v0.21.29
This release includes security patches for blaze-client, blaze-server, ember-client, ember-server, and jetty-client. It is binary compatible with the 0.21.x series.
Various modules
- GHSA-5vcm-3xc3-w7x3: Patches a vulnerability when unencoded user inputs are rendered in the model. Malicious characters in these inputs can be used in splitting attacks.
  - Header values. `\r`, `\n`, and `\u0000` values are now replaced with spaces.
  - Header names. Headers with invalid names are now dropped.
  - Status reason phrases. Invalid phrases are now omitted.
  - URI authority registered names. Requests with invalid reg-names now raise an exception.
  - URI paths. Requests with invalid URI paths now raise an exception.
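
The header and status-line rules above, sketched as an added Scala example (not http4s source code). The names `HeaderRendering`, `renderHead` and the helpers are hypothetical, and "invalid" is assumed to mean "does not match the RFC 7230 `token` and `reason-phrase` grammars".

```scala
// Added illustration of the rendering rules in this release note; not http4s code.
// All names in this object are hypothetical.
object HeaderRendering {
  // Non-alphanumeric characters allowed in an RFC 7230 token (assumed rule for names).
  private val tcharSymbols = "!#$%&'*+-.^_`|~"

  def validName(name: String): Boolean =
    name.nonEmpty && name.forall { c =>
      (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
      (c >= '0' && c <= '9') || tcharSymbols.indexOf(c) >= 0
    }

  // CR, LF and NUL become spaces, so a value can never terminate its own header line.
  def sanitizeValue(value: String): String =
    value.map {
      case '\r' | '\n' | '\u0000' => ' '
      case c                      => c
    }

  // reason-phrase = *( HTAB / SP / VCHAR / obs-text ): no control characters (assumed rule).
  def validReason(reason: String): Boolean =
    reason.forall(c => c == '\t' || (c >= ' ' && c != '\u007f'))

  def renderHead(status: Int, reason: String, headers: Seq[(String, String)]): String = {
    val sb = new StringBuilder("HTTP/1.1 ").append(status).append(' ')
    if (validReason(reason)) sb.append(reason) // invalid phrase: omitted, line stays well-formed
    sb.append("\r\n")
    headers.foreach { case (name, value) =>
      // A header with an invalid name is dropped entirely, value included.
      if (validName(name)) sb.append(name).append(": ").append(sanitizeValue(value)).append("\r\n")
    }
    sb.append("\r\n").toString
  }

  def main(args: Array[String]): Unit = {
    // Constructed inputs: a value carrying CRLF, a name that is not a token,
    // and a reason phrase carrying CRLF.
    val head = renderHead(302, "Found\r\nX-Injected: 0", Seq(
      "Location"       -> "/home\r\nX-Injected: 1",
      "Bad Name\r\n"   -> "x",
      "Content-Length" -> "0"
    ))
    // Show CR/LF as escapes so every real line boundary in the output is visible.
    println(head.replace("\r", "\\r").replace("\n", "\\n\n"))
  }
}
```

In the printed head, the only line boundaries are the ones the renderer wrote itself; the `X-Injected` text from the constructed inputs stays inside the `Location` value or is omitted with the reason phrase.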