-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat build of Quarkus 2.7.7 release and security update Advisory ID: RHSA-2023:1006-01 Product: Red Hat build of Quarkus Advisory URL: https://access.redhat.com/errata/RHSA-2023:1006 Issue date: 2023-03-08 CVE Names: CVE-2022-1471 CVE-2022-3171 CVE-2022-31197 CVE-2022-41946 CVE-2022-41966 CVE-2022-42003 CVE-2022-42004 CVE-2022-42889 CVE-2023-0044 ===================================================================== 1. Summary: An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section. 2. Description: This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Security Fix(es): *CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2] *CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2] *CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [quarkus-2.7] *CVE-2022-42004 jackson-databind: use of deeply nested arrays [quarkus-2.7] *CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [quarkus-2.7] *CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE [quarkus-2.7] *CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2] *CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow [quarkus-2.7] *CVE-2022-3171 protobuf-java: timeout in parser leads to DoS [quarkus-2] 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2129428 - CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE 2137645 - CVE-2022-3171 protobuf-java: timeout in parser leads to DoS 2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution 2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions 2158081 - CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure 2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow 5. JIRA issues fixed (https://issues.jboss.org/): QUARKUS-2593 - qpid extension, geronimo-jms_2.0_spec artifacts are not included in maven repo zip QUARKUS-2705 - Old graal-sdk and nativeimage svm comparing to builder image QUARKUS-2852 - JReleaser - Specific configuration for maintenance and preview QUARKUS-2854 - Fix memory leak in Agroal local connection cache for Netty's FastThreadLocalThread QUARKUS-2855 - Allow CORS same origin requests QUARKUS-2856 - Handle maintenance releases in release-cli.sh QUARKUS-2861 - Complete implementation of UriInfoImpl QUARKUS-2862 - Prevent duplicate HTTP headers when WriterInterceptor is used QUARKUS-2864 - Fix how certificates are obtained in the RestClient integration tests QUARKUS-2865 - Remove wrong LANG from dockerfile use parent default QUARKUS-2866 - Delay initialization of the DefaultChannelId class at runtime QUARKUS-2867 - Strip debug information from the native executable unconditionally QUARKUS-2869 - Use proper HttpHeaders FQCN QUARKUS-2871 - Properly ensure that transfer-encoding is not set when content-length exists QUARKUS-2872 - Properly initialize elements from the datasource configs QUARKUS-2873 - Attempt to fix podman DNS issue QUARKUS-2874 - Clear out OutputStream when a MessageBodyWriter throws an exception QUARKUS-2876 - Allow to override the Oracle JDBC metadata for native images also on Windows QUARKUS-2877 - Move excludes for jaeger-thrift to the bom QUARKUS-2879 - Fix some typos in Maven tooling doc QUARKUS-2880 - Ensure that File is properly handled in native mode in RESTEasy Reactive QUARKUS-2882 - Ensure that @WithConverter values work in native mode QUARKUS-2883 - Provide actionable error message when unable to bind to Unix domain socket QUARKUS-2884 - Fix the error for non-blocking multipart endpoints QUARKUS-2885 - List Reactive Oracle Client in Hibernate Reactive guide QUARKUS-2886 - Fix null query parameter handling in generated RestEasy Reactive clients QUARKUS-2887 - Podman on Windows needs one /, not two // prefix QUARKUS-2888 - Allow updating docs for older branches QUARKUS-2889 - [Guide] fix reactive-sql-clients startup method QUARKUS-2893 - Normalize uri template name to be a valid regex groupname QUARKUS-2895 - Support arrays in RESTEasy Reactive Resource methods 6. References: https://access.redhat.com/security/cve/CVE-2022-1471 https://access.redhat.com/security/cve/CVE-2022-3171 https://access.redhat.com/security/cve/CVE-2022-31197 https://access.redhat.com/security/cve/CVE-2022-41946 https://access.redhat.com/security/cve/CVE-2022-41966 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/cve/CVE-2022-42889 https://access.redhat.com/security/cve/CVE-2023-0044 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/articles/4966181 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.7 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZAkjydzjgjWX9erEAQjAvg//RwyYoQzWldCKwxRruyVYzW8TRSBdtc5u LU27GdLH7L+S7AcOEYnuypuBPswHBIP5Q9dbAhqyOOyuFv8EdorD5dHI22IZcMmp FFvAb+HJ5Eeanl2GEv3/rDPa6pm6e7yc95uqM4MW1a4jvGDqnOJLvhvrGa3TnoXw dEXGe9w66GghUoXb+ZUk65i7rMSfsDcXqtgxThYcXqsa/Aw7Qduny5dkGxsTy1Hv 9uT4Ru+hJA8lHxKFiB5Wpa8xs9kSaV0rlRatm7fxkOREI7oJN0L9UHLu6cgnY2sd YPrs3utt7WIDUhwZ9CCaPxUIdSXZUv3pvh1PHeeul0eqRbdJz32qDZth85suNHap tiLpu97q1TD8BVUMVFD5bh92cRfY5v3rnXfoNBS2rc7rWHiNuEwgsmli5qLGuCjv 39y16DTP4/8lDKYysSk5lMM4Nc88auRKy15g38TRWTPdqcHe1EtHBvKiL293u4g1 x7mfm+r/+ZaZ+fIEJjOIHHEHsTyR5wjrCJJLIN8/ZBA+paIFkBc1nhZ4GsgnRI56 mAK+Br2lCTWFOHPoaCfJlLbrc6Vath3mgAWgmS5E2ewyR9Unqk+0GBg9O37Tut5O +nnR12f3nqWAUyDIe2+9reJ7c5Fyd90Eb0L1Dr2iYflIEmA/peHDK/dM37RoIhyf SCyzvVeZWmA= =UMCw -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce