Quarkus 3.2.10.Final released - Maintenance LTS release
Quarkus 3.2.10.Final, the tenth maintenance release of the 3.2 LTS release train has been released.
This release includes the following security-related fixes:
-
CVE-2023-5675 Authorization flaw in Quarkus RestEasy Reactive and Classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used
-
CVE-2023-6267 JSON payload getting processed prior to security checks when REST resources are used with annotations
-
CVE-2023-4043 org.eclipse.parsson/parsson: Denial of Service due to large number parsing
-
CVE-2023-48795 apache-sshd: ssh: Prefix truncation attack on Binary Packet Protocol
-
CVE-2023-22102 mysql-connector-java: Connector/J unspecified vulnerability
-
RESTEASY-3380 Source references exposed in RESTEasy error response
And the following component upgrades:
-
Apache commons-compress 1.24.0 → 1.25.0
-
Apache SSHD 2.10.0 → 2.12.0
-
Eclipse Parsson 1.1.2 → 1.1.6
-
Hibernate ORM 6.2.13.Final → 6.2.18.Final
-
Hibernate Reactive 2.0.6.Final → 2.0.8.Final
-
Jandex 3.1.2 → 3.1.6
-
MySQL JDBC driver version 8.0.30 → 8.2.0
-
RESTEasy 6.2.4.Final → 6.2.7.Final
-
SmallRye Reactive Messaging 4.6.0 → 4.6.1
If you are not already using a 3.2 release, please refer to our migration guide.
Known issues include:
It should be a safe upgrade for anyone already using a 3.2 release. However, some users may potentially run into the following couple of issues.
Using CDI interceptors to resolve multitenant OIDC configuration fails due to security fix in 3.2.10.Final
The security fix implemented in Red Hat build of Quarkus version 3.2.10.Final to address CVE-2023-6267 introduced a breaking change.
This breaking change is relevant only when using multiple OIDC providers with RestEasy Classic and occurs if you use Context and Dependency Injection (CDI) interceptors to programmatically resolve OIDC tenant configuration identifiers.
Before this fix, CDI interceptors ran before authentication checks. After introducing the fix, authentication occurs before CDI interceptors are triggered. Therefore, using CDI interceptors to resolve multiple OIDC provider configuration identifiers no longer works. RestEasy Reactive applications are not affected.
Workaround: Use the quarkus.oidc.TenantResolver
method to resolve the current OIDC configuration tenant ID.
For more information, see the Resolving tenant identifiers with annotations section of the Quarkus “Using OpenID Connect (OIDC) multitenancy” guide.
Change of the MySQL JDBC driver Maven artifact groupId and artifactId
As a consequence of fixing CVE-2023-22102, the groupId and artifactId of the MySQL JDBC driver in the quarkus-bom
has changed from
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.30</version>
</dependency>
to
<dependency>
<groupId>com.mysql</groupId>
<artifactId>mysql-connector-j</artifactId>
<version>8.2.0</version>
</dependency>
Projects consuming it as a dependency of io.quarkus:quarkus-jdbc-mysql
will not be affected by this change. However, projects that had a direct dependency on mysql:mysql-connector-java
relying on quarkus-bom
to manage its version will have to update the groupId and artifactId to the new ones mentioned above.
Registro completo de cambios
You can get the full changelog of 3.2.10.Final on GitHub.
Únete a nosotros
Valoramos mucho tus comentarios, así que por favor reporta errores, solicita mejoras… ¡Construyamos algo grandioso juntos!
Si eres un usuario de Quarkus o simplemente tienes curiosidad, no seas tímido y únete a nuestra acogedora comunidad:
-
proporcionar retroalimentación en GitHub;
-
escribir algo de código y enviar push a PR;
-
comentar con nosotros en Zulip y en nuestra lista de correo;
-
hacer tus preguntas en Stack Overflow.