Update dependency io.undertow:undertow-core to v2.3.18.Final

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
io.undertow:undertow-core (source)	2.3.0.Alpha1 -> 2.3.18.Final

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

undertow-io/undertow (io.undertow:undertow-core)

v2.3.18.Final: v.2.3.18.Final

Compare Source

Release 2.3.18.Final
Full list of issues: view in Jira

    Release Notes - Undertow - Version 2.3.18.Final
                                                    

Bug

• [UNDERTOW-2333] - Undertow read/write timeout should not apply to WebSockets or SSE
• [UNDERTOW-2412] - Read stored json with default UTF-8 encoding
• [UNDERTOW-2422] - Response Status Line protocol is hard-coded to "HTTP/1.1"
• [UNDERTOW-2436] - Race condition for HttpServerExchange state allows missed FLAG_REQUEST_TERMINATED flag with async requests and subsequent connection stall
• [UNDERTOW-2444] - H2 violation of protocol specification in RST_STREAM scenarios
• [UNDERTOW-2445] - CI Build is broken: actions/upload-artifact v1 and v2 are deprecated
• [UNDERTOW-2446] - HttpServletRequestImpl.getParts may throw exception after already loading parts
• [UNDERTOW-2448] - Broken responses after UNDERTOW-2425

v2.3.17.Final

Compare Source

Includes CVEs: CVE-2024-7885

    Release Notes - Undertow - Version 2.3.17.Final
                                                    

Bug

• [UNDERTOW-2429] - CVE-2024-7885 undertow: Improper State Management in Proxy Protocol parsing causes information leakage

v2.3.16.Final

Compare Source

Release Notes - Undertow - Version 2.3.16.Final

Bug

• [UNDERTOW-2256] - Resource predicate presentation differs depending on how it is set up
• [UNDERTOW-2312] - multibytes language in URL request to http/https are broken in EAP access log.
• [UNDERTOW-2381] - Invalid/benevolent hpack decoding of huffman-encoded string literal with EOS symbol
• [UNDERTOW-2424] - Undertow produces malformed Http/1.1 responses under heavy concurrent load
• [UNDERTOW-2425] - io.undertow.servlet.spec.ServletPrintWriter.close() high CPU when encoding characters on previously errored writer

v2.3.15.Final

Compare Source

v2.3.14.Final

Compare Source

Includes CVES: CVE-2024-6162 CVE-2024-27316 CVE-2023-5685

    Release Notes - Undertow - Version 2.3.14.Final
    

Sub-task

• [UNDERTOW-2400] - ResponseWriterTestCase fails because ServletinputStream is closed before read

Bug

• [UNDERTOW-2332] - CachingResource mishandling with TTL =0 and FS exhaustion
• [UNDERTOW-2334] - CVE-2024-6162 url-encoded request path information can be broken on ajp-listener
• [UNDERTOW-2378] - Adjust properly session timeout also in case when custom auth mechanisms are used
• [UNDERTOW-2383] - Canonicalized query string in redirect location can break included links
• [UNDERTOW-2385] - Memory leak in ThreadLocalCache
• [UNDERTOW-2389] - DefaultByteBufferPool leaks buffers for released threads
• [UNDERTOW-2405] - CVE-2024-27316 HTTP-2: httpd: CONTINUATION frames DoS
• [UNDERTOW-2407] - NullPointerException on DefaultByteBufferPool.close
• [UNDERTOW-2409] - Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Component Upgrade

• [UNDERTOW-2391] - CVE-2023-5685 Upgrade XNIO to 3.8.16.Final

Enhancement

• [UNDERTOW-2408] - Make fields final in DefaultByteBufferPool when appliable

v2.3.13.Final

Compare Source

v2.3.12.Final

Compare Source

v2.3.11.Final

Compare Source

v2.3.10.Final

Compare Source

v2.3.9.Final

Compare Source

v2.3.8.Final

Compare Source

v2.3.7.Final

Compare Source

v2.3.6.Final

Compare Source

v2.3.5.Final

Compare Source

v2.3.4.Final

Compare Source

v2.3.3.Final

Compare Source

v2.3.2.Final

Compare Source

v2.3.1.Final

Compare Source

v2.3.0.Final

Compare Source

v2.3.0.Beta1

Compare Source

v2.3.0.Alpha2

Compare Source

---

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks

[socket-security]

Removed dependencies detected. Learn more about Socket for GitHub ↗︎

🚮 Removed packages: maven/io.undertow/[email protected]

View full report↗︎

[github-actions]

Stale pull request message

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (2.3.18.Final). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.