• CVE-2026-42586 (netty-codec-redis)
• CVE-2026-42578 (netty-handler-proxy)
• CVE-2026-42577 (netty-transport-native-epoll)
• CVE-2026-42587 (netty-codec-http, netty-codec-http2)
• CVE-2026-41417 (netty-codec-http)
• CVE-2026-42581 (netty-codec-http)
• CVE-2026-42580 (netty-codec-http)
• CVE-2026-42585 (netty-codec-http)
• CVE-2026-42579 (netty-codec-dns)
• CVE-2026-42582 (netty-codec-http3)
• CVE-2026-42583 (netty-codec, netty-codec-compression)
• CVE-2026-42584 (netty-codec-http)
• CVE-2026-XXXXX (netty-codec-mqtt)

• Kqueue: sendfile EINTR doesn't advance offset — data duplication by @normanmaurer in https://github.com/netty/netty/pull/16544
• Replace usage of strerror with thread-safe alternative by @normanmaurer in https://github.com/netty/netty/pull/16547
• Fix implementation of strerror_r_xsi for GNU by @normanmaurer in https://github.com/netty/netty/pull/16546
• Lazy init ArrayList in DefaultHeaders.getAll by @doom369 in https://github.com/netty/netty/pull/16526
• Less logging in AWS-LC build by @chrisvest in https://github.com/netty/netty/pull/16565
• Ensure the CRYPTO_BUFFER_POOL is also freed when we fail creating the SSLContext by @normanmaurer in https://github.com/netty/netty/pull/16545
• Auto-port 4.2: Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat by @netty-project-bot in https://github.com/netty/netty/pull/16543
• Avoid leak in PemReader on OutOfDirectMemoryError by @raipc in https://github.com/netty/netty/pull/16551
• IoUring: Disable test while we debug to unblock other builds by @normanmaurer in https://github.com/netty/netty/pull/16581
• Include user properties and subscription IDs in MqttProperties#isEmpty by @ShadowySpirits in https://github.com/netty/netty/pull/16575
• Native DNS resolver: Guard against malloc failures by @normanmaurer in https://github.com/netty/netty/pull/16559
• Auto-port 4.2: Increase timeouts for QuicChannelConnectTest by @netty-project-bot in https://github.com/netty/netty/pull/16578
• Fix parsing HTTP chunks with multiple extensions by @chrisvest in https://github.com/netty/netty/pull/16579
• Bump org.codehaus.plexus:plexus-utils from 3.4.2 to 4.0.3 in /codec-native-quic by @dependabot[bot] in https://github.com/netty/netty/pull/16572
• Revert to PR build to Ubuntu 22.04 by @chrisvest in https://github.com/netty/netty/pull/16595
• Native transports: Correctly create pipe when pipe2 is not supported by @normanmaurer in https://github.com/netty/netty/pull/16592
• Epoll: Cleanup code to always return negative value on failure by @normanmaurer in https://github.com/netty/netty/pull/16591
• Fix component search fast path by @yawkat in https://github.com/netty/netty/pull/16548
• Stabilize read-only toStringMultipleThreads1 by @chrisvest in https://github.com/netty/netty/pull/16608
• Stabilize more AbstractByteBufTests by @chrisvest in https://github.com/netty/netty/pull/16611
• Remove note about needing 256-bit for PQC by @chrisvest in https://github.com/netty/netty/pull/16605
• Stabilize testSessionInvalidate for Conscrypt by @chrisvest in https://github.com/netty/netty/pull/16615
• Quic: Correctly handle SSL_CTX_new failures by @normanmaurer in https://github.com/netty/netty/pull/16622
• Make LocalIoHandle public by @rdicroce in https://github.com/netty/netty/pull/16621
• Quic: Fix shadowing of variable which leads to incorrectly handling errors by @normanmaurer in https://github.com/netty/netty/pull/16623
• Auto-port 4.2: Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter by @netty-project-bot in https://github.com/netty/netty/pull/16629
• Fix shutdownInput bug in kqueue for empty recv buffer by @chrisvest in https://github.com/netty/netty/pull/16630
• fix FFM address semantics in directBufferAddress by @dreamlike-ocean in https://github.com/netty/netty/pull/16603
• HTTP2: Ensure HTTP2 preface is always send as first message by @normanmaurer in https://github.com/netty/netty/pull/16636
• Move Http2FrameCodecSubClassTest to correct package by @normanmaurer in https://github.com/netty/netty/pull/16640
• Kqueue: Fix usage of LOCAL_PEERPID by @normanmaurer in https://github.com/netty/netty/pull/16637
• Avoid ArrayQueue allocation in HttpServerCodec by @doom369 in https://github.com/netty/netty/pull/16596
• Fix file descriptor reuse bug in kqueue by @chrisvest in https://github.com/netty/netty/pull/16650
• Propagate exceptions from inner threads in buffer tests by @chrisvest in https://github.com/netty/netty/pull/16643
• Add maxFrameLength support to ProtobufVarint32FrameDecoder by @fru1tworld in https://github.com/netty/netty/pull/16633
• Avoid byte[] allocation in DefaultChannelId by @doom369 in https://github.com/netty/netty/pull/16631
• Bump BouncyCastle from 1.83 to 1.84 by @chrisvest in https://github.com/netty/netty/pull/16660
• HTTP2: Ensure HTTP2 preface is always send as first message (also on the server) by @normanmaurer in https://github.com/netty/netty/pull/16667
• Update outdated codec-http3 README.md by @fru1tworld in https://github.com/netty/netty/pull/16665
• Bump up netty-tcnative to 2.0.76.Final by @normanmaurer in https://github.com/netty/netty/pull/16669
• Fix IllegalReferenceCountException in AdaptiveByteBuf.deallocate() by @gzsombor in https://github.com/netty/netty/pull/16654
• Skip VarHandle init when unaligned access is supported by @Songdoeon in https://github.com/netty/netty/pull/16664
• Add generic FileRegion support in io_uring stream channel by @LuciferYang in https://github.com/netty/netty/pull/16571
• ByteBufAllocatorAllocPatternBenchmark: Ensure each index appears exactly once in releaseIndexes by @laosijikaichele in https://github.com/netty/netty/pull/16604
• Improve flaky NioSocketChannelTest by @chrisvest in https://github.com/netty/netty/pull/16679
• Deprecate ObjectCleaner and remove usage by @chrisvest in https://github.com/netty/netty/pull/16685
• Update to netty-tcnative 2.0.77.Final by @normanmaurer in https://github.com/netty/netty/pull/16687
• Avoid TCPFastOpen in KQueueCompositeBufferGatheringWriteTest by @chrisvest in https://github.com/netty/netty/pull/16697
• Update JUnit to 5.14.0 and fix leak scope handling by @yawkat in https://github.com/netty/netty/pull/16680
• Auto-port 4.2: Avoid NPE in JdkSslClientContext when TrustManagerFactory returns null by @netty-project-bot in https://github.com/netty/netty/pull/16702
• Avoid NPE in JdkSslServerContext when TrustManagerFactory returns nul… by @normanmaurer in https://github.com/netty/netty/pull/16700
• IoUring: Fix incorrect assertion which was triggered when two Channel… by @normanmaurer in https://github.com/netty/netty/pull/16705
• Epoll: Correctly delete fd from epoll if there is nothing to handle by @normanmaurer in https://github.com/netty/netty/pull/16689
• Update many dependencies by @chrisvest in https://github.com/netty/netty/pull/16707
• SCTP: Correctly handle SO_BACKLOG by @normanmaurer in https://github.com/netty/netty/pull/16714
• Load BouncyCastle providers independently by @chrisvest in https://github.com/netty/netty/pull/16710
• Add UBI9 devcontainer by @chrisvest in https://github.com/netty/netty/pull/16711
• Consolidate fake exceptions in HTTP/2 tests into Http2TestUtil by @fru1tworld in https://github.com/netty/netty/pull/16712
• Auto-port 4.2: Fix DiscardClient hang under -Dssl by using a client SSL context by @netty-project-bot in https://github.com/netty/netty/pull/16724
• Epoll: Use correct inital EpollIoOps by @normanmaurer in https://github.com/netty/netty/pull/16728
• Activate noPrintGC by default by @chrisvest in https://github.com/netty/netty/pull/16732
• H2: Add test for header value validation by @chrisvest in https://github.com/netty/netty/pull/16737

• @ShadowySpirits made their first contribution in https://github.com/netty/netty/pull/16575
• @fru1tworld made their first contribution in https://github.com/netty/netty/pull/16633
• @gzsombor made their first contribution in https://github.com/netty/netty/pull/16654
• @LuciferYang made their first contribution in https://github.com/netty/netty/pull/16571

Full Changelog: https://github.com/netty/netty/compare/netty-4.2.12.Final...netty-4.2.13.Final

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.213...7.21.0-rc.214

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.212...7.21.0-rc.213

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.211...7.21.0-rc.212

• #53933 - [3.34] Strip matrix parameters from request paths during HTTP security polic…

• #53929 - [3.35] Strip matrix parameters from request paths during HTTP security polic…

• Implement switch expr type extraction (PR #4968 by @mrjameshamilton)

• refactor(lexicalpreservation): introduce TextElementSequence API and migrate core classes (PR #4955 by @jlerbsc)
• refactor: Extract and centralize indentation logic in lexical preservation (PR #4952 by @jlerbsc)

• fix(grammar): allow empty component list in RecordPattern (PR #5008 by @jlerbsc)
• Fix: issue #4974 How to detect array.length ValueDeclaration (PR #5000 by @jlerbsc)
• Fix CommentInserter crash on compact classes (PR #4963 by @johannescoetzee)
• Resolve parsing issue for module-info classes with multiple exports (PR #4962 by @mrjameshamilton)
• Issue3365 (PR #4956 by @jlerbsc)
• Fix: issue 4949 Parsing issue in switch with yield with Java 25 parser configuration (PR #4950 by @jlerbsc)

• Add comprehensive test suite for lexical preserving printer rules (PR #4957 by @jlerbsc)

Thank You to all contributors who worked on this release!

• @mrjameshamilton
• @johannescoetzee
• @jlerbsc

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.210...7.21.0-rc.211