• CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
• CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
• CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
• CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.
• CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
• CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
• CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
• CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
• CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
• CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
• CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
• CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

• Auto-port 4.1: MQTT: Allow MQTT 5 CONNECT with password only by @netty-project-bot in https://github.com/netty/netty/pull/16834
• ChannelInitializer: correct misleading comment on exceptionCaught route by @daguimu in https://github.com/netty/netty/pull/16847
• HTTP/2: Parse request-target path like Vert.x (4.1 backport) by @yawkat in https://github.com/netty/netty/pull/16856
• HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted by @normanmaurer in https://github.com/netty/netty/pull/16861
• IpSubnetFilter: Correctly handle ipv6 by @normanmaurer in https://github.com/netty/netty/pull/16860
• Configurable bound on RedisArrayAggregator by @normanmaurer in https://github.com/netty/netty/pull/16858
• Redis: Limit decoded length by @normanmaurer in https://github.com/netty/netty/pull/16859
• DNS: Ensure query id is not predictible by @normanmaurer in https://github.com/netty/netty/pull/16870
• Wrapping plain trust manager silently disables hostname verification by @normanmaurer in https://github.com/netty/netty/pull/16868
• MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @daguimu in https://github.com/netty/netty/pull/16852
• Fix revapi warnings (#16885) by @chrisvest in https://github.com/netty/netty/pull/16892
• HAProxy: Reject HAProxyMessages with malformated TLV and not leak memory by @normanmaurer in https://github.com/netty/netty/pull/16866
• SSL: Use sane defaults as limits for the client hello length and timeout by @normanmaurer in https://github.com/netty/netty/pull/16871
• DNS: Only cache CNAME if part of the queried domain by @normanmaurer in https://github.com/netty/netty/pull/16873
• HTTP/2: Enforce max concurrent streams for misbehaving clients by @normanmaurer in https://github.com/netty/netty/pull/16876
• Dns: Insufficient Bailiwick Validation for NS Records by @normanmaurer in https://github.com/netty/netty/pull/16877
• HTTP2: DelegatingDecompressorFrameListener must release memory in all cases by @normanmaurer in https://github.com/netty/netty/pull/16880
• Pass maxAllocation to Brotli and Zstd decoders (#16844) by @chrisvest in https://github.com/netty/netty/pull/16886
• HTTP/2: Treat clients MAX_HEADER_LIST_SIZE as advisory by @normanmaurer in https://github.com/netty/netty/pull/16883
• Auto-port 4.1: Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @netty-project-bot in https://github.com/netty/netty/pull/16894
• HAProxy: Fix ByteBuf leak when parsing nested SSL TLVs by @normanmaurer in https://github.com/netty/netty/pull/16881
• Epoll / Kqueue: Correctly handle receive of FD by @normanmaurer in https://github.com/netty/netty/pull/16872
• SCTP: Limit the number of inflight incomplete SCTP messages and the number of fragments by @normanmaurer in https://github.com/netty/netty/pull/16875
• Redis: Correctly release incomplete message on removal when using RedisArrayAggregator by @normanmaurer in https://github.com/netty/netty/pull/16878
• Redis: Limit the maximum number of nested arrays by @normanmaurer in https://github.com/netty/netty/pull/16882

Full Changelog: https://github.com/netty/netty/compare/netty-4.1.134.Final...netty-4.1.135.Final

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.310...7.21.0-rc.311

• CVE-2026-48059: memory exhaustion in io.netty:netty-codec-haproxy (high).
• CVE-2026-47691: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-XXXXX: DDoS in io.netty:netty-codec-http2.
• CVE-2026-XXXXX: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44250: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-44890: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-XXXXX: information disclosure and denial of service in io.netty:netty-codec-classes-quic.
• CVE-2026-44249: IPv6 subnet filter bypass in io.netty:netty-handler (high).
• CVE-2026-XXXXX: request smuggling in io.netty:netty-codec-http.
• CVE-2026-44892: memory exhaustion in io.netty:netty-codec-http3 (high).
• CVE-2026-44893: memory leak in io.netty:netty-codec-haproxy (high).
• CVE-2026-44894: traffic amplification in io.netty:netty-codec-classes-quic (high).
• CVE-2026-XXXXX: TLS hostname verification accidentally disabled in io.netty:netty-handler (high).
• CVE-2026-45673: DNS cache poisoning in io.netty:netty-resolver-dns.
• CVE-2026-45416: excessive memory usage from SNIHandler in io.netty:netty-handler (high).
• CVE-2026-45536: file descriptor leak in io.netty:netty-transport-native-epoll and io.netty:netty-transport-native-kqueue.
• CVE-2026-45674: DNS cache poisoning in io.netty:netty-resolver-dns (high).
• CVE-2026-46340: memory exhaustion in io.netty:netty-transport-sctp (high).
• CVE-2026-47244: denial of service in io.netty:netty-codec-http2.
• CVE-2026-48006: memory exhaustion in io.netty:netty-codec-redis (high).
• CVE-2026-48748: memory exhaustion in io.netty:netty-codec-http3 (high).
• CVE-2026-48043: memory exhaustion in io.netty:netty-codec-http2.

• Fix race in io.netty.channel.uring.IoUringIoHandler.wakeup by @dreamlike-ocean in https://github.com/netty/netty/pull/16836
• HTTP/2: Parse request-target path like Vert.x by @yawkat in https://github.com/netty/netty/pull/16810
• Auto-port 4.2: ChannelInitializer: correct misleading comment on exceptionCaught route by @netty-project-bot in https://github.com/netty/netty/pull/16853
• FlowControlHandler: Suppress duplicate channelReadComplete after draining queue (#15053) by @schiemon in https://github.com/netty/netty/pull/16837
• Pass maxAllocation to Brotli and Zstd decoders by @fedinskiy in https://github.com/netty/netty/pull/16844
• Fix revapi warnings by @chrisvest in https://github.com/netty/netty/pull/16885
• Fix SCTP and Redis tests by @chrisvest in https://github.com/netty/netty/pull/16893
• Add maxWindowLog parameter to ZstdDecoder to bound memory allocation by @skyguard1 in https://github.com/netty/netty/pull/16850
• Auto-port 4.2: MQTT: Reject malformed no-payload packets with non-zero Remaining Length by @netty-project-bot in https://github.com/netty/netty/pull/16890

• @schiemon made their first contribution in https://github.com/netty/netty/pull/16837
• @fedinskiy made their first contribution in https://github.com/netty/netty/pull/16844

Full Changelog: https://github.com/netty/netty/compare/netty-4.2.14.Final...netty-4.2.15.Final

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.309...7.21.0-rc.310

• a1e0af7: [rb] add driver finder tests to use selenium manager when applicable (#17597) (Titus Fortner) #17597
• b02c5f2: [build] allow ruby and python to run remote tests on windows (#17603) (Titus Fortner) #17603
• 2279f8e: [build] allow bazel workflow to pass when rerun step is successful (Titus Fortner)
• 7b17d22: [rb] update test guards (Titus Fortner)
• 6a68466: [py] Scope py_test_suite shared library to support files only (#17600) (David Burns) #17600
• 33365ce: [java][BiDi] add clearListners via browsingContextIds for inspectors (#17376) (Swastik Baranwal) #17376
• fac1942: [py] Extract actions subpackage into //py:common_actions (#17605) (David Burns) #17605
• 2eaf118: [rust] Switch reqwest TLS backend from aws-lc-rs to ring (#17589) (David Burns) #17589
• e4eac88: [py] Extract feature-specific modules from //py:common (#17606) (David Burns) #17606

• Disable use of Unsafe by default when Java 25or newer is discovered.
• Check for escape when creating folders in Plugin.Engine.
• Improve OpenJ9 attachment.
• Avoid null pointer on missing annotation types.
• Improve diagnostics for external agent attachment.
• Improve on Gradle context discovery.
• Support Android libraries on AGP9 or newer.
• Update ASM.

Full Changelog: https://github.com/Activiti/Activiti/compare/7.21.0-rc.308...7.21.0-rc.309

2026-06-01 Release of logback version 1.5.34

• In case certain StackTraceElement values returned by the Throwable.getStackTrace method are null, StackTraceElementProxy substitutes a dummy instance instead of throwing an IllegalArgumentException. This resolves issues #1040, reported by Naotsugu Kobayashi.

• HardenedObjectInputStream will now throw an InvalidClassException during deserialization attempts of Proxy classes. This change addresses potential deserialization whitelist bypass vulnerability reported by York Shen and registered as CVE-2026-10532.

• A bitwise identical binary of this version can be reproduced by building from source code at commit e62272ac152469aec1ede056c3c7d0d7314e7bfe associated with the tag v_1.5.34. This release was built using Java "21" 2023-10-17 LTS build 21.0.1.+12-LTS-29 under Linux Debian 11.6.

• 99ddba6: [build] Automated Browser Version Update (#17596) (Selenium CI Bot) #17596
• 8264ad7: [build] reduce downloaded artifacts (#17598) (Titus Fortner) #17598
• 3e3fb19: [build] surface failures from archive rules (#17594) (Titus Fortner) #17594
• 2b36081: [build] only build debug artifacts when releasing (#17595) (Titus Fortner) #17595
• f70c926: [java] publish selenium-devtools-latest artifact (#17562) (Titus Fortner) #17562
• 09d8f84: [java] support driving Electron apps with ElectronOptions and ElectronDriver (#17559) (Titus Fortner) #17559
• 4a6290c: [build] use Bazel repo contents cache instead of external-cache (#17602) (Titus Fortner) #17602

• fix: implement phase-2 poly-expression inference for method/construct or references (JLS §15.12.2.7) (PR #5031 by @jlerbsc)
• Enforce JLS §14.11.1 language-level rules for multi-pattern case labels (PR #5010 by @jlerbsc)

• build: add OSGi support to all deployable modules (#1477) (PR #5011 by @ethan-godden)

• fix: resolve constructor references via context rather than constructed type (PR #5030 by @jlerbsc)
• fix: handle wildcard actualType in matchTypeParameters (issue #3751) (PR #5029 by @jlerbsc)
• Fix: UnsupportedOperationException when resolving method calls inside lambdas in Comparator.comparing (#2716) (PR #5026 by @jlerbsc)
• fix: resolve constructor parameter type for lambda in ObjectCreationExpr (PR #5024 by @jlerbsc)
• fix(FunctionalInterfaceLogic): return empty() for non-reference types (#3625) (PR #5022 by @jlerbsc)
• Fix lambda type inference for fully-qualified static method calls (#3476 (PR #5019 by @jlerbsc)
• fix(grammar): allow text block ending in escaped backslash before closing """ (PR #5017 by @ethan-godden)
• Fix parsing of multiple patterns in switch case labels (issue #4996) (PR #5009 by @jlerbsc)

• fix: resolve NameExpr to field when local variable with same name is declared later (PR #5025 by @jlerbsc)

Thank You to all contributors who worked on this release!

• @ethan-godden
• @jlerbsc