Akka Http 10.0.6 Security Update Released!
May 03 2017
Johannes Rudolph

Dear hakkers,

we — the Akka HTTP committers — are happy to announce Akka Http 10.0.6, which is the sixth release of the Akka Http 10.0 series. It contains an important security fix for a vulnerability that affects all Akka HTTP applications that use the Akka HTTP routing DSL. The vulnerability allows a remote attacker to crash an Akka HTTP server with a simple request leading to a denial of service. It is highly recommended to update to Akka HTTP 10.0.6 as soon as possible. See the security announcement for more details.

Please subscribe to the akka-security mailing list to be notified promptly about future security issues.

This update also contains several maintenance fixes and improvements as detailed below.

Compatibility notes

This version is compatible with Akka 2.4.x as well as the current 2.5.1, so we encourage you to use Akka 2.5 with this version, as the new completely redesigned materializer in Akka Streams can result in various performance and memory usage improvements across the board.

If you want to use Akka HTTP together with Akka 2.5.1 make sure to include a dependency to akka-stream 2.5.1 and not only to akka-actor 2.5.1 (otherwise, your app may fail at runtime because of incompatibilities between a 2.4.x version of akka-stream and a 2.5.x version of akka-actor).

Akka 10.0.x is backwards binary compatible with previous 10.0.x releases and Akka 2.4.x. This means that the new JARs are a drop-in replacement for the old one (but not the other way around) as long as your build does not enable the inliner (Scala-only restriction). It should be noted that Scala 2.12.x is is not binary compatible with Scala 2.11.x.

Notable changes:

Improvements

akka-http-core
  • Make response parser more relaxed on accepting status line without reason message (#981)
  • Use media type parameters in content negotiation (#963)
  • Small performance improvements (#999, #1032)
  • Added HttpMessage.transformEntityDataBytes (#771)
  • Allow binding server with HTTP/2 support via configuration flag with Http().bindAndHandleAsync (#463)
akka-http
  • Make marshaller composition more lazy to prevent redundant marshalling when using Marshaller.oneOf (#1019)
  • Allow Java-implemented ContentTypeResolver (#360)
  • Java DSL routing complete now has override that takesResponseEntity as a parameter instead of RequestEntity (#982)
  • Improved usage and documentation of Encoder / Decoder on the Scala and Java side (#771)
akka-http2-support
  • Refactoring: move handling of per-stream frames to dedicated state handlers (#1064)
Documentation
  • Provide Decoding Response example for Java (#760)
  • Add Java example to extract header value with default value (#639)
  • Add HTTP custom method example (#954)
  • Smaller fixes and additions
Build + Infrastructure
  • Add OSGi to project in order to release each project with OSGi bundle headers (#574)
  • Rename root project to ‘akka-http-root’ (#1030)

Bug Fixes

akka-http-core
  • Ignore unsupported */xyz media types (#1072)
  • Exclude port when rendering X-Forwarded-For and X-Real-Ip headers (#440)
  • Fix NPE when accessing static Java constant fields (#936)
  • Make sure pool log messages have “PoolGateway” set as logClass for easier filtering (#1013)
akka-http
  • Move special non-2xx handling from RequestContextImpl to fromStatusCodeAndHeadersAndValue marshaller (#1072)
  • Handle failure while parsing the URI in parameter extraction (#1043)
  • Make extractStrictEntity provide strict entity for inner routes (#961)
  • Enable javadsl to unmarshal with default ExecutionContext (#967)
  • Smaller fixes for HttpApp
akka-http2-support
  • Fix memory leak in ALPN switcher (#886)

Credits

A total 50 issues were closed since 10.0.5.

The complete list of closed issues can be found on the 10.0.6 milestones on github.

For this release we had the help of 14 contributors – thank you all very much!

Credits:

commits  added  removed
     16    581      104 Konrad `ktoso` Malawski
     13    320       93 Josep Prat
     10    464      210 Johannes Rudolph
      5    119       30 Arnout Engelen
      4    131       44 Jonas Fonseca
      4     37       13 Bartłomiej Tomala
      3    102       13 michael-smith
      2      3        3 Barnabás Oláh
      1     39        8 Jan Ypma
      1     21        9 Aurélien Thieriot
      1     21        1 Richard S. Imaoka
      1     19        2 Hugh
      1      6        4 Patrik Nordwall
      1      1        1 MiR

Happy hakking!

– The Akka Team

Past News Items
May 03 2017
Dear hakkers, we — the Akka HTTP committers — are happy to announce Akka Http 10.0.6, which is the sixth release of the Akka Http 10.0 series. It contains an...
May 02 2017
Dear hakkers, we—the Akka committers—are proud to announce Akka 2.5.1, which is the first maintenance release of Akka 2.5. Some notable improvements and bug fixes are: Limiting the number of...
May 02 2017
Dear hakkers, We are proud to announce Akka 2.4.18, which is another maintenance release of Akka 2.4. Some notable improvements and bug fixes are: Limiting number of concurrent PersistentActor recoveries,...
Apr 13 2017
Dear hakkers, we—the Akka committers—are proud to be able to announce the availability of Akka 2.5.0. Since the release of Akka 2.4.0 (already 18 months ago) we have incrementally added...
Mar 30 2017
Dear hakkers, we—the Akka committers—are pleased to be able to announce the availability of Akka 2.5.0-RC2 (SECOND RELEASE CANDIDATE). This is what we intend to ship as 2.5.0 final unless...
Mar 17 2017
Dear hakkers, we — the Akka HTTP committers — are happy to announce Akka Http 10.0.5, which is the fifth maintenance release of the Akka Http 10.0 series. It is...
Mar 17 2017
Dear hakkers, we—the Akka committers—are proud to be able to announce the availability of Akka 2.5.0-RC1 (FIRST RELEASE CANDIDATE). Since the release of Akka 2.4.0 (already 18 months ago) we...
Feb 24 2017
Dear hakkers, we—the Akka committers—proudly present the second development milestone for Akka 2.5. Since the release of Akka 2.4.0 (already 17 months ago) we have incrementally added many new features...