Quarkus 3.2.12.Final released - Maintenance LTS release
Quarkus 3.2.12.Final, the eleventh maintenance release of the 3.2 LTS release train has been released.
This release includes the following security-related fixes:
-
CVE-2024-2700 io.quarkus/quarkus-core: Leak of local configuration properties into Quarkus applications
-
CVE-2024-29025 io.netty/netty-codec-http: Allocation of Resources Without Limits or Throttling
-
CVE-2023-51775 org.bitbucket.b_c/jose4j: Dos Attack Via specifically crafted JWE
And the following component upgrades:
-
Apache Mime4J 0.8.9 → 0.8.11
-
Jose4J 0.9.3 → 0.9.6
-
Netty 4.1.100.Final → 4.1.108.Final
-
Netty tcnative 2.0.61.Final → 2.0.65.Final
-
Vert.x 4.4.8 → 4.4.9
-
com.dajudge.kindcontainer:kindcontainer 1.3.0 → 1.4.5
If you are not already using a 3.2 release, please refer to our migration guide.
Known issues include:
It should be a safe upgrade for anyone already using a 3.2.11.Final release. However, the fix for CVE-2024-2700 introduces a change in how configuration options are recoded at build time and should be taken into account. More specifically, properties from configuration sources that are considered local (those that are available at build time but not runtime, such as environment variables, system properties, Maven and Gradle project properties) will not override the default values of runtime configuration properties. This is done to avoid leaking local environment values into production builds.
Full changelog
You can get the full changelog of 3.2.12.Final on GitHub.
Come Join Us
We value your feedback a lot so please report bugs, ask for improvements… Let’s build something great together!
If you are a Quarkus user or just curious, don’t be shy and join our welcoming community:
-
provide feedback on GitHub;
-
craft some code and push a PR;
-
discuss with us on Zulip and on the mailing list;
-
ask your questions on Stack Overflow.