Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
This release of Red Hat build of Quarkus 2.13.8 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.
Security Fixes:
* CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray [quarkus-2]
* CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks [quarkus-2]
* CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption [quarkus-2]
* CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow [quarkus-2]
* CVE-2023-0482 RESTEasy: creation of insecure temp files [quarkus-2]
* CVE-2022-3782 keycloak: path traversal via double URL encoding [quarkus-2]
* CVE-2023-0481 io.quarkus-quarkus-parent: quarkus: insecure permissions on temp files [quarkus-2]
* CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider [quarkus-2]
For more information about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, see the CVE links listed in the References section.
References:
https://access.redhat.com/security/cve/CVE-2022-45787
https://access.redhat.com/security/cve/CVE-2023-0481
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-1436
https://access.redhat.com/security/cve/CVE-2023-1584
https://access.redhat.com/security/cve/CVE-2023-2974
https://access.redhat.com/security/cve/CVE-2023-26053
https://access.redhat.com/security/cve/CVE-2023-28867
https://access.redhat.com/security/updates/classification#moderate
https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/2.13
https://access.redhat.com/articles/4966181
An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks
2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol
5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):
QUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
QUARKUS-2787 - Rest Data Panache: Correct Open API integration
QUARKUS-2846 - Ensure that new line chars don't break Panache projection
QUARKUS-2978 - ExceptionMapper
QUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected
QUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled
QUARKUS-3161 - Fix security-csrf-prevention.adoc