Quarkus 2.10.3.Final released - Fixes CVE-2022-2466
2.10.0.CR1 introduced a major security issue known as CVE-2022-2466 in the SmallRye GraphQL server extension and all the 2.10.x releases are affected (together with 2.11.0.CR1). 2.10.3.Final fixes it and the fix will also be included in the upcoming 2.11.0.Final. You are only affected by this issue if you are exposing GraphQL services.
The request context was not properly terminated, so for a given thread all subsequent requests reused the context of the first request that thread handled. That context includes the authentication state if your GraphQL services require authentication, meaning later requests could be served with the first caller's identity.
This is an extremely serious issue so we urge anyone who has already upgraded to 2.10.x and is exposing GraphQL services to upgrade to 2.10.3.Final.
Note that 2.9 and earlier are not affected by the issue.
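As an added illustration (not SmallRye GraphQL's or Quarkus's own code; every name here is hypothetical), this Java sketch models the failure mode described above: a per-thread request context that is activated but never terminated, so every later request on the same worker thread is served with the first request's identity, beside the try/finally pattern that terminates the context when the request ends.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

// Hypothetical model of the bug class; not the real extension's code.
public class ContextLeakDemo {
    // Request-scoped context kept per worker thread (a ThreadLocal stands in for it).
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Leaky pattern: activate a context only if none is active, and never terminate it.
    // Because nothing clears the holder, the first request's user stays active for every
    // later request that the same thread handles, regardless of who actually sent it.
    static String handleLeaky(String authenticatedUser) {
        if (CURRENT_USER.get() == null) {
            CURRENT_USER.set(authenticatedUser);
        }
        return "served as " + CURRENT_USER.get();
    }

    // Fixed pattern: activate the context for this request and always terminate it,
    // even if request handling throws, so the thread carries nothing into the next request.
    static String handleFixed(String authenticatedUser) {
        CURRENT_USER.set(authenticatedUser);
        try {
            return "served as " + CURRENT_USER.get();
        } finally {
            CURRENT_USER.remove();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // A single worker thread makes the reuse deterministic; a pool behaves the same way
        // whenever two requests happen to land on one thread.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        // Constructed input: request 1 is authenticated as "alice", request 2 as "bob".
        worker.submit(() -> System.out.println("leaky, request 1 (alice): " + handleLeaky("alice")));
        worker.submit(() -> System.out.println("leaky, request 2 (bob):   " + handleLeaky("bob")));
        worker.submit(() -> System.out.println("fixed, request 1 (alice): " + handleFixed("alice")));
        worker.submit(() -> System.out.println("fixed, request 2 (bob):   " + handleFixed("bob")));
        worker.shutdown();
        worker.awaitTermination(5, TimeUnit.SECONDS);
    }
}
```

With the leaky handler the second request is reported under the first request's user, while the fixed handler reports each request under its own user; a test that runs two differently authenticated requests through one worker thread is a cheap regression check for this class of bug.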
This version also contains some minor additional fixes.
If you are not using 2.10 already, please refer to the 2.10 migration guide.
Full changelog
You can get the full changelog of 2.10.3.Final on GitHub.
Come join us
We value your feedback a lot so please report bugs, ask for improvements… Let's build something great together!
If you are a Quarkus user or just curious, don't be shy and join our welcoming community:
- provide feedback on GitHub;
- write some code and push a PR;
- chat with us on Zulip and on our mailing list;
- ask your questions on Stack Overflow.