Akka Http 2.4.11.2 Security Patch Released!
May 03 2017
Johannes Rudolph

Dear hakkers,

We announce the immediate availability of the second security patch for the experimental Akka HTTP that was part of the 2.4.x development series. It contains an important security fix for a vulnerability that affects all Akka HTTP applications that use the routing DSL. The vulnerability allows a remote attacker to crash an Akka HTTP server with a simple request, so it is highly recommended to update to Akka HTTP 2.4.11.2 as soon as possible. See the security announcement for more details.

Please note that for the latest developments of Akka HTTP you should switch to track its 10.0.x series - we strongly suggest upgrading to that version since it is the stable and maintained version of Akka HTTP, while the 2.4.11 version will only be receiving critical security updates for a while.

Compatibility notes

We strongly suggest upgrading to Akka 10.0.6 or later. Akka 10.0.x is backwards binary compatible with previous 10.0.x releases and Akka 2.4.x. This means that the new JARs are a drop-in replacement for the old ones (but not the other way around) as long as your build does not enable the inliner (Scala-only restriction). It should be noted that Scala 2.12.x is not binary compatible with Scala 2.11.x.

Changes:

This release only contains 2 additional commits over its predecessor to resolve the Accept header vulnerability.

Credits

One critical issue was closed since 2.4.11.1.

The complete list of closed issues can be found on the 2.4.11.2 milestone on GitHub.

Happy hakking!

– The Akka Team
