is to fix a character validation bypass in HttpUtil.validateToken. Prior to this change, the validateCharSequenceToken method was susceptible to "high-order bit aliasing." Because the logic performed a direct cast from a 16-bit char to an 8-bit byte, any Unicode character whose lower 8 bits matched a valid RFC 7230 tchar would be incorrectly validated. For example, the character 'Š' (U+0161) has the bit pattern 00000001 01100001. A narrow cast to byte strips the high-order bits, leaving 01100001, which is the ASCII value for 'a'. Since 'a' is a valid token character, the validator would return -1 (valid), violating the strictness required by RFC 7230. Modification: * Modified validateCharSequenceToken(CharSequence token) to store the character in an int variable to prevent multiple charAt lookups and maintain consistency with Netty's internal coding style. * Introduced an explicit range check (value > 0xFF) to catch high-order characters before they are cast to byte. * Updated HttpUtilTest with a new parameterized test testInvalidTokenCharsHighOrderBitAliasing that specifically tests Unicode characters known to alias into the valid tchar range (U+0161, U+0121, U+0231, U+0361). Result: This change ensures that HttpUtil correctly rejects non-ASCII and multi-byte characters that were previously able to bypass the token validation logic. Co-authored-by: Furkan Varol <furkanvarol@users.noreply.github.com> Co-authored-by: Norman Maurer <norman_maurer@apple.com>

…l [skip ci] Bumps [io.netty:netty-all](https://github.com/netty/netty) from 4.2.10.Final to 4.2.12.Final. Release notes *Sourced from [io.netty:netty-all's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility\_score?dependency-name=io.netty:netty-all&package-manager=maven&previous-version=4.2.10.Final&new-version=4.2.12.Final)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

…ip ci] Bumps `netty.version` from 4.2.10.Final to 4.2.12.Final. Updates `io.netty:netty-transport` from 4.2.10.Final to 4.2.12.Final Release notes *Sourced from [io.netty:netty-transport's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) Updates `io.netty:netty-codec` from 4.2.10.Final to 4.2.12.Final Release notes *Sourced from [io.netty:netty-codec's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) Updates `io.netty:netty-handler` from 4.2.10.Final to 4.2.12.Final Release notes *Sourced from [io.netty:netty-handler's releases](https://github.com/netty/netty/releases).* > netty-4.2.12.Final > ------------------ > > What's Changed > -------------- > > * Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16550](https://redirect.github.com/netty/netty/pull/16550) > > **Full Changelog**: <netty/netty@netty-4.2.11.Final...netty-4.2.12.Final> > > netty-4.2.11.Final > ------------------ > > Security > -------- > > * CVE-2026-33871, [HTTP/2 CONTINUATION Frame Flood Denial of Service](GHSA-w9fj-cfpg-grvv) > * CVE-2026-33870, [HTTP Request Smuggling via Chunked Extension Quoted-String Parsing](GHSA-pwqr-wmgm-9rr8) > > What's Changed > -------------- > > * Update to latest JDK 26 EA release by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16230](https://redirect.github.com/netty/netty/pull/16230) > * HTTP3: Allow to support non-standard HTTP3 settings by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16171](https://redirect.github.com/netty/netty/pull/16171) > * Fix Incorrect nanos-to-millis conversion in epoll\_wait EINTR retry loop by [`@adwsingh`](https://github.com/adwsingh) in [netty/netty#16245](https://redirect.github.com/netty/netty/pull/16245) > * Allocate one large segment and slice for each MsgHdrMemory by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16234](https://redirect.github.com/netty/netty/pull/16234) > * Make RefCntOpenSslContext.deallocate more robust by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16253](https://redirect.github.com/netty/netty/pull/16253) > * Epoll: Fix excessive CPU usage when Channel is only registered but no… by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16250](https://redirect.github.com/netty/netty/pull/16250) > * Update to gcc for arm 10.3-2021.07 by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16255](https://redirect.github.com/netty/netty/pull/16255) > * Add acmeIdentifier extension support to pkitesting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16256](https://redirect.github.com/netty/netty/pull/16256) > * Update JDK versions to latest patch releases by [`@m1ngyuan`](https://github.com/m1ngyuan) in [netty/netty#16254](https://redirect.github.com/netty/netty/pull/16254) > * Avoid allocation in HttpObjectEncoder.addEncodedLengthHex method by [`@doom369`](https://github.com/doom369) in [netty/netty#16241](https://redirect.github.com/netty/netty/pull/16241) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16269](https://redirect.github.com/netty/netty/pull/16269) > * Revert "Automatic backporting workflow from 4.1 to 4.2" by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16270](https://redirect.github.com/netty/netty/pull/16270) > * HTTP2: Correctly account for padding when decompress by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16264](https://redirect.github.com/netty/netty/pull/16264) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16271](https://redirect.github.com/netty/netty/pull/16271) > * Automatic backporting workflow from 4.1 to 4.2 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16273](https://redirect.github.com/netty/netty/pull/16273) > * Backport PRs must be created with personal access tokens by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16276](https://redirect.github.com/netty/netty/pull/16276) > * Expose QuicSslContextBuilder::sni by [`@ZeroErrors`](https://github.com/ZeroErrors) in [netty/netty#16178](https://redirect.github.com/netty/netty/pull/16178) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16275](https://redirect.github.com/netty/netty/pull/16275) > * Add more porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16283](https://redirect.github.com/netty/netty/pull/16283) > * Remove the unpooled allocator from test permutations by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16282](https://redirect.github.com/netty/netty/pull/16282) > * Some polishing of the porting workflows by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16288](https://redirect.github.com/netty/netty/pull/16288) > * Allow to set destination connection id when creating a client side QuicheChannel by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16286](https://redirect.github.com/netty/netty/pull/16286) > * Update to latest JDK26 EA build by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16295](https://redirect.github.com/netty/netty/pull/16295) > * Add javadoc to clarify responsibility of the user when generating the remote connection id by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16293](https://redirect.github.com/netty/netty/pull/16293) > * Make the build run faster by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16290](https://redirect.github.com/netty/netty/pull/16290) > * Fix IDE warnings in SslHandler by [`@doom369`](https://github.com/doom369) in [netty/netty#16237](https://redirect.github.com/netty/netty/pull/16237) > * Decrease Long allocations and map.put calls in ReferenceCountedOpenSllEngine in handshake() method by [`@doom369`](https://github.com/doom369) in [netty/netty#16242](https://redirect.github.com/netty/netty/pull/16242) > * Support boringssl SSLCredential API by [`@jmcrawford45`](https://github.com/jmcrawford45) in [netty/netty#15919](https://redirect.github.com/netty/netty/pull/15919) > * Fix high-order bit aliasing in HttpUtil.validateToken by [`@furkanvarol`](https://github.com/furkanvarol) in [netty/netty#16279](https://redirect.github.com/netty/netty/pull/16279) > * Improve multi-byte access performance when UNALIGNED availability is unknown by [`@Songdoeon`](https://github.com/Songdoeon) in [netty/netty#16207](https://redirect.github.com/netty/netty/pull/16207) > * Avoid unnecessary SSL.getVersion() call and string allocation in ReferenceCountedOpenSslEngine by [`@doom369`](https://github.com/doom369) in [netty/netty#16278](https://redirect.github.com/netty/netty/pull/16278) > * Support more branch freedom for auto-porting by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16300](https://redirect.github.com/netty/netty/pull/16300) > * fix: the precedence of + is higher than >> by [`@cuiweixie`](https://github.com/cuiweixie) in [netty/netty#16312](https://redirect.github.com/netty/netty/pull/16312) > * AdaptiveByteBufAllocator: make sure byteBuf.capacity() not greater than byteBuf.maxCapacity() by [`@laosijikaichele`](https://github.com/laosijikaichele) in [netty/netty#16309](https://redirect.github.com/netty/netty/pull/16309) > * Fix flaky PooledByteBufAllocatorTest by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16313](https://redirect.github.com/netty/netty/pull/16313) > * Fix pooled arena accounting tests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16321](https://redirect.github.com/netty/netty/pull/16321) ... (truncated) Commits * [`67ce541`](netty/netty@67ce541) [maven-release-plugin] prepare release netty-4.2.12.Final * [`7074624`](netty/netty@7074624) Revert "Eliminate redundant bounds checks in CompositeByteBuf accessors" ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`c3b0a43`](netty/netty@c3b0a43) [maven-release-plugin] prepare for next development iteration * [`c94a818`](netty/netty@c94a818) [maven-release-plugin] prepare release netty-4.2.11.Final * [`3b76df1`](netty/netty@3b76df1) Merge commit from fork * [`aae944a`](netty/netty@aae944a) Auto-port 4.2: Limit the number of Continuation frames per HTTP2 Headers ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`6001499`](netty/netty@6001499) Eliminate redundant bounds checks in CompositeByteBuf accessors ([#16525](https://redirect.github.com/netty/netty/issues/16525)) * [`a7fbb6f`](netty/netty@a7fbb6f) JdkZlibDecoder: accumulate decompressed output before firing channelRead ([#16](https://redirect.github.com/netty/netty/issues/16)... * [`7937553`](netty/netty@7937553) Enforce io.netty.maxDirectMemory accounting on all Java versions ([#16489](https://redirect.github.com/netty/netty/issues/16489)) * [`893ea2e`](netty/netty@893ea2e) Allocate less in QueryStringDecoder.addParam for typical use case ([#16527](https://redirect.github.com/netty/netty/issues/16527)) * Additional commits viewable in [compare view](netty/netty@netty-4.2.10.Final...netty-4.2.12.Final) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

furkanvarol force-pushed the 4.2 branch from 021d2f6 to 820bfe2 Compare February 15, 2026 06:39

normanmaurer requested review from chrisvest, franz1981 and yawkat February 18, 2026 16:32

Merge branch '4.2' into 4.2

a9617c7

yawkat approved these changes Feb 18, 2026

View reviewed changes

franz1981 approved these changes Feb 18, 2026

View reviewed changes

normanmaurer added needs-cherry-pick-4.1 This PR should be cherry-picked to 4.1 once merged. needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. labels Feb 18, 2026

chrisvest approved these changes Feb 18, 2026

View reviewed changes

chrisvest enabled auto-merge (squash) February 18, 2026 19:17

chrisvest merged commit 95cc055 into netty:4.2 Feb 19, 2026
50 of 55 checks passed

github-actions bot removed needs-cherry-pick-4.1 This PR should be cherry-picked to 4.1 once merged. needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. labels Feb 19, 2026

This was referenced Feb 19, 2026

Backport 4.1: Fix high-order bit aliasing in HttpUtil.validateToken #16303

Merged

Forward port 5.0: Fix high-order bit aliasing in HttpUtil.validateToken #16304

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix high-order bit aliasing in HttpUtil.validateToken#16279

Fix high-order bit aliasing in HttpUtil.validateToken#16279
chrisvest merged 2 commits intonetty:4.2from
furkanvarol:4.2

furkanvarol commented Feb 15, 2026

Uh oh!

furkanvarol commented Feb 16, 2026

Uh oh!

normanmaurer commented Feb 18, 2026

Uh oh!

furkanvarol commented Feb 18, 2026

Uh oh!

franz1981 left a comment

Uh oh!

franz1981 commented Feb 18, 2026

Uh oh!

normanmaurer commented Feb 18, 2026

Uh oh!

Uh oh!

netty-project-bot commented Feb 19, 2026

Uh oh!

netty-project-bot commented Feb 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Uh oh!

Conversation

furkanvarol commented Feb 15, 2026

Uh oh!

furkanvarol commented Feb 16, 2026

Uh oh!

normanmaurer commented Feb 18, 2026

Uh oh!

furkanvarol commented Feb 18, 2026

Uh oh!

franz1981 left a comment

Choose a reason for hiding this comment

Uh oh!

franz1981 commented Feb 18, 2026

Uh oh!

normanmaurer commented Feb 18, 2026

Uh oh!

Uh oh!

netty-project-bot commented Feb 19, 2026

Uh oh!

netty-project-bot commented Feb 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants