Quarkus 3.2.10.Final released - Maintenance LTS release
Quarkus 3.2.10.Final, the tenth maintenance release of the 3.2 LTS release train, has been released.
This release includes the following security-related fixes:
- CVE-2023-5675 Authorization flaw in Quarkus RESTEasy Reactive and Classic when the "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used
- CVE-2023-6267 JSON payload processed prior to security checks when REST resources are used with annotations
- CVE-2023-4043 org.eclipse.parsson/parsson: Denial of Service due to large number parsing
- CVE-2023-48795 apache-sshd: ssh: Prefix truncation attack on the Binary Packet Protocol ("Terrapin")
- CVE-2023-22102 mysql-connector-java: Connector/J unspecified vulnerability
- RESTEASY-3380 Source references exposed in RESTEasy error response
And the following component upgrades:
- Apache commons-compress 1.24.0 → 1.25.0
- Apache SSHD 2.10.0 → 2.12.0
- Eclipse Parsson 1.1.2 → 1.1.6
- Hibernate ORM 6.2.13.Final → 6.2.18.Final
- Hibernate Reactive 2.0.6.Final → 2.0.8.Final
- Jandex 3.1.2 → 3.1.6
- MySQL JDBC driver 8.0.30 → 8.2.0
- RESTEasy 6.2.4.Final → 6.2.7.Final
- SmallRye Reactive Messaging 4.6.0 → 4.6.1
If you are not already using a 3.2 release, please refer to our migration guide.
Known issues
It should be a safe upgrade for anyone already using a 3.2 release. However, some users may run into the following two issues.
Using CDI interceptors to resolve multitenant OIDC configuration fails due to security fix in 3.2.10.Final
The security fix for CVE-2023-6267 in Quarkus 3.2.10.Final introduces a breaking change.
This breaking change is relevant only when using multiple OIDC providers with RESTEasy Classic, and only if you use Context and Dependency Injection (CDI) interceptors to programmatically resolve OIDC tenant configuration identifiers.
Before this fix, CDI interceptors ran before the authentication checks, so an interceptor could select the tenant configuration that authentication then used. Since the fix, authentication runs before any CDI interceptor is triggered (that ordering is what stops request payloads being processed before security checks), so a tenant identifier set from an interceptor arrives too late and multi-tenant resolution through interceptors no longer works. RESTEasy Reactive applications are not affected.
Workaround: implement the io.quarkus.oidc.TenantResolver interface and return the current OIDC tenant configuration ID from its resolve(RoutingContext) method. The resolver is invoked by the OIDC authentication mechanism itself, so it runs before authentication completes and is not affected by the new ordering.
For more information, see the "Resolving tenant identifiers with annotations" section of the Quarkus "Using OpenID Connect (OIDC) multitenancy" guide.
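As an added example (not code from the original post or from the Quarkus project), the following TenantResolver selects the OIDC tenant from the first path segment of the request, which is the kind of logic that previously lived in a CDI interceptor. The package name, the class name and the tenant IDs tenant-a and tenant-b are assumptions for illustration; anything else falls back to the default tenant.

```java
package org.acme.oidc; // hypothetical package, chosen for this example

import io.quarkus.oidc.TenantResolver;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;

import java.util.Set;

/**
 * Resolves the OIDC tenant configuration ID from the first path segment.
 * Quarkus calls resolve() from the OIDC authentication mechanism, i.e. before
 * the request reaches the JAX-RS resource and its CDI interceptor chain, so
 * the ordering change introduced by the CVE-2023-6267 fix does not affect it.
 */
@ApplicationScoped
public class PathTenantResolver implements TenantResolver {

    // Tenant IDs assumed for this example; each needs a matching
    // quarkus.oidc.<tenant-id>.* block in application.properties.
    private static final Set<String> KNOWN_TENANTS = Set.of("tenant-a", "tenant-b");

    @Override
    public String resolve(RoutingContext context) {
        String path = context.request().path(); // e.g. "/tenant-a/api/orders"
        String[] segments = path.split("/");
        // segments[0] is the empty string before the leading "/"
        if (segments.length > 1 && KNOWN_TENANTS.contains(segments[1])) {
            return segments[1];
        }
        // Returning null selects the default tenant (quarkus.oidc.*). Unknown
        // path segments fall back to it instead of being passed through as a
        // tenant ID taken verbatim from the request.
        return null;
    }
}
```

Each returned ID must correspond to a configured tenant, for example quarkus.oidc.tenant-a.auth-server-url, quarkus.oidc.tenant-a.client-id and quarkus.oidc.tenant-a.credentials.secret; the allow-list in the resolver keeps the mapping from request data to tenant configuration explicit rather than trusting whatever segment the client sends.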
Change of the MySQL JDBC driver Maven artifact groupId and artifactId
As a consequence of fixing CVE-2023-22102, the groupId and artifactId of the MySQL JDBC driver managed in the quarkus-bom have changed from

    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.30</version>
    </dependency>

to

    <dependency>
        <groupId>com.mysql</groupId>
        <artifactId>mysql-connector-j</artifactId>
        <version>8.2.0</version>
    </dependency>

Projects that consume the driver transitively through io.quarkus:quarkus-jdbc-mysql are not affected by this change. However, projects that declared a direct dependency on mysql:mysql-connector-java and relied on quarkus-bom to manage its version must update the groupId and artifactId to the new ones above, since the old coordinates are no longer managed by the BOM and would be left without a version. To check whether a build still references the old coordinates, run mvn dependency:tree -Dincludes=mysql:mysql-connector-java (Maven) or inspect the output of gradle dependencies (Gradle).
Full changelog
You can get the full changelog of 3.2.10.Final on GitHub.
Come Join Us
We value your feedback a lot so please report bugs, ask for improvements… Let’s build something great together!
If you are a Quarkus user or just curious, don’t be shy and join our welcoming community:
- provide feedback on GitHub;
- craft some code and push a PR;
- discuss with us on Zulip and on the mailing list;
- ask your questions on Stack Overflow.