====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Quarkus 2.13.8 release and security update
Advisory ID:       RHSA-2023:3809-01
Product:           Red Hat build of Quarkus
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3809
Issue date:        2023-06-29
CVE Names:         CVE-2022-45787 CVE-2023-0481 CVE-2023-0482 
                   CVE-2023-1436 CVE-2023-1584 CVE-2023-2974 
                   CVE-2023-26053 CVE-2023-28867 
====================================================================
1. Summary:

An update is now available for Red Hat build of Quarkus. Red Hat Product
Security has rated this update as having a security impact of Moderate. A
Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability. For more
information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Quarkus 2.13.8 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page
listed in the References section.

Security Fixes:

* CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray [quarkus-2]

* CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is
subject to collision attacks [quarkus-2]

* CVE-2023-28867 graphql-java: crafted GraphQL query causes stack
consumption [quarkus-2]

* CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the
authorization code flow [quarkus-2]

* CVE-2023-0482 RESTEasy: creation of insecure temp files [quarkus-2]

* CVE-2022-3782 keycloak: path traversal via double URL encoding
[quarkus-2]

* CVE-2023-0481 io.quarkus-quarkus-parent: quarkus: insecure permissions on
temp files [quarkus-2]

* CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure
in MIME4J TempFileStorageProvider [quarkus-2]

For more information about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, see the CVE links
listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks
2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol

5. JIRA issues fixed (https://issues.redhat.com/):

QUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
QUARKUS-2787 - Rest Data Panache: Correct Open API integration
QUARKUS-2846 - Ensure that new line chars don't break Panache projection
QUARKUS-2978 - ExceptionMapper is not working in DEV mode
QUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected
QUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled
QUARKUS-3161 - Fix security-csrf-prevention.adoc
QUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage
QUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases
QUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13
QUARKUS-3169 - New home for Narayana LRA coordinator Docker images
QUARKUS-3170 - Fix truststore REST Client config when password is not set
QUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime
QUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers
QUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
QUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them
QUARKUS-3177 - Fix copy paste error in qute docs
QUARKUS-3178 - Pass `--userns=keep-id` to podman only when in rootless mode
QUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request
QUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies
QUARKUS-3184 - Use SchemaType.ARRAY instead of "ARRAY" for native support
QUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream
QUARKUS-3187 - Allow context propagation for OpenTelemetry
QUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest
QUARKUS-3191 - Drop ':z' bind option when using MacOS and Podman
QUARKUS-3194 - Exclude Netty's reflection configuration files
QUARKUS-3195 - Integrate the api dependency from Infinispan 14  (#ISPN-14268)
QUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8.

6. References:

https://access.redhat.com/security/cve/CVE-2022-45787
https://access.redhat.com/security/cve/CVE-2023-0481
https://access.redhat.com/security/cve/CVE-2023-0482
https://access.redhat.com/security/cve/CVE-2023-1436
https://access.redhat.com/security/cve/CVE-2023-1584
https://access.redhat.com/security/cve/CVE-2023-2974
https://access.redhat.com/security/cve/CVE-2023-26053
https://access.redhat.com/security/cve/CVE-2023-28867
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/
https://access.redhat.com/articles/4966181

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
