Quarkus 3.2.10.Final released - Maintenance LTS release
Quarkus 3.2.10.Final, the tenth maintenance release of the 3.2 LTS release train, has been released.
This release includes the following security-related fixes:
- CVE-2023-5675 Authorization flaw in Quarkus RestEasy Reactive and Classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used
- CVE-2023-6267 JSON payload getting processed prior to security checks when REST resources are used with annotations
- CVE-2023-4043 org.eclipse.parsson/parsson: Denial of Service due to large number parsing
- CVE-2023-48795 apache-sshd: ssh: Prefix truncation attack on Binary Packet Protocol
- CVE-2023-22102 mysql-connector-java: Connector/J unspecified vulnerability
- RESTEASY-3380 Source references exposed in RESTEasy error response
And the following component upgrades:
- Apache commons-compress 1.24.0 → 1.25.0
- Apache SSHD 2.10.0 → 2.12.0
- Eclipse Parsson 1.1.2 → 1.1.6
- Hibernate ORM 6.2.13.Final → 6.2.18.Final
- Hibernate Reactive 2.0.6.Final → 2.0.8.Final
- Jandex 3.1.2 → 3.1.6
- MySQL JDBC driver version 8.0.30 → 8.2.0
- RESTEasy 6.2.4.Final → 6.2.7.Final
- SmallRye Reactive Messaging 4.6.0 → 4.6.1
If you are not already using a 3.2 release, please refer to our migration guide.
Known issues include:
It should be a safe upgrade for anyone already using a 3.2 release. However, some users may run into the following two issues.
Using CDI interceptors to resolve multitenant OIDC configuration fails due to security fix in 3.2.10.Final
The security fix implemented in Red Hat build of Quarkus version 3.2.10.Final to address CVE-2023-6267 introduced a breaking change.
This breaking change is relevant only when using multiple OIDC providers with RestEasy Classic and occurs if you use Context and Dependency Injection (CDI) interceptors to programmatically resolve OIDC tenant configuration identifiers.
Before this fix, CDI interceptors ran before authentication checks. After introducing the fix, authentication occurs before CDI interceptors are triggered. Therefore, using CDI interceptors to resolve multiple OIDC provider configuration identifiers no longer works. RestEasy Reactive applications are not affected.
Workaround: Use the quarkus.oidc.TenantResolver method to resolve the current OIDC configuration tenant ID.
For more information, see the Resolving tenant identifiers with annotations section of the Quarkus “Using OpenID Connect (OIDC) multitenancy” guide.
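As an added illustration of the workaround (this is example code, not code from the Quarkus project or from this release note), the following bean implements the io.quarkus.oidc.TenantResolver interface and derives the tenant identifier from the first path segment of the request. The tenant names "tenant-a" and "tenant-b", the package name and the path layout are assumptions for the example; the resolver is invoked by the OIDC extension for every request, so the tenant decision is made before authentication runs and no longer depends on a CDI interceptor that, since this fix, only executes after authentication.

```java
// Added example, not from the Quarkus project: resolve the OIDC tenant from the
// request path instead of from a CDI interceptor (which runs after authentication
// in 3.2.10.Final when RestEasy Classic is used).
package org.acme.security; // hypothetical package name

import java.util.Set;

import io.quarkus.oidc.TenantResolver;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;

@ApplicationScoped
public class PathTenantResolver implements TenantResolver {

    // Assumed tenant identifiers; each one must have a matching
    // quarkus.oidc.<tenant-id>.* configuration block in application.properties.
    private static final Set<String> KNOWN_TENANTS = Set.of("tenant-a", "tenant-b");

    @Override
    public String resolve(RoutingContext context) {
        // Example path layout (assumption): /<tenant-id>/api/...
        String path = context.request().path();
        if (path == null || path.length() < 2) {
            return null; // null selects the default tenant configuration
        }
        String[] segments = path.substring(1).split("/", 2);
        String candidate = segments[0];

        // Only return identifiers that are actually configured; anything else
        // falls back to the default tenant instead of a non-existent one.
        return KNOWN_TENANTS.contains(candidate) ? candidate : null;
    }
}
```

Returning null hands the request to the default tenant, so a typo in a path or an unknown tenant name never selects an unconfigured provider. Keep the set of accepted identifiers closed rather than passing arbitrary path input through as a tenant name.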
Change of the MySQL JDBC driver Maven artifact groupId and artifactId
As a consequence of fixing CVE-2023-22102, the groupId and artifactId of the MySQL JDBC driver in the quarkus-bom has changed from

    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.30</version>
    </dependency>

to

    <dependency>
        <groupId>com.mysql</groupId>
        <artifactId>mysql-connector-j</artifactId>
        <version>8.2.0</version>
    </dependency>

Projects consuming it as a dependency of io.quarkus:quarkus-jdbc-mysql will not be affected by this change. However, projects that had a direct dependency on mysql:mysql-connector-java and relied on quarkus-bom to manage its version will have to update the groupId and artifactId to the new ones mentioned above.
Full changelog
You can get the full changelog of 3.2.10.Final on GitHub.
Come and join us
We value your feedback a lot, so please report bugs and ask for improvements. Let's build something great together!
Whether you are a Quarkus user or just curious, don't be shy and join our community:
- Provide feedback on GitHub
- Craft some code and push a pull request
- Ask questions on Stack Overflow