The English version of is the official project site. Translated sites are community supported on a best-effort basis.

Quarkus 3.2.12.Final released - Maintenance LTS release

Quarkus 3.2.12.Final, the eleventh maintenance release of the 3.2 LTS release train has been released.

This release includes the following security-related fixes:

  • CVE-2024-2700 io.quarkus/quarkus-core: Leak of local configuration properties into Quarkus applications

  • CVE-2024-29025 io.netty/netty-codec-http: Allocation of Resources Without Limits or Throttling

  • CVE-2023-51775 org.bitbucket.b_c/jose4j: Dos Attack Via specifically crafted JWE

And the following component upgrades:

  • Apache Mime4J 0.8.9 → 0.8.11

  • Jose4J 0.9.3 → 0.9.6

  • Netty 4.1.100.Final → 4.1.108.Final

  • Netty tcnative 2.0.61.Final → 2.0.65.Final

  • Vert.x 4.4.8 → 4.4.9

  • com.dajudge.kindcontainer:kindcontainer 1.3.0 → 1.4.5

If you are not already using a 3.2 release, please refer to our migration guide.

Known issues include:

It should be a safe upgrade for anyone already using a 3.2.11.Final release. However, the fix for CVE-2024-2700 introduces a change in how configuration options are recoded at build time and should be taken into account. More specifically, properties from configuration sources that are considered local (those that are available at build time but not runtime, such as environment variables, system properties, Maven and Gradle project properties) will not override the default values of runtime configuration properties. This is done to avoid leaking local environment values into production builds.

Full changelog

Come Join Us

We value your feedback a lot so please report bugs, ask for improvements…​ Let’s build something great together!

If you are a Quarkus user or just curious, don’t be shy and join our welcoming community: