Release Notes for Red Hat build of Quarkus 2.13

Guide

Red Hat build of Quarkus 2.13

Updated 26 January 2024
Published 15 December 2022

These release notes provide information about new features, notable technical changes, features in technology preview, bug fixes, known issues, and related advisories for Red Hat build of Quarkus 2.13. Information about upgrading and backward compatibility is also provided to help you transition from an earlier release.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

1. About Red Hat build of Quarkus

Red Hat build of Quarkus is a Kubernetes-native Java stack that is optimized for use with containers and Red Hat OpenShift Container Platform. Quarkus is designed to work with popular Java standards, frameworks, and libraries such as Eclipse MicroProfile, Eclipse Vert.x, Apache Camel, Apache Kafka, Hibernate ORM with Java Persistence API (JPA), and RESTEasy (JAX-RS).

As a developer, you can choose the Java frameworks you want for your Java applications, which you can run in Java Virtual Machine (JVM) mode or compile and run in native mode. Quarkus provides a container-first approach to building Java applications. The container-first approach facilitates the containerization and efficient execution of microservices and functions. For this reason, Quarkus applications have a smaller memory footprint and faster startup times.

Quarkus also optimizes the application development process with capabilities such as unified configuration, automatic provisioning of unconfigured services, live coding, and continuous testing that gives you instant feedback on your code changes.

For information about the differences between the Quarkus community version and Red Hat build of Quarkus, see Differences between the Quarkus community version and Red Hat build of Quarkus.

2. Differences between the Quarkus community version and Red Hat build of Quarkus

As an application developer, you can access two different versions of Quarkus: the Quarkus community version and the productized version, Red Hat build of Quarkus (RHBQ).

The following table describes the differences between the Quarkus community version and RHBQ.

Feature

Quarkus community version

Red Hat build of Quarkus version

Description

Access to the latest community features

Yes

No

With the Quarkus community version, you can access the latest feature developments.

Red Hat does not release RHBQ to correspond with every version that the community releases. The cadence of RHBQ feature releases is approximately every six months.

Enterprise support from Red Hat

No

Yes

Red Hat provides enterprise support for RHBQ only. To report issues about the Quarkus community version, see quarkusio/quarkus - Issues.

Access to long-term support

No

Yes

Each feature release of RHBQ is fully supported for approximately one year up until the next feature release. When a feature release is superseded by a new version, Red Hat continues to provide a further six months of maintenance support. For more information, see Support and compatibility.

Common Vulnerabilities and Exposures (CVE) fixes and bug fixes backported to earlier releases

No

Yes

With RHBQ, selected CVE fixes and bug fixes are regularly backported to supported streams. In the Quarkus community version, CVEs, and bug fixes are typically made available in the latest release only.

Tested and verified with Red Hat OpenShift Container Platform and Red Hat Enterprise Linux (RHEL)

No

Yes

RHBQ is built, tested, and verified with Red Hat OpenShift Container Platform and RHEL. Red Hat provides both production and development support for supported configurations and tested integrations according to your subscription agreement. For more information, see Red Hat build of Quarkus Supported Configurations.

Built from source using secure build systems

No

Yes

In RHBQ, the core platform and all supported extensions are provided by Red Hat using secure software delivery, which means that they are built from source, scanned for security issues, and with verified license usage.

Access to support for JDK and GraalVM Mandrel distribution

No

Yes

RHBQ supports certified OpenJDK builds and certified native executable builders. See admonition below. For more information, see Supported Configurations.

Red Hat build of Quarkus supports the building of native Linux executables by using a Red Hat build of Quarkus Native builder image, which is a productized distribution of Mandrel.

For more information, see Compiling your Quarkus applications to native executables. Building native executables by using Oracle GraalVM Community Edition (CE), Mandrel community edition, or any other distributions of GraalVM is not supported for Red Hat build of Quarkus.

3. New features, enhancements, and technical changes

This section provides an overview of the new features, enhancements, and technical changes introduced in Red Hat build of Quarkus 2.13.

3.1. Cloud

3.1.1. Introduced Kubernetes service binding support for Reactive SQL Clients

The Red Hat build of Quarkus 2.13 version introduced the Kubernetes service binding support for Reactive SQL clients.

The following extensions are added for service binding and are supported for workload projection:

quarkus-reactive-mssql-client
quarkus-reactive-mysql-client
quarkus-reactive-pg-client

For more information, see the Service Binding guide.

3.1.2. Microsoft JDBC Driver for SQL Server updated from 7.2.2.jre8 to 11.2.0.jre11

Red Hat build of Quarkus 2.13 updates the Microsoft JDBC Driver for SQL Server from mssql-jdbc-7.2.2.jre8.jar to mssql-jdbc-11.2.0.jre11.jar.

3.2. Core

3.2.1. Apache Kafka UI

Red Hat build of Quarkus 2.13 introduces a Kafka UI to the Dev UI.

If you configure a Quarkus application to use the quarkus-kafka-client extension and run it in development mode, the Kafka UI automatically connects to the Kafka instance.

With the Kafka UI, you can perform the following tasks:

Manage your Kafka cluster
List and create topics
Visualize records
Publish new records
Inspect consumer groups and their consumption lags

3.2.2. Changes to Java support

Increased support for Java 17

Red Hat build of Quarkus 2.13 increases support for Java 17 in the following ways:

Java 17 support for both native and JVM modes

Java 17 is now supported in Red Hat build of Quarkus 2.13 for both JVM and native modes. You can use Java 17 with Quarkus to build native executables for production. Before this update, building native executables by using Java 17 was supported as a Red Hat Technology Preview only.

Native executables are built by using Java 17

If you are building a native executable with Mandrel, Java 17 is used. Quarkus defaults to the Java 17 builder images when generating native executables regardless of whether your application was created with Java 11.

Red Hat continues to support Java 11 in Quarkus when used in JVM mode.

Quarkus code.quarkus.redhat.com defaults to Java 17

In Red Hat build of Quarkus 2.13, the code.quarkus.redhat.com project generator defaults to Java 17. To create a Quarkus project with Java 11, set the Java version in the CONFIGURE YOUR APPLICATION section of the quickstart configuration options.

For more information about supported Java and OpenJDK versions, log in to the Red Hat Customer Portal and see the Supported Configurations Knowledgebase solution.

Reduced support for Java 11 related to building a native executable

In Quarkus 2.13, Red Hat only provides support for building native executables based on the Java 17-based Mandrel 22.3 builder image. Even though other images are available in the community, they are not supported for use in production environments, so you should not use them for production builds for which you want Red Hat to provide support.

Applications whose source is written based on Java 11, with no Java 12 - 17 features used, can still compile a native executable of that application using the Java 17-based Mandrel 22.3 builder image. This means that the latest compatible and default Mandrel builder image, registry.access.redhat.com/quarkus/mandrel-22-rhel8:22.3, is capable of building any Java 17 or Java 11-based applications.

3.2.3. Eclipse Vert.x and Netty are upgraded

In Red Hat build of Quarkus 2.13, Eclipse Vert.x and Netty are upgraded to the following versions:

3.2.4. New plugin, `quarkus-extension-maven-plugin`, to replace `quarkus-bootstrap-maven-plugin`

In Red Hat build of Quarkus 2.13, the new plugin quarkus-extension-maven-plugin is introduced and replaces quarkus-bootstrap-maven-plugin, which is deprecated in Quarkus 2.13.

Update your Quarkus extension projects to use the new plugin by updating your project’s pom.xml files and changing the value of the artifactId property from quarkus-bootstrap-maven-plugin to quarkus-extension-maven-plugin.

3.2.5. RESTEasy Reactive JAXB context can now be customized

In Red Hat build of Quarkus 2.13, with the quarkus-resteasy-reactive-jaxb extension for RESTEasy Reactive, you can customize the Java Architecture for XML Binding (JAXB) context through JaxbContextCustomizer CDI beans.

For more information, see the Customize the JAXB configuration section in the Quarkus "Writing REST Services With RESTEasy Reactive" guide.

3.2.6. SmallRye Config secret keys support

When configuration properties contain passwords or other kinds of secrets, SmallRye Config can protect them to prevent accidental exposure of such values, for example, by outputting them into a log.

With this update, you can mark keys as secrets. Then, your application code can only read the value of the protected property after wrapping the read in a SecretKeys.doUnlocked call.

Red Hat build of Quarkus has plans to expand support for secrets in future releases, such as adding an encryption or hashing function to this feature.

3.2.7. Support for the Quiltflower decompiler

When you develop a Quarkus extension, Quarkus generates several classes, and in many cases, transforms existing classes during the build phase.

In Red Hat build of Quarkus 2.13, you can use the Quiltflower decompiler to debug and inspect the source code of these classes. This way, you can better understand the code and improve its quality, speed, and usability.

Before this update, the Fernflower decompiler was used. However, with the switch to Quiltflower, the Fernflower decompiler is deprecated in Quarkus 2.13.

To download and run the Quiltflower decompiler, update the application.properties file to set the quarkus.package.quiltflower.enabled property to true.

For more information about the Quiltflower decompiler, see the Quarkus Writing your own extension guide.

3.3. Data

3.3.1. Configure Hibernate Validator by registering `ValidatorFactoryCustomizer` beans

In Red Hat build of Quarkus 2.13, you can fully configure the ValidatorFactory by registering ValidatorFactoryCustomizer beans.

Before this update, you could only configure the ValidatorFactory by declaring replacement beans. As a result, some advanced configurations, such as overriding built-in constraint validators, were not possible.

For more information, see the Configuring the ValidatorFactory section of the Quarkus "Validation with Hibernate Validator" guide.

3.3.2. Dev Services for Elasticsearch

Red Hat build of Quarkus 2.13 introduces Dev Services for Elasticsearch, which means you no longer need to set up and configure a local Elasticsearch service while developing and testing your Quarkus applications.

If you are using Quarkus extensions that use Elasticsearch services, when you run your Quarkus application in development and test modes, Quarkus automatically provisions and starts an Elasticsearch container. Your application can instantly use the Elasticsearch services that are provided by Quarkus without you needing to set up and configure it first.

Furthermore, when using the Quarkus Hibernate Search extension with Elasticsearch Dev Services, the Elasticsearch schema is initialized on each new container instance and then re-initialized when the application restarts.

For more information about Dev Services for Elasticsearch, including configuration properties and limitations, see the following Quarkus community resources:

3.3.3. Dev Services for Infinispan

Red Hat build of Quarkus 2.13 includes further enhancements to Dev Services for Infinispan.

You can now configure caching on first access in the Infinispan client by setting attributes in the application.properties configuration file. The implementation of near caching in the Infinispan client has also been enhanced with the introduction of new configuration properties. For more information, see the Creating caches from the client section of the Quarkus "Infinispan Client" guide.

3.3.4. Generating a cache key by implementing the `CacheKeyGenerator` interface

Before this update, you could only access method arguments when generating the cache key.

With this update, you can access the name and arguments of the method annotated with @CacheResult or @CacheInvalidate. You can also inject external data into the generator implementation using Contexts and Dependency Injection (CDI).

You do this by implementing the io.quarkus.cache.CacheKeyGenerator interface and declaring that implementation in the keyGenerator field of a @CacheResult or @CacheInvalidate annotation.

Also, with this update, a Method object is automatically available in the generator implementation. This object provides information about, and access to, the method you annotated with the @CacheResult or @CacheInvalidate annotation. The primary reason for using the Method object is to retrieve the method name and use it as an element of the cache key.

Because most Method object methods are expensive, use them cautiously. However, its Method#getName method is both beneficial and inexpensive.

For more information, see the Generating a cache key with CacheKeyGenerator section of the Quarkus "Application Data Caching" guide.

3.3.5. Hibernate Search is easier to customize with the `@SearchExtension` annotation

Red Hat build of Quarkus 2.13 introduces the @SearchExtension annotation, which makes it easier for you to customize Hibernate Search.

Before this update, when you defined custom configurer beans for Hibernate Search by using annotations instead of configuration properties, you also had to reference the bean in the applications.properties file. With this update, you can define custom configurer beans in one step by just adding the @SearchExtension annotation. For example, to implement the analysis configurer bean for Hibernate Search, you had to complete the following steps:

You annotated the implementation for the AnalysisConfigurer:

@Dependent
@Named("myAnalysisConfigurer")
public class AnalysisConfigurer implements ElasticsearchAnalysisConfigurer {
    @Override
    public void configure(ElasticsearchAnalysisConfigurationContext context) {
        // ...
    }
}

You referenced your configurer bean from the application.properties file:

quarkus.hibernate-search-orm.elasticsearch.analysis.configurer=bean:myAnalysisConfigurer

With this update, using @SearchExtension, you no longer reference your custom bean in the application.properties file. You simply annotate the implementation:

@SearchExtension
public class AnalysisConfigurer implements ElasticsearchAnalysisConfigurer {
    @Override
    public void configure(ElasticsearchAnalysisConfigurationContext context) {
        // ...
    }
}

The syntax provided in the analysis bean example works for all of the following Hibernate Search bean reference configuration properties:

quarkus.hibernate-search-orm.background-failure-handler
quarkus.hibernate-search-orm.automatic-indexing.synchronization.strategy
quarkus.hibernate-search-orm.elasticsearch.layout.strategy
quarkus.hibernate-search-orm.elasticsearch.analysis.configurer

For more information, see the "Hibernate Search Guide" in the Quarkus community.

3.3.6. Quarkus Transaction API

Red Hat build of Quarkus 2.13 now supports the QuarkusTransaction API, which you can use to programmatically manage transactions in your applications. Instead of using the JTA UserTransaction API, you can now use the QuarkusTransaction API for more fine-grained control over your transactions and to ensure that transaction rollback is handled correctly on failure.

For more information about the QuarkusTransaction API, see Programmatic approach section in the "Using transactions in Quarkus" guide.

3.3.7. Spring Data REST extension released as a stable feature

Red Hat build of Quarkus 2.13 releases the Spring Data REST extension as a stable feature. Before this release, it was a preview feature.

With the Spring Data compatibility layer, you can use the Spring Data REST extension to simplify writing a REST layer for create, retrieve, update, and delete (CRUD) operations.

For more information, see the Quarkus Spring Data REST guide.

3.4. Logging

3.4.1. Changes to the way `quarkus.log.file.rotation.max-file-size` works

Before this update, when the quarkus.log.file.rotation.max-file-size parameter was not set:

If the quarkus.log.file.rotation.file-suffix parameter was set, Quarkus performed periodic log file rotation. However, due to LOGMGR-303, the file size limit was approximately 650 KB instead of the documented 10 MB.
If the quarkus.log.file.rotation.file-suffix parameter was not set, Quarkus did not perform file size log file rotation, and the file size grew continuously over time.

With this update, when the quarkus.log.file.rotation.max-file-size parameter is not set:

If the quarkus.log.file.rotation.file-suffix parameter is set, Quarkus performs periodic log file rotation, and the file size limit is 10 MB.
If the quarkus.log.file.rotation.file-suffix parameter is not set, Quarkus performs file size log file rotation, and the file size limit is 10 MB.

Table 1. Summary of changes to `quarkus.log.file.rotation.max-file-size` in 2.13
	`quarkus.log.file.rotation.max-file-size` set	`quarkus.log.file.rotation.max-file-size` not set (default)
`quarkus.log.file.rotation.file-suffix` set	No change: Periodic file size log rotation. Max file size is the set value.	Before this update: Periodic log file rotation. Due to LOGMGR-303, the file size limit was approximately 650 KB, not the documented 10 MB. With this update: Periodic log file rotation. File size limit is 10 MB.
`quarkus.log.file.rotation.file-suffix` not set (default)	No change: File size log rotation. Max file size is the set value.	Before this update: No file size log file rotation. The file size grew continuously over time. With this update: File size log file rotation. File size limit is 10 MB.

For more information, see the File logging section of the Quarkus "Configuring Logging" guide.

3.5. Messaging

3.5.1. SmallRye Reactive Messaging updated to version 3.16

In the Red Hat build of Quarkus 2.13, the SmallRye Reactive Messaging framework has been updated to version 3.16.

The following features are introduced:

Message processing that runs in its own context, which allows you to propagate data across the pipeline implicitly.
The initial version of the checkpointing API for Apache Kafka.
The ability to allow users to write custom failure and commit handlers for Apache Kafka.

3.5.2. Support for Qpid JMS extension

Quarkus supports adding the Qpid JMS extension as a part of the Quarkus applications and facilitates using the AMQP JMS client from Apache Qpid, including those using native executable builds.

Message brokers available for using JMS APIs with AMQP 1.0:

ActiveMQ Artemis
ActiveMQ 5
Microsoft Azure Service Bus
Qpid Broker-J
Qpid Dispatch router and more

To start using the extension:

Add the org.amqphub.quarkus:quarkus-qpid-jms module as a dependency in your project as follows:

<dependency>
    <groupId>org.amqphub.quarkus</groupId>
    <artifactId>quarkus-qpid-jms</artifactId>
</dependency>

Use the @Inject annotation to inject a ConnectionFactory Java Messaging Service (JMS) broker:
```
@Inject
ConnectionFactory connectionFactory;
```
Manage the connection factory configuration.

For a sample application usage of this extension, see the quarkus-qpid-jms-quickstart repository.

3.6. Security

3.6.1. OpenID Connect preconfigured providers

With this update, you can use the quarkus.oidc.provider configuration property to refer to well-known OpenID Connect and OAuth2 providers such as Apple, Facebook, GitHub, Google, Microsoft, Spotify, and Twitter.

When you use this property, you typically complete the configuration by setting the account-specific client id, client secret, and possibly some other properties.

This new capability makes using the OIDC Authorization Code Flow mechanism to protect Quarkus endpoints simpler and easier to implement.

For more information, see the Quarkus Configuring well-known OpenID Connect Providers guide.

3.6.2. Support for OIDC back-channel logout

Red Hat build of Quarkus 2.13 introduces support for a back-channel logout feature in the OpenID Connect (OIDC) extension.

With this update, OIDC providers that support this capability, like Keycloak, can do a global logout of users from all participating Quarkus applications.

To configure support for back-channel logout, go to the application.properties file and update the quarkus.oidc.logout.backchannel.path property.

For more information, see the following resources:

The Back-channel logout section of the “Quarkus OpenID Connect (OIDC) authorization code flow mechanism” guide
OpenID connect back-channel logout documentation

3.6.3. Support for Proof Key for Code Exchange (PKCE) in OIDC

This update adds support for Proof Key for Code Exchange (PKCE) to the Quarkus implementation of the OpenID Connect (OIDC) protocol.

PKCE minimizes the risk of authorization code interception for Quarkus web applications that use OIDC.

For more information, see the PKCE-related section of the Quarkus "OpenID Connect (OIDC) Authorization Code Flow Mechanism" guide.

3.7. Web

3.7.1. Added fine-grained control of HTTP compression for RESTEasy Reactive, Reactive Routes, and static resources

You can enable HTTP compression for specific media types by using the quarkus.http.compress-media-types configuration property, and for individual resource methods by using the io.quarkus.vertx.http.Compressed annotation. It is also possible to set the desired compression level.

For more information, see the HTTP Compression section of the Quarkus "Writing REST services with RESTEasy reactive" guide.

3.7.2. Additional HTTP Headers per path

With this update, you can configure your web application to return customized HTTP header values in response to requests received by specific resource paths.

For more information, see the Additional HTTP Headers per path section of the Quarkus "HTTP Reference" guide.

3.7.3. SmallRye GraphQL non-blocking support

In the Red Hat build of Quarkus 2.13, the SmallRye GraphQL API provides a reactive and non-blocking execution model and integrates with the Mutiny reactive programming model.

4. Support and compatibility

You can find detailed information about the supported configurations and artifacts that are compatible with Red Hat build of Quarkus 2.13 and the high-level support lifecycle policy on the Red Hat Customer Support portal as follows:

For a list of supported configurations, OpenJDK versions, and tested integrations, see Red Hat build of Quarkus Supported Configurations.
For a list of the supported Maven artifacts, extensions, and BOMs for Red Hat build of Quarkus, see Red Hat build of Quarkus Component Details.
For general availability, full support, and maintenance support dates for all Red Hat products, see Red Hat Application Services Product Update and Support Policy.

4.1. Product updates and support lifecycle policy

In Red Hat build of Quarkus, a feature release can be either a major or a minor release that introduces new features or support. Red Hat build of Quarkus release version numbers are directly aligned with Quarkus community project release versions. The version numbering of a Red Hat build of Quarkus feature release matches the community version that it is based on.

Red Hat does not release a productized version of Quarkus for every version the community releases. The cadence of the Red Hat build of Quarkus feature releases is about every six months.

Red Hat build of Quarkus provides full support for a feature release right up until the release of a subsequent version. When a feature release is superseded by a new version, Red Hat continues to provide a further six months of maintenance support for the release, as outlined in the following support lifecycle chart [Fig. 1].

Diagram that demonstrates the feature release cadence and support lifecycle of Red Hat build of Quarkus

Figure 1. Feature release cadence and support lifecycle of Red Hat build of Quarkus

During the full support phase and maintenance support phase of a release, Red Hat also provides 'service-pack (SP)' updates and 'micro' releases to fix bugs and Common Vulnerabilities and Exposures (CVE).

New features in subsequent feature releases of Red Hat build of Quarkus can introduce enhancements, innovations, and changes to dependencies in the underlying technologies or platforms. For a detailed summary of what is new or changed in a successive feature release, see New features, enhancements, and technical changes.

While most of the features of Red Hat build of Quarkus continue to work as expected after you upgrade to the latest release, there might be some specific scenarios where you need to change your existing applications or do some extra configuration to your environment or dependencies. Therefore, before upgrading Red Hat build of Quarkus to the latest release, always review the Changes that affect compatibility with earlier versions and Deprecated components and features sections of the release notes.

4.2. Tested and verified environments

Red Hat build of Quarkus 2.13 is available on the following versions of Red Hat OpenShift Container Platform and Red Hat Enterprise Linux 8, with the listed supported installation container images.

Please note the Tested and Supported columns for each CPU architecture. To get the support status of versions in the following table whose deployment environments are not tested, see Support of Red Hat Middleware products and components on Red Hat OpenShift Container Platform in the Red Hat Knowledgebase.

Table 2. Supported deployment environments for Red Hat build of Quarkus 2.13 on Red Hat OpenShift Container Platform and Red Hat Enterprise Linux
Platform	Architecture	Container Image / JVM	Tested	Supported
OpenShift Container Platform 4.10	AMD64 and Intel 64 (x86_64)	Red Hat OpenJDK 11 and Red Hat OpenJDK 17	Yes	Yes - See the Support article
OpenShift Container Platform 4.10	IBM Power (ppc64le) and IBM Z (s390x)	Red Hat OpenJDK 11	No	Yes - See the Support article
OpenShift Container Platform 4.12	IBM Power (ppc64le) and IBM Z (s390x)	Red Hat OpenJDK 11	Only IBM Power	Yes
OpenShift Container Platform 4.13	AMD64 and Intel 64 (x86_64)	Red Hat OpenJDK 11 and Red Hat OpenJDK 17	Yes	Yes
OpenShift Container Platform 4.13	IBM Power (ppc64le) and IBM Z (s390x)	Red Hat OpenJDK 11, Eclipse Temurin 11	Only IBM Z	Yes
Red Hat Enterprise Linux 8	AMD64 and Intel 64 (x86_64)	OpenJDK 11.x and OpenJDK 17.x, Eclipse Temurin 11.x and 17.x	Yes	Yes

Red Hat build of Quarkus 2.13 is supported on Red Hat OpenShift Dedicated running on AMD64 and Intel 64 (x86_64) architectures. Red Hat tests Quarkus only on the latest version of OpenShift Dedicated. The same "Container image/JVM" and "Supported" values apply for OpenShift Dedicated as for OpenShift Container Platform in the preceding table.
For a list of supported configurations, log in to the Red Hat Customer Portal and see the Knowledgebase solution Red Hat build of Quarkus Supported Configurations.

4.3. Development support

Red Hat provides development support for the following Red Hat build of Quarkus features, plugins, extensions, and dependencies:

Features

Continuous Testing
Dev Services
Dev UI
Local development mode
Remote development mode

Plugins

Maven Protocol Buffers Plugin

4.3.1. Development tools

Red Hat provides development support for using Quarkus development tools, including the Quarkus CLI and the Maven and Gradle plugins, to prototype, develop, test, and deploy Red Hat build of Quarkus applications.

Red Hat does not support using Quarkus development tools in production environments. For more information, see the Red Hat Knowledgebase article Development Support Scope of Coverage.

5. Deprecated components and features

The components and features listed in this section are deprecated with Red Hat build of Quarkus 2.13. They are included and supported in this release. However, no enhancements will be made to these components and features, and they might be removed in the future.

For a list of the components and features that are deprecated in this release, log in to the Red Hat Customer Portal and view the Red Hat build of Quarkus Component Details page.

5.1. Deprecation of `quarkus-bootstrap-maven-plugin`

The plugin, quarkus-bootstrap-maven-plugin, is deprecated in Red Hat build of Quarkus 2.13 in favor of quarkus-extension-maven-plugin, which is introduced in Quarkus 2.13.

5.2. Deprecation of `quarkus-reactive-routes` extension

The quarkus-reactive-routes extension is deprecated in Red Hat build of Quarkus 2.13 in favor of the Reactive Routes extension from Eclipse Vert.x. Red Hat continues to support the quarkus-reactive-routes extension in Quarkus 2.13; however, users are encouraged to use RESTEasy Reactive or the Vert.x router directly.

For more information, see the following resources:

Quarkus Writing REST services with RESTEasy Reactive guide
The Using the Vert.x web router section of the Quarkus "Using Reactive routes" guide

5.3. Deprecation of `quarkus-resteasy-mutiny` extension

The quarkus-resteasy-mutiny extension is deprecated in Red Hat build of Quarkus 2.13. You can start using the quarkus-resteasy-reactive extension instead.

5.4. Deprecation of SmallRye Metrics

Quarkus adopted Micrometer to resolve SmallRye Metrics issues during advanced use cases and offer a less intrusive way to monitor Quarkus applications.

5.5. Deprecation of SmallRye OpenTracing

SmallRye OpenTracing is now considered deprecated, and it is anticipated that this technology will be removed in a future version of Quarkus. The recommended technology for tracing and telemetry in your Quarkus applications is now OpenTelemetry.

6. Technology Previews

This section lists features and extensions that are now available as a Technology Preview in Red Hat build of Quarkus 2.13.

Technology Preview features are not supported with Red Hat production service level agreements (SLAs), might not be functionally complete, and Red Hat recommends that you do not use them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about Red Hat Technology Preview features, see Technology Preview Features Scope.

6.1. Support for Hibernate Reactive

In Red Hat build of Quarkus 2.13, Hibernate Reactive continues to be provided as a Technology Preview feature.

Hibernate Reactive is a reactive API for Hibernate Object Relational Mapper (ORM). Hibernate Reactive supports non-blocking database drivers, which means your applications can interact with relational databases in a reactive way.

For a list of all extensions and dependencies that are available as a Technology Preview in Red Hat build of Quarkus, log in to the Red Hat Customer Portal and see the Knowledgebase solution Red Hat build of Quarkus Component Details.

7. Changes that affect compatibility with earlier versions

This section describes changes in Red Hat build of Quarkus 2.13 that affect the compatibility of applications built with earlier product versions.

Review the breaking changes introduced in this release, and take the necessary actions to ensure that when you upgrade your existing applications to Red Hat build of Quarkus 2.13, they continue to function after the upgrade.

7.1. AssertJ is no longer included in the Red Hat build of Quarkus BOM

To prevent compatibility issues with the AssertJ binary, from version 2.13, the AssertJ library has been removed from the Red Hat build of Quarkus BOM artifact. In previous releases, if you ran tests compiled with an older version of AssertJ, this caused problems with the version included in the Quarkus BOM.

To use the AssertJ library in your application, define the version of AssertJ in your POM manually as outlined in the following example:

<dependency>
    <groupId>org.assertj</groupId>
    <artifactId>assertj-core</artifactId>
    <version>3.22.0</version>
</dependency>

7.2. Database Dev Services use the same database name, username, and password

This update makes the database name and login credentials the same for most databases.

The PostgreSQL, MariaDB, MySQL, IBM Db2, and H2 databases use the following values:

Database name: quarkus
Username: quarkus for the default data source or name of the data source
Password: quarkus

Because the Dev Service for Microsoft SQL Server does not support these changes, it uses the following values:

Database name: none
Username: SA
Password: Quarkus123

You can override these values for Dev Services that support it by using the following configuration parameters or environment variables.

Configuration parameter

Environment variable

Database name

quarkus.datasource.devservices.db-name

QUARKUS_DATASOURCE_DEVSERVICES_DB_NAME

Username

quarkus.datasource.devservices.username

QUARKUS_DATASOURCE_DEVSERVICES_USERNAME

Password

quarkus.datasource.devservices.password

QUARKUS_DATASOURCE_DEVSERVICES_PASSWORD

For more information, see the Connect To Database Run as a Dev Service section of the "Dev Services for Databases" guide.

7.3. H2 database upgraded to version 2.1

In Red Hat build of Quarkus 2.13, the in-memory H2 database is upgraded from version 1.4 to 2.1.

With this version upgrade, H2 adds new reserved keywords, such as user, value, and timestamp. If you already use these keywords in your existing column names, you must adjust your database model, for example, by changing the column name to user_, timestamp_, or value_.

Alternatively, you might need to switch to a container approach for testing and use the same database you use in production instead of an H2 database.

For more information about H2, refer to H2 database documentation.

7.4. Hibernate ORM MariaDB dialect updated to 10.6

With this update, by default, Hibernate ORM uses the MariaDB image for dialect 10.6.

If you are using MariaDB dialect 10.3, 10.4, or 10.5, override the default by setting the quarkus.hibernate-orm.dialect property in the application.properties file to quarkus.hibernate-orm.dialect=org.hibernate.dialect.MariaDB103Dialect.

For more information, see the Dialect related configuration section of the Quarkus "Using Hibernate ORM and Java Persistence API (JPA)" guide. Also, see the Package org.hibernate.dialect package summary of the "Hibernate ORM aggregated JavaDocs" documentation.

7.5. Hibernate Search `quarkus.hibernate-search-orm.*` configuration property changes

This update changes the behavior of the quarkus.hibernate-search-orm.enabled configuration property. Before this update, it enabled Hibernate Search at run time. With this update, it enables Hibernate Search at build time.

This update also adds the quarkus.hibernate-search-orm.active configuration property, which enables Hibernate Search at run time.

Review configuration files containing the quarkus.hibernate-search-orm.enabled property, such as ./src/main/resources/application.properties, and update them to reflect these changes.

Similarly, this update changes the behavior of the QUARKUS_HIBERNATE_SEARCH_ORM_ENABLED environment variable and adds the QUARKUS_HIBERNATE_SEARCH_ORM_ACTIVE environment variable. If needed, update any references to the QUARKUS_HIBERNATE_SEARCH_ORM_ENABLED environment variable to reflect these changes.

For more information, see the Main Configuration section of the Quarkus "Hibernate Search" guide.

7.6. HTTP compression settings are now fixed at build time

In Red Hat build of Quarkus 2.13, the behavior of HTTP compression settings is changed. With this update, HTTP compression settings are delivered at build time as configuration settings, and it is no longer possible to overwrite these settings at runtime. Specifying HTTP compression settings at build time means you can further optimize your application configuration according to your requirements.

Not all HTTP responses are compressed by default. You can enable HTTP compression support by setting the quarkus.http.enable-compression configuration property to true. If the client does not support HTTP compression, the response body is not compressed.

For more information about the HTTP compression updates, see the New features, enhancements, and technical changes section and the following HTTP update, HTTP responses are compressed based on configuration property settings and media type.

Additional resources

Quarkus HTTP reference guide
Quarkus Writing REST services with RESTEasy reactive guide
Quarkus Using reactive routes guide

7.7. Red Hat build of Quarkus does not compress all HTTP responses when `quarkus.http.enable-compression=true`

For RESTEasy Reactive, Reactive Routes, and static resources, an HTTP response is only compressed if the Content-Type header is set and the value is a compressed media type, as configured by using the quarkus.http.compress-media-types property.

By default, the following media types are compressed:

text/html
text/plain
text/xml
text/css
text/javascript
application/javascript

7.8. `@InjectMock` annotation might require additional qualifiers

In Red Hat build of Quarkus 2.13, the @InjectMock annotation, which is available in the quarkus-junit5-mockito extension, uses a javax.enterprise.inject.spi.BeanManager#getBeans() method internally to get the set of beans that is eligible for an @InjectMock injection point.

Before this update, due to an issue with the BeanManager#getBeans() method, if you did not specify a qualifier, any bean that matched the required type was eligible for injection. As a result, a test that injected a mock of a bean with a qualifier other than @Default and did not specify this qualifier succeeded.

With this update, you must specify a qualifier if a bean for which the mock is injected declares a qualifier other than @Default. As a result, a test fails if it injects a mock of a bean with a qualifier other than @Default but does not specify the value of this qualifier.

7.9. `quarkus.datasource.devservices` has been replaced with `quarkus.datasource.devservices.enabled`

The quarkus.datasource.devservices configuration property, which was deprecated in Red Hat build of Quarkus 2.7, is now removed.

To disable Dev Services for relational databases, use the quarkus.datasource.devservices.enabled property instead.

For more information, see the Enabling / Disabling Dev Services for Database section of the Quarkus "Dev Services for Databases" guide.

7.10. `quarkus.http.allow-forwarded` and `quarkus.http.proxy-address-forwarding` have been replaced with `quarkus.http.proxy.allow-forwarded` and `quarkus.http.proxy.proxy-address-forwarding`

The deprecated quarkus.http.allow-forwarded and quarkus.http.proxy-address-forwarding configuration properties have been removed.

To run Quarkus behind a reverse proxy, use the quarkus.http.proxy.allow-forwarded and quarkus.http.proxy.proxy-address-forwarding properties instead.

The quarkus.http.proxy configuration properties provide significantly more features than the proxy-related properties that have been removed.

For more information, see the Running behind a reverse proxy section of the Quarkus "HTTP Reference" guide.

7.10.1. `quarkus.http.root-path` prepended to `@TestHTTPResource`

This update prepends the value of the quarkus.http.root-path configuration property to the URI value of the @TestHTTPResource annotation.

When you use the @TestHTTPResource annotation to inject a URI into a test, the value of the quarkus.http.root-path configuration property precedes the URI.

For example, in a Hello World application, if you define @ApplicationPath("/hello") and @TestHTTPResource("index.html"); and set quarkus.http.root-path=/root; when you run the application in dev mode, it has the following URL: http://localhost:8080/root/hello.

For more information, see:

The Injecting a URI section in the "Testing Your Application" guide.
The Configuring the Context path section of the "HTTP Reference" guide.

7.11. Red Hat does not offer a Java 11-based image for Mandrel 22.3

With this update, Red Hat does not offer a Java 11-based Red Hat build of Quarkus Native builder image for Mandrel 22.3.

To compile applications into native executables, replace earlier Java 11-based images with a Java 17-based Red Hat build of Quarkus Native builder image.

The Java 17-based Red Hat build of Quarkus Native builder image is compatible with most Java 11 applications and works for most production native executable builds. However, in rare cases, it might cause build failures. One such case is when the native executable build is part of an incremental or multi-stage build process.

Red Hat does not offer technical support for the Quarkus community Java 11-based Mandrel 22.3 base image.

7.12. Request Context-related changes in SmallRye Reactive Messaging

Before this update, consuming methods of Reactive Messaging were called with an active CDI request context, which was inadvertently propagated, and was never terminated.

With this update, Quarkus corrects this behavior and ensures the request context is not activated unnecessarily on message-consuming methods. Code relying on the presence of the RequestScoped beans might need to start a request scope explicitly; for example, using @ActivateRequestContext annotation on the message-consuming method.

When the method is not already called on an existing request context, using the @ActivateRequestContext annotation on a method creates a request context.
When a new request context is created for the annotated method, it is destroyed at the end of the method execution. This is similar to the completion of the returned Uni or CompletionStage. This effectively disposes of request-scoped beans bound to the request content.

7.13. Removal of the `quarkus-undertow-websockets` extension

In Red Hat build of Quarkus 2.13, the community version of the io.quarkus:quarkus-undertow-websockets extension has been removed. Red Hat provides bug fixes and support only through the end of the Red Hat build of Quarkus 2.7 lifecycle. As an alternative to the io.quarkus:quarkus-undertow-websockets extension, you can use the WebSockets Client (io.quarkus:quarkus-websockets-client) and WebSockets Server (io.quarkus:quarkus-websockets) extensions, which are based on the WebSockets protocol implementation in Eclipse Vert.x.

For more information, see the Creating the Maven project section of the Quarkus "Using WebSockets" guide.

7.14. REST layer changes related to creating new projects

The following REST layer behavior was changed in Red Hat build of Quarkus 2.13:

A REST layer is no longer forced on you when creating applications.
The RESTEasy Reactive extension is not automatically added when creating new projects.
When you create an application without extensions and with the Code examples option enabled, Quarkus now adds RESTEasy Reactive automatically to demonstrate a REST Quarkus application.

7.15. RESTEasy Reactive is the new default REST layer

When you create new applications by using Red Hat build of Quarkus, the quarkus-resteasy-reactive property is now selected by default instead of quarkus-resteasy.

RESTEasy Reactive supports both traditional blocking workloads and reactive workloads. Depending on the return types of your endpoint’s methods, RESTEasy Reactive chooses the paradigm that fits.

Example:

Returning MyEntity will make the endpoint blocking.
Returning Uni<MyEntity> will make the endpoint reactive.

For more information, see the Quarkus Writing REST Services with RESTEasy Reactive guide.

7.16. SmallRye GraphQL API endpoints now act as a @Singleton bean by default

Before this update, the default scope attached to a @GraphQLApi endpoint was @Dependent. With this update, to be aligned with REST endpoints, @GraphQLApi acts as a @Singleton bean, unless you explicitly add a scope annotation to your endpoint.

7.17. SmallRye Stork extension configuration properties moved to the Quarkus namespace

In Red Hat build of Quarkus 2.13, you must now configure properties for the SmallRye Stork extension in the quarkus. namespace.

Before this update, you configured the SmallRye Stork extension by using properties with the stork.my-service prefix. With this update, you must prefix these properties with quarkus, for example, quarkus.stork.my-service.

The following example shows a sample configuration of the SmallRye Stork extension by using some of the available SmallRye Stork configuration properties:

quarkus.stork.my-service.service-discovery.type=consul
quarkus.stork.my-service.service-discovery.consul-host=localhost
quarkus.stork.my-service.service-discovery.consul-port=8500
quarkus.stork.my-service.load-balancer.type=least-response-time
quarkus.stork.my-service.load-balancer.use-secure-random=true

For more information about SmallRye Stork and its configuration properties, see All configuration options in the Quarkus community or SmallRye Stork documentation.

7.18. Some OpenTracing libraries code moved to SmallRye OpenTracing

Relevant OpenTracing libraries code for the deprecated OpenTracing feature was migrated to the SmallRye OpenTracing repository because the code is no longer maintained by the OpenTracing community. The Java package of this code was changed, but the code remains the same.

However, the migrated code consists of private APIs and unless you are using some of these APIs, this change does not affect your applications. To avoid a breaking change, use an implemented API built on top of OpenTracing libraries.

This change affects only the applications that use non-public APIs from the opentracing-contrib library. Users who use APIs with the org.eclipse.microprofile.opentracing.Traced annotation are not affected.

It is anticipated that OpenTracing technology will be replaced by OpenTelemetry in a future version of Quarkus. The recommended technology for tracing and telemetry in your Quarkus applications is now OpenTelemetry.

7.19. Support for path-specific authentication for OIDC web-app applications added

Red Hat build of Quarkus 2.13 introduces path-based authentication for OpenID Connect (OIDC) web-app applications.

With this update, if your Quarkus application combines multiple authentication mechanisms, including the OIDC authorization code mechanism, you must specify the quarkus.http.auth.permission.<policy-name>.auth-mechanism=code property in the application.property file instead of quarkus.http.auth.permission.<policy-name>.auth-mechanism=bearer.

Before this update, such a combination of JWT bearer token and OIDC authorization code flow mechanisms was not possible.

For example, if you use the quarkus-smallrye-jwt extension to provide a JWT bearer-token authentication mechanism to authenticate requests to the /management endpoint and an OIDC authorization code flow mechanism to authenticate requests to the /web-app endpoint, set the following properties:

quarkus.http.auth.permission.webapp.paths=/web-app
quarkus.http.auth.permission.webapp.policy=authenticated
quarkus.http.auth.permission.webapp.auth-mechanism=code
quarkus.http.auth.permission.management.paths=/management
quarkus.http.auth.permission.management.policy=authenticated
quarkus.http.auth.permission.management.auth-mechanism=bearer

7.20. The `OpenTelemetryClientFilter` telemetry is not forced to be enabled for the REST Client

Before this update, a user needed to enable OpenTelemetry Tracing to create Spans for the javax.ws.rs.client.ClientBuilder.newClient() client when creating the programmatic javax.ws.rs.client.Client filter with that client.

Red Hat build of Quarkus 2.13 introduces a solution in which the user does not have to explicitly register OpenTelemetryClientFilter when creating a programmatic or injected REST client. The underlying Vert.x client used by the REST Client Reactive now adds the OpenTelemetry instrumentation and simplifies the client’s creation.

8. Bug fixes

Quarkus 2.13 provides increased stability and includes fixes to bugs that have a significant impact on users.

To get the latest fixes for Red Hat build of Quarkus, ensure you are using the latest available version, which is 2.13.9.SP1.

8.1. Security fixes

The following CVEs have been resolved in Red Hat build of Quarkus 2.13:

Red Hat build of Quarkus 2.13.9.SP1

CVE-2023-5675 io.quarkus.resteasy.reactive/resteasy-reactive: quarkus: Authorization flaw in Quarkus RestEasy Reactive and Classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used
CVE-2023-6267 io.quarkus/quarkus-resteasy: quarkus: JSON payload getting processed prior to security checks when REST resources are used with annotations

Red Hat build of Quarkus 2.13.9

CVE-2023-6393 Vulnerability in Quarkus cache runtime: Context switching issue in @CacheResult usage
CVE-2023-39410 Apache Avro Java SDK: Memory when deserializing untrusted data in the Avro Java SDK
CVE-2023-35887 Apache Mina SSHD: Information exposure in SFTP server implementations
CVE-2023-43642 Snappy Java: Resolved a potential Denial of Service (DoS) vulnerability by implementing an upper bound check on chunk length
CVE-2023-31582 Jose4j: Enhanced the iteration count setting, strengthening security measures and mitigating associated risks
CVE-2023-34453 Snappy Java: Integer overflow in shuffle leads to DoS
CVE-2023-34454 Snappy Java: Integer overflow in compress leads to DoS
CVE-2023-34455 Snappy Java: Unchecked chunk length leads to DoS
CVE-2023-2976 Guava: Insecure temporary directory creation
CVE-2023-34462 Netty: SniHandler 16MB allocation leads to OOM

Red Hat build of Quarkus 2.13.8.SP3

CVE-2023-44487 HTTP/2: Multiple HTTP/2-enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

Red Hat build of Quarkus 2.13.8.SP2

CVE-2023-4853 Quarkus Security Policy Bypass

Red Hat build of Quarkus 2.13.8

CVE-2023-26053 gradle: Usage of long IDs for PGP keys is unsafe and is subject to collision attacks

CVE-2022-3782 keycloak: Path traversal via double URL encoding
CVE-2023-0481 io.quarkus-quarkus-parent: quarkus: Insecure permissions on temp files
CVE-2023-0482 RESTEasy: Creation of insecure temp files
CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
CVE-2023-28867 graphql-java: Crafted GraphQL query causes stack consumption
CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
CVE-2022-3171 protobuf-java: Timeout in parser leads to DoS
CVE-2022-4116 quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names

CVE-2022-37734 graphql-java: DoS by malicious query
CVE-2022-42003 jackson-databind: Deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
CVE-2022-42004 jackson-databind: Use of deeply nested arrays
CVE-2022-42889 commons-text, apache-commons-text: Variable interpolation RCE
CVE-2022-41946 jdbc-postgresql, postgresql-jdbc: PreparedStatement.setText(int, InputStream) Creates a temporary file if the InputStream is larger than 2k
CVE-2023-0044 quarkus-vertx-http: A cross-site attack may be initiated, which might lead to the Information Disclosure
CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
CVE-2022-45047 sshd-common, mina-sshd: Java unsafe deserialization vulnerability

8.2. Other enhancements and bug fixes

Red Hat build of Quarkus 2.13.8

QUARKUS-2214 Ban org.javassist:javassist
QUARKUS-2221 Platform generator should auto-add constraints that are required by one participant and managed by another
QUARKUS-2230 Introduce OpenShift-based CI runs in upstream
QUARKUS-2238 Crash in Chrome tab on code.quarkus.io and code.quarkus.redhat.com
QUARKUS-2246 Integrate Vertx HTTP extension with custom CredentialsProvider
QUARKUS-2284 OpenShift Serverless is requesting that we support it when using OpenShift Serverless Functions
QUARKUS-2328 Promote Qute Templating from TP to full support
QUARKUS-2329 Promote RESTEasy Reactive Qute from TP to full support
QUARKUS-2330 Promote RESTEasy Qute from TP to full support
QUARKUS-2331 Promote the Kubernetes Config extension from TP to full support
QUARKUS-2332 Drop TP support for the Reactive DB2 client
QUARKUS-2335 Applications consuming more CPU resources with Quarkus native builds
QUARKUS-2349 Fully support Java 17 and drop Java 11 for Native application
QUARKUS-2367 Move Funqy extension(s) needed by OpenShift Serverless to Supported status
QUARKUS-2387 Promote Mailer extension from TP to full support
QUARKUS-2388 Promote Spring Data REST from TP to full support
QUARKUS-2389 Promote OpenID Connect Client Filter Reactive from TP to full support
QUARKUS-2390 Promote quarkus-hibernate-orm-rest-data-panache extension from TP to full support
QUARKUS-2392 Drop Tech Preview support for RESTEasy Mutiny
QUARKUS-2393 Drop Tech Preview for Mutiny support for REST Client extension
QUARKUS-2394 Drop TP for OpenTelemetry Jaeger exporter
QUARKUS-2395 Drop TP from Security JPA extension
QUARKUS-2396 Drop TP for Eclipse Vert.x GraphQL
QUARKUS-2453 Deprecate quarkus-reactive-routes extension
QUARKUS-2473 Repositories declared in quarkus-platform-config-2.13.0.CR1-redhat-00001.pom
QUARKUS-2478 Update Microsoft SQL JDBC driver to 11.2.0.jre11
QUARKUS-2479 SmallRye Config SecretKeys support
QUARKUS-2480 Introduce @SearchExtension to configure Hibernate Search through annotated beans
QUARKUS-2481 Allow to provide custom configuration for JAXB context
QUARKUS-2482 Deprecate quarkus-bootstrap-maven-plugin in favor of quarkus-extension-maven-plugin
QUARKUS-2483 Kubernetes service binding support for Reactive SQL clients
QUARKUS-2484 SmallRye Reactive Messaging 3.16
QUARKUS-2485 SmallRye GraphQL non-blocking support
QUARKUS-2486 Keycloak bumped to 18
QUARKUS-2487 Compression support for Reactive Routes and RESTEasy Reactive
QUARKUS-2489 OIDC Back channel logout
QUARKUS-2490 Add HTTP headers for specific paths
QUARKUS-2491 OIDC - Support for Proof Of Key for Code Exchange (PKCE)
QUARKUS-2492 QuarkusTransaction API
QUARKUS-2538 List products that Quarkus depends on as part of the productization process
QUARKUS-2558 Day -9: [Eng] Check if EARF and ProdSec need to be updated
QUARKUS-2592 NPE in OIDC BackChannelLogoutHandler
QUARKUS-2672 Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
QUARKUS-2693 Keycloak container can not start in devmode
QUARKUS-2706 Quarkus CLI failes to resolve extension catalog for io.quarkus:quarkus-bom
QUARKUS-2758 Upgrade flapdoodle to 3.5.2 and add it to Dependabot
QUARKUS-2759 Ensure an appropriate generic type is used with RestResponse
QUARKUS-2760 Add HTTPS port configuration in the HTTP reference guide
QUARKUS-2761 Rename method names in virtual threads doc
QUARKUS-2762 Create directories when syncing doc branches for the website
QUARKUS-2763 Fix broken markup for a list in the security guide
QUARKUS-2764 Upgrade narayana to 5.13.1.Final
QUARKUS-2765 Set higher timeout for Misc 4 native job
QUARKUS-2766 Quartz - add a backward compatibility note
QUARKUS-2767 Compile application classes before test classes
QUARKUS-2768 Fixed code in stork-reference.adoc
QUARKUS-2769 Fix compilation error in virtual threads doc
QUARKUS-2770 Update latest brew openjdk package
QUARKUS-2771 Bump com.gradle.plugin-publish from 1.0.0 to 1.1.0 in /devtools/gradle
QUARKUS-2772 Fixed error in Stork guide
QUARKUS-2773 Fix IsDockerWorking class not using TestContainersStrategy
QUARKUS-2774 Use Mandrel by default for container build
QUARKUS-2775 Doc: Fix statement about CA certs embedding
QUARKUS-2776 Correct typos and code style on the Virtual Threads guide
QUARKUS-2777 Generate a temporary uber-jar in case the target already exists instead of deleting it right away
QUARKUS-2778 Demote the "test dir mapping" log message to debug
QUARKUS-2779 Fix table entries in documentation
QUARKUS-2780 Register all implementation of ExtensionAdapter in Kubernetes client extension
QUARKUS-2781 Replace deprecated properties in JReleaser descriptor
QUARKUS-2782 Fix compilation error in virtual threads doc
QUARKUS-2783 Ensure that aroundInvoke interceptors get the correct method parameters
QUARKUS-2784 Document that Mandrel 22.3 does not provide a -java11 image anymore
QUARKUS-2785 When propagating the duplicated context, drop the request scope
QUARKUS-2786 Propagate the javax.annotation.security annotations in REST Data
QUARKUS-2787 Rest Data Panache: Correct Open API integration
QUARKUS-2788 Support setting the RolesAllowed in the Panache REST Data extension
QUARKUS-2789 Properly allow mixing @QuarkusTest and @QuarkusMainTest
QUARKUS-2790 Switch native GC policy from space/time to adaptive (default)
QUARKUS-2829 Internal support for Micrometer metrics when using managed Vert.x in Quarkus
QUARKUS-2835 Disable DuplicatedContextTest#testThatBlockingEventConsumersAreCalledOnDuplicatedContext on Windows
QUARKUS-2836 Reduce Config startup footprint
QUARKUS-2837 Backport Vert.x Metrics support
QUARKUS-2838 OpenTelemetry - Fix missing char
QUARKUS-2839 Propagate security annotations in the Spring Data Rest for all methods
QUARKUS-2840 Ensure that TestMojo resolves test-scoped dependencies
QUARKUS-2841 MultiPartConfig in HTTP Vert.x extension is insufficiently documented
QUARKUS-2842 CompletableFuture smart dispatch support
QUARKUS-2843 Change quarkus-cache extension status to stable
QUARKUS-2844 Switch from system property to hard-coded line separator for Panache query
QUARKUS-2845 Fix some typos in the building native image documentation
QUARKUS-2846 Ensure that new line chars don’t break Panache projection
QUARKUS-2847 Always store the raw model in the cache while loading a workspace
QUARKUS-2925 Different versions in code.quarkus and maven repository
QUARKUS-2978 ExceptionMapper<WebApplicationException> is not working in DEV mode
QUARKUS-3158 Do not create session and PKCE encryption keys if only bearer tokens are expected
QUARKUS-3159 2.13: Do not support any Origin by default if CORS is enabled
QUARKUS-3161 Fix security-csrf-prevention.adoc
QUARKUS-3163 Update codestarts to use openjdk container images 1.15
QUARKUS-3164 Logging with Panache: fix LocalVariablesSorter usage
QUARKUS-3167 Make SDKMAN releases minor for maintenance and preview releases
QUARKUS-3168 Backport Ensure that ConfigBuilder classes work in native mode to 2.13
QUARKUS-3169 New home for Narayana LRA coordinator Docker images
QUARKUS-3170 Fix truststore REST Client config when password is not set
QUARKUS-3173 Reinitialize sun.security.pkcs11.P11Util at runtime
QUARKUS-3174 Prevent SSE writing from potentially causing accumulation of headers
QUARKUS-3175 Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
QUARKUS-3176 Ensure that parent modules are loaded into workspace before those that depend on them
QUARKUS-3177 Fix copy paste error in qute docs
QUARKUS-3178 Pass --userns=keep-id to Podman only when in rootless mode
QUARKUS-3179 Fix stuck HTTP2 request when sent challenge has resumed request
QUARKUS-3180 Use the effective Maven project build config when initializing sources and classes paths for dev mode
QUARKUS-3181 Ensure that quarkus:go-offline properly supports test scoped dependencies
QUARKUS-3182 [2.13.x] - Update 2.13 to use the new container images
QUARKUS-3184 Use "SchemaType.ARRAY" instead of "ARRAY" for native support
QUARKUS-3185 Simplify logic in create-app.adoc and allow to define stream
QUARKUS-3187 Allow context propagation for OpenTelemetry
QUARKUS-3188 Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest
QUARKUS-3191 Drop ':z' bind option when using MacOS and Podman
QUARKUS-3194 Exclude Netty’s reflection configuration files
QUARKUS-3195 Integrate the api dependency from Infinispan 14 (#ISPN-14268)

9. Known issues

This section lists known issues with Red Hat build of Quarkus 2.13.

9.1. Using CDI interceptors to resolve multitenant OIDC configuration fails due to security fix in version 2.13.9.SP1

Description

The security fix implemented in Red Hat build of Quarkus 2.13.9.SP1 to address CVE-2023-6267 introduced a breaking change.

This breaking change is relevant only when using multiple OIDC providers with RestEasy Classic and occurs if you use Context and Dependency Injection (CDI) interceptors to programmatically resolve OIDC tenant configuration identifiers.

Before this fix, CDI interceptors ran before authentication checks. After introducing the fix, authentication occurs before CDI interceptors are triggered. Therefore, using CDI interceptors to resolve multiple OIDC provider configuration identifiers no longer works. RestEasy Reactive applications are not affected.

Workaround

Use the quarkus.oidc.TenantResolver method to resolve the current OIDC configuration tenant ID.

For more information, see the Resolving tenant identifiers with annotations section of the Quarkus “Using OpenID Connect (OIDC) multitenancy” guide.

9.2. Red Hat build of Quarkus 2.13.9 does not support domain sockets

Red Hat build of Quarkus 2.13.x and 3.2 do not support native transport and associated features. Thus, the use of the native epoll or io_uring transports and the use of domain sockets, which require native transport, are also not supported.

9.3. HTTP security bypass issue when using path-based rules to protect HTTP endpoints

Before Red Hat build of Quarkus version 2.13.8.SP2, a security issue CVE-2023-4853 exists whereby an attacker could potentially bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

If you have secured the HTTP endpoints of your Quarkus applications by using path-based rules, you must ensure that your Quarkus applications are updated to Red Hat build of Quarkus 2.13.8.SP2. Alternatively, follow the workaround options provided by the Red Hat Product Security Center.

For more information about this security issue and for detailed instructions about the different mitigation options, see the Mitigation section of the Red Hat Security Bulletin RHSB-2023-002.

9.4. User experience side-effect with CORS filter

Description

With Red Hat build of Quarkus 2.13.8.SP1, the Vert.x cross-origin resource sharing (CORS) filter, Vert.x HTTP CORS, is stricter and denies same-origin requests when the filter has not been explicitly configured to accept such origins.

Workaround

Configure the filter to accept same-origin requests. For example, if you host a Quarkus application on https://my.org that includes an HTML page, and the page contains JavaScript that posts updates back to https://my.org, you must apply the following configuration in the application.properties file to allow same-origin requests:

quarkus.http.cors=true
quarkus.http.cors.origins=https://my.org

Configuring the Vert.x HTTP CORS filter to allow the same host origins is now required due to a side-effect of fixing CVE-2022-4147 quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus.

Red Hat is evaluating whether to relax this requirement in a future release of Red Hat build of Quarkus.

10. Advisories related to this release

Before you start using and deploying Red Hat build of Quarkus 2.13, review the advisories about enhancements, bug fixes, and CVE fixes for other technologies and services related to the release.

10.5. Red Hat build of Quarkus 2.13.8

11. Quarkus metering labels for Red Hat OpenShift

You can add metering labels to your Quarkus pods and check Red Hat subscription details with the OpenShift Metering Operator.

Do not add metering labels to any pods that an operator or a template deploys and manages.
You can apply labels to pods using the Metering Operator on OpenShift Container Platform version 4.8 and earlier. From version 4.9 onward, the Metering Operator is no longer available without a direct replacement.

Quarkus can use the following metering labels:

com.company: Red_Hat
rht.prod_name: Red_Hat_Runtimes
rht.prod_ver: YYYY-Q1
rht.comp: "Quarkus"
rht.comp_ver: 2.13.9
rht.subcomp_t: application

Additional resources

Configuring and using Metering in OpenShift Container Platform

Revised on 2024-01-26 05:00:23 UTC

Legal Notices for Trademarks

Topics included in this guide

Quick Links

Help

Site Info

Related Sites

Systems Status

About

Red Hat legal and privacy links

Red Hat legal and privacy links