Dear hakkers,
we are happy to announce the 10.1.5 and 10.0.14 releases of Akka HTTP. Both releases fix the DoS vulnerability in the decodeRequest directive that was announced [last week](https://akka.io/blog/news/2018/08/30/akka-http-dos-vulnerability-found). Thanks to @tewe and @TheEmacsShibe, who brought that issue to our attention.
More information about the vulnerability can be found here.
Please update as soon as possible.
Migration Notes
To avoid excessive memory usage we introduced two new limits that apply by default:
- akka.http.routing.decode-max-size: This limit applies when you use decodeRequest and bounds the amount of decompressed data. The default limit is 8 megabytes.
- akka.http.parsing.max-to-strict-bytes: This limit applies when you use HttpEntity.toStrict or the toStrictEntity directive (and related directives). It will only collect up to the given amount of data and fail otherwise. The default limit is 8 megabytes.
Depending on your application requirements, you may want to change these settings.
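As an added example (not code from the release or the Akka project), the following Scala server overrides both new limits and uses the directives they protect. It assumes Akka HTTP 10.1.5 on Akka 2.5 (hence the explicit ActorMaterializer); the 1 megabyte values, the "upload" path and the port are illustrative choices, not recommendations from the release notes.

```scala
import akka.actor.ActorSystem
import akka.http.scaladsl.Http
import akka.http.scaladsl.server.Directives._
import akka.stream.ActorMaterializer
import com.typesafe.config.ConfigFactory
import scala.concurrent.duration._

object LimitedDecodeServer extends App {
  // Tighten the two 10.1.5 limits below their 8m defaults (assumed values for illustration).
  // Values are HOCON sizes, so "1m" means one megabyte.
  val config = ConfigFactory.parseString(
    """
    akka.http.routing.decode-max-size = 1m
    akka.http.parsing.max-to-strict-bytes = 1m
    """).withFallback(ConfigFactory.load())

  implicit val system: ActorSystem = ActorSystem("limited-decode", config)
  implicit val materializer: ActorMaterializer = ActorMaterializer()

  val route =
    path("upload") {
      post {
        // decodeRequest inflates gzip/deflate bodies; since 10.1.5 it stops
        // once decode-max-size bytes of decompressed data have been produced
        // instead of buffering an unbounded amount (the "zip bomb" case).
        decodeRequest {
          // toStrictEntity reads the (already decompressed) entity into memory,
          // but collects at most max-to-strict-bytes before failing the request.
          toStrictEntity(5.seconds) {
            entity(as[String]) { body =>
              complete(s"received ${body.length} characters")
            }
          }
        }
      }
    }

  // Bind on a local port (assumed value); requests exceeding either limit fail
  // instead of exhausting the heap.
  Http().bindAndHandle(route, "localhost", 8080)
}
```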
Changes in 10.1.5 since 10.1.4
For a full overview you can also see the 10.1.5 milestone:
- Restrict the maximum size of a request entity after uncompressing it with decodeRequest (#2137)
- Restrict the maximum size of a request entity when reading it into memory with toStrict (#2186)
- Correctly set a default parallelism value when none is specified for HTTP/2 (#2165)
- Avoid matching an empty pattern when using PathMatcher.repeat (#2097)
- Add ServerSentEvent.heartbeat() to the Java DSL (#2187)
Changes in 10.0.14 since 10.0.13
For a full overview you can also see the 10.0.14 milestone:
- Restrict the maximum size of a request entity after uncompressing it with decodeRequest (#2137)
- Restrict the maximum size of a request entity when reading it into memory with toStrict (#2186)
- Support parameters for custom media types (#2005)
Credits
The complete list of closed issues can be found on the 10.1.5 and 10.0.14 milestones on GitHub.
For the 10.1.5 release we had the help of 6 contributors - thank you all very much!
Credits:
| commits | added | removed | contributor        |
|---------|-------|---------|--------------------|
| 10      | 584   | 141     | Arnout Engelen     |
| 4       | 169   | 39      | Johannes Rudolph   |
| 1       | 3     | 3       | Christopher Batey  |
| 1       | 55    | 18      | wholock            |
| 1       | 24    | 0       | Josep Prat         |
| 1       | 1     | 1       | Markus Hauck       |
Happy hakking!
– The Akka Team & Akka Http Contributors