The English version of quarkus.io is the official project site. Translated sites are community supported on a best-effort basis.

Quarkus 3.2.10.Final released - Maintenance LTS release

Quarkus 3.2.10.Final, the tenth maintenance release of the 3.2 LTS release train has been released.

This release includes the following security-related fixes:

  • CVE-2023-5675 Authorization flaw in Quarkus RestEasy Reactive and Classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used

  • CVE-2023-6267 JSON payload getting processed prior to security checks when REST resources are used with annotations

  • CVE-2023-4043 org.eclipse.parsson/parsson: Denial of Service due to large number parsing

  • CVE-2023-48795 apache-sshd: ssh: Prefix truncation attack on Binary Packet Protocol

  • CVE-2023-22102 mysql-connector-java: Connector/J unspecified vulnerability

  • RESTEASY-3380 Source references exposed in RESTEasy error response

And the following component upgrades:

  • Apache commons-compress 1.24.0 → 1.25.0

  • Apache SSHD 2.10.0 → 2.12.0

  • Eclipse Parsson 1.1.2 → 1.1.6

  • Hibernate ORM 6.2.13.Final → 6.2.18.Final

  • Hibernate Reactive 2.0.6.Final → 2.0.8.Final

  • Jandex 3.1.2 → 3.1.6

  • MySQL JDBC driver version 8.0.30 → 8.2.0

  • RESTEasy 6.2.4.Final → 6.2.7.Final

  • SmallRye Reactive Messaging 4.6.0 → 4.6.1

If you are not already using a 3.2 release, please refer to our migration guide.

Known issues include:

It should be a safe upgrade for anyone already using a 3.2 release. However, some users may potentially run into the following couple of issues.

Using CDI interceptors to resolve multitenant OIDC configuration fails due to security fix in 3.2.10.Final

The security fix implemented in Red Hat build of Quarkus version 3.2.10.Final to address CVE-2023-6267 introduced a breaking change.

This breaking change is relevant only when using multiple OIDC providers with RestEasy Classic and occurs if you use Context and Dependency Injection (CDI) interceptors to programmatically resolve OIDC tenant configuration identifiers.

Before this fix, CDI interceptors ran before authentication checks. After introducing the fix, authentication occurs before CDI interceptors are triggered. Therefore, using CDI interceptors to resolve multiple OIDC provider configuration identifiers no longer works. RestEasy Reactive applications are not affected.

Workaround: Use the quarkus.oidc.TenantResolver method to resolve the current OIDC configuration tenant ID.

For more information, see the Resolving tenant identifiers with annotations section of the Quarkus “Using OpenID Connect (OIDC) multitenancy” guide.

Change of the MySQL JDBC driver Maven artifact groupId and artifactId

As a consequence of fixing CVE-2023-22102, the groupId and artifactId of the MySQL JDBC driver in the quarkus-bom has changed from

      <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.30</version>
      </dependency>

to

      <dependency>
        <groupId>com.mysql</groupId>
        <artifactId>mysql-connector-j</artifactId>
        <version>8.2.0</version>
      </dependency>

Projects consuming it as a dependency of io.quarkus:quarkus-jdbc-mysql will not be affected by this change. However, projects that had a direct dependency on mysql:mysql-connector-java relying on quarkus-bom to manage its version will have to update the groupId and artifactId to the new ones mentioned above.

Full changelog

Come Join Us

We value your feedback a lot so please report bugs, ask for improvements…​ Let’s build something great together!

If you are a Quarkus user or just curious, don’t be shy and join our welcoming community: