Release v2.11.14
·
1376 commits
to main
since this release
v2.11.14
neilalexander
Neil
This tag was signed with the committer’s verified signature.
neilalexander
Neil
797d251
This commit was signed with the committer’s verified signature.
neilalexander
Neil
Changelog
Refer to the 2.11 Upgrade Guide for backwards compatibility notes with 2.10.x.
Go Version
- 1.25.8
Dependencies
- golang.org/x/crypto v0.48.0 (#7874)
- golang.org/x/sys v0.42.0 (#7923)
- golang.org/x/time v0.15.0 (#7923)
CVEs
- Fixes CVE-2026-29785 (affects systems with leafnode compression enabled)
- Fixes CVE-2026-27889 (affects systems with WebSockets enabled)
Fixed
Leafnodes
- Receiving a leafnode subscription before negotiating compression should no longer result in a server panic
WebSockets
- Fix invalid parsing of 64-bit payload lengths, which could lead to a server panic
- Correctly reject compressed frames when compression was not negotiated as a part of the handshake
- The
Originheader validation now validates the protocol scheme as well as host and port - Gracefully handle failed connection upgrades
- The
CLOSEframe lengths and status codes are now validated correctly - The compressor state is correctly reset when a max payload error occurs
- Empty compressed buffers should no longer result in a server panic