Dear hakkers,
We are pleased to announce a new patch release of Akka 2.5.
Users of akka-camel are recommended to update to Camel version 2.17.7 and akka-camel 2.5.4 due to a security vulnerability in Camel, see below.
Some notable improvements in 2.5.4 are:
- New PartitionHub for routing of elements to dynamic streams, #21880
- New timer API for scheduling messages in an actor to itself, #15733
- New affinity dispatcher, thanks to Zahari Dichev and Viktor Klang, #12035
- Support more than one role in Cluster aware routers, thanks to Sébastien Lorion, #23257
- Prioritized merge stream operator, thanks to Arpan Chaudhury, #22865
- Following the Reactive Streams 1.0.1 release yesterday, Akka Streams is now fully compatible with that revision of the standard (which is backwards compatible with 1.0.0) #23498
- Stages for restarting streams after a backoff, thanks to James Roper, #19950
A total of 53 issues were closed since 2.5.3. The complete list can be found on the 2.5.4 milestone on github.
Security vulnerability in Camel dependency
akka-camel had a dependency to camel-core 2.15.6 and that version of Camel’s Validation Component is vulnerable against SSRF via remote DTDs and XXE, as described in CVE-2017-5643. Therefore we have updated the Camel dependency to version 2.17.7 in Akka 2.5.4 and 2.4.20. If you are using akka-camel you should also update your dependencies of other Camel modules to 2.17.7.
This update of Camel version might cause that akka-camel is not fully backwards compatible with prior versions. We didn’t have to change the source code when updating but there might be changes in Camel that we are not aware of. It’s recommended that you recompile and test your applications and libraries when doing this update.
We would like to thank Thomas Szymanski for bringing this issue to our attention.
Credits
For this release we had the help of 47 committers – thank you all very much!
commits added removed
18 1537 2328 Arnout Engelen
16 1407 4158 Richard Imaoka
15 2354 480 Patrik Nordwall
12 80 55 Sebastian Harko
10 748 1968 Nafer Sanabria
10 290 72 Konrad `ktoso` Malawski
4 525 1470 gosubpl
4 334 1075 Atiq Sayyed
4 840 335 Johan Andrén
4 513 393 Viktor Klang
4 13 22 Ryan Brideau
3 911 1207 Martynas Mickevičius
3 48 12 Hawstein
3 2 15 László van den Hoek
2 296 24 Josep Prat
2 82 82 Jimin Hsieh
1 1342 136 Zahari Dichev
1 1173 3 James Roper
1 444 95 Sébastien Lorion
1 329 3 Arpan Chaudhury
1 149 7 Kirill Yankov
1 30 24 Heiko Seeberger
1 36 1 Nicolas Vollmar
1 30 3 Gilad Hoch
1 16 16 Patryk Najda
1 15 5 Jim Riordan
1 12 6 Jan Ypma
1 18 0 Alexander Golubev
1 16 1 Den Kovalevsky
1 9 6 Daniele Torelli
1 7 1 Johannes Rudolph
1 3 3 Dale Wijnand
1 3 3 Evander Otieno
1 2 2 Rafael Avila
1 2 2 Francis De Brabandere
1 2 2 Oliver Lockwood
1 2 2 Sjoerd Mulder
1 1 1 kellen
1 1 1 Dhirendra Kumar Kashyap
1 1 1 Thomas Szymanski
1 1 1 Ifeanyi Ubah
1 1 1 Vitor de Moraes
1 1 1 Manu Zhang
1 1 1 Jules Ivanic
1 1 1 Christopher Batey
1 1 1 Evgeniy Abduzhapparov
1 1 1 synox
Happy hakking!
– The Akka Team