Red Hat Product Errata RHSA-2025:3376 - Security Advisory
Issued:
2025-04-02
Updated:
2025-04-02

RHSA-2025:3376 - Security Advisory

Synopsis

Important: Red Hat build of Quarkus 3.15.4 release and security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Description

This release of Red Hat build of Quarkus 3.15.4 includes the following CVE fix:

  • io.smallrye/smallrye-fault-tolerance-core: SmallRye Fault Tolerance [quarkus-3.15] (CVE-2025-2240)

For more information, see the release notes page listed in the References
section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat build of Quarkus Text-Only Advisories x86_64

Fixes

  • QUARKUS-5849 - Downgrade Kafka to version 3.7.1
  • QUARKUS-5844 - Bump hibernate-orm.version from 6.6.4.Final to 6.6.5.Final
  • QUARKUS-5843 - Fix PathTreeClassPathElement#toString() implementation
  • QUARKUS-5842 - Fix documentation for connecting to multiple devservice databases
  • QUARKUS-5841 - Update URL of swapi-graphql.netlify.app GraphQL endpoint
  • QUARKUS-5840 - Upgrade to Vert.x 4.5.12 and Netty 4.1.117.Final
  • QUARKUS-5839 - Replace the id label with a name label for Netty allocator
  • QUARKUS-5838 - Fix generate ca command in tls guide
  • QUARKUS-5837 - Properly get default value when handling OpenApiFilters
  • QUARKUS-5836 - Fix incorrect response code when media type is invalid
  • QUARKUS-5835 - Upgrade Hibernate ORM to 6.6.6.Final
  • QUARKUS-5834 - Fix and restore hibernate-reactive-mssql tests
  • QUARKUS-5833 - Ensure that the copied native executable has the executable permission when copied from the host to the container image.
  • QUARKUS-5832 - Upgrade to Hibernate ORM 6.6.7.Final
  • QUARKUS-5831 - Simplify and fix building the list of framework endpoints
  • QUARKUS-5830 - Avoid creating a timer when reconnectDelay is set to Max
  • QUARKUS-5829 - Don't assume context resolvers are always called from REST Client
  • QUARKUS-5828 - Register some date-related types for reflection for GraphQL clients
  • QUARKUS-5804 - Redis Client: fix NPE when constructing XPendingSummary
  • QUARKUS-5803 - Add missing @ConfigItem to FilterConfig
  • QUARKUS-5802 - Fix typo
  • QUARKUS-5801 - Elytron security LDAP: Document and test mapping of LDAP groups to SecurityIdentity roles
  • QUARKUS-5800 - Revert "[oracle-jdbc] Remove unnecessary conditionals from @BuildSteps in the Oracle JDBC extension"
  • QUARKUS-5799 - Fix: trust store config is overwritten by key store config while certificate reloading
  • QUARKUS-5798 - fix: possible NPE if data has not been set yet
  • QUARKUS-5797 - Copy `Configuration` when building a JAX-RS `Client`
  • QUARKUS-5796 - Register Db2 resource bundle classes for reflection
  • QUARKUS-5795 - Register Parallel Database Query related elements for reflection
  • QUARKUS-5794 - Remove erroneous state tracking from client readers/writers
  • QUARKUS-5793 - Fix Mongo health checks
  • QUARKUS-5792 - Update code to get Mandrel version from native executable
  • QUARKUS-5791 - Add FAQ about thread dumps in native reference guide
  • QUARKUS-5790 - Do not use grep -q when calculating the matrix
  • QUARKUS-5789 - Fix typos in deploying-to-kubernetes.adoc
  • QUARKUS-5788 - Use swapi.tech for The Star Wars API calls
  • QUARKUS-5787 - swapi.dev is down, use swapi.tech
  • QUARKUS-5786 - Docs: Correct sentence in Simplified MongoDB with Panache
  • QUARKUS-5785 - Fix how Vert.x routes are identified in metrics and OpenTelemetry
  • QUARKUS-5784 - Typo in ProxyConfig
  • QUARKUS-5783 - Typo in Proxy Configuration Guidance
  • QUARKUS-5781 - Fix matrix computation for Ubuntu 24
  • QUARKUS-5780 - Bump hibernate-reactive.version from 2.4.3.Final to 2.4.4.Final
  • QUARKUS-5779 - Unable to use custom handlers for HTTP OPTIONS method in subresources
  • QUARKUS-5778 - Docs: Correct word form in Native Applications Tips
  • QUARKUS-5777 - OpenTelemetry: fix the Redis instrumenter in case of a tainted connection
  • QUARKUS-5776 - Fix local proxy handling in REST Client module
  • QUARKUS-5775 - Bump org.hibernate.validator:hibernate-validator from 8.0.1.Final to 8.0.2.Final
  • QUARKUS-5773 - Ensure that jakarta json types can be deserialized in native mode
  • QUARKUS-5772 - Fix InjectionPointModifier for repeated annotations on method parameters; add grpc test
  • QUARKUS-5771 - Ensure request body is consumed so that multipart requests with large payloads never hang when exception happens before body is consumed
  • QUARKUS-5770 - Qute message bundles: fix localization of enums
  • QUARKUS-5769 - Upgrade to Hibernate ORM 6.6.4 / Reactive 2.4.3
  • QUARKUS-5768 - Qute: fix handling of missing properties in strict mode
  • QUARKUS-5767 - Pass secured method arguments into security checks for `@PreAuthorize` security annotation on SpringWeb endpoints
  • QUARKUS-5766 - Fixed an issue where annotations were not part of the Jandex index, if given in an external JAR
  • QUARKUS-5765 - Ensure that all our handlers extend `ExtHandler`
  • QUARKUS-5763 - Adjust logging level for JDBC resource leak warnings
  • QUARKUS-5762 - Micrometer exemplars on HTTP
  • QUARKUS-5760 - Include proto unzip directory as proto import directory argument for protoc

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.