RHSA-2025:8258 - Security Advisory

标题

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

描述

This release of Red Hat build of Quarkus 3.20.1 includes the following CVE fix:

• io.netty/netty-handler: SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine [quarkus-3.20] (CVE-2025-24970)

For more information, see the release notes page listed in the References section.

解决方案

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

受影响的产品

• Red Hat build of Quarkus Text-Only Advisories x86_64

修复

• QUARKUS-5950 - Upgrade Agroal to 2.6
• QUARKUS-6128 - Use same Docker prune location everywhere
• QUARKUS-6173 - Bump org.hibernate.reactive:hibernate-reactive-core from 2.4.6.Final to 2.4.7.Final
• QUARKUS-6167 - WebSockets Next: make sure non-websocket connections are ignored
• QUARKUS-6163 - Use JDK 21 for build reporting
• QUARKUS-6155 - Fail build when multiple HttpSecurityPolicies with same name are detected
• QUARKUS-6154 - Bump smallrye-open-api.version from 4.0.9 to 4.0.10
• QUARKUS-6149 - Optimise path decoding in RoutingUtils
• QUARKUS-6147 - RunnerClassLoader - Return URL with an ending / if resource ending with /
• QUARKUS-6146 - Properly support Optional as a header param for REST Client
• QUARKUS-6140 - Disable checks related to unsupported bytecode enhancement in Hibernate ORM
• QUARKUS-6138 - Bump all SmallRye projects that have a new Jandex index
• QUARKUS-6137 - Jandex: reindex if the index is too new
• QUARKUS-6136 - WebSockets Next: fix the server autoPing timer
• QUARKUS-6133 - Bump Hibernate Reactive from 2.4.5.Final to 2.4.6.Final
• QUARKUS-6132 - Allow to disable log rotation
• QUARKUS-6130 - Set request timeout on OTel gRPC sender
• QUARKUS-6129 - Add a bit more context when we can't read Jandex index
• QUARKUS-6127 - Bump wildfly-elytron.version from 2.6.2.Final to 2.6.3.Final
• QUARKUS-6126 - Jandex: upgrade to 3.3.0
• QUARKUS-6125 - Update to Stork 2.7.3
• QUARKUS-6124 - Postpone Stork shutdown
• QUARKUS-6119 - Ignore GraalVM features in HibernateValidatorProcessor
• QUARKUS-6118 - Move JGit dependency to `quarkus-build-parent`
• QUARKUS-6117 - Qute: section parameters are now separated by one or more whitespaces
• QUARKUS-6116 - Qute: fix nested literal separator in a virtual method parameter
• QUARKUS-6114 - Fix ClassCastException when ResourceMethod with same method name exist
• QUARKUS-6112 - quarkus-tls-registry 'javax.net.ssl' causes "java.lang.IllegalStateException: No CN or OU in O=xxx,C=xxx" and crashs quarkus application starts
• QUARKUS-6111 - Make sure default platforms recommended by registries have higher preferences than those referenced from downstream platforms
• QUARKUS-6109 - Fix constructor search for Qute template records
• QUARKUS-6106 - Fix the OIDC opaque token check
• QUARKUS-6105 - Qute: ignore type-safe fragments for param declarations
• QUARKUS-6103 - Fix container binary strategy returning with non-zero exit code
• QUARKUS-6102 - Correctly handle trust managers when no trust manager matching the SNI name can be found
• QUARKUS-6101 - Make TlsConfiguration#getName a default method
• QUARKUS-6099 - Bump smallrye-open-api.version from 4.0.8 to 4.0.9
• QUARKUS-6097 - OpenAPI: disable example merging by default (Swagger UI regression)
• QUARKUS-6095 - Make ObjectMapper/JsonbProducer unremovable if json mapper is required by ORM
• QUARKUS-6094 - SmallRye GraphQL - Allow execution model annotations on @Resolver methods
• QUARKUS-6092 - Bump smallrye-graphql.version from 2.12.1 to 2.12.2
• QUARKUS-6091 - Resolved the UnsupportedOperationException in TlsConfigUtils when setting ALPN false
• QUARKUS-6090 - Bump Quarkiverse parent version to 19
• QUARKUS-6089 - Bump wildfly-elytron.version from 2.6.1.Final to 2.6.2.Final
• QUARKUS-6088 - Bump wildfly-elytron.version from 2.6.0.Final to 2.6.1.Final
• QUARKUS-5981 - Websocket.next - default serialization fails on native
• QUARKUS-5664 - TLS - Enable Policy Configuration for Expired or Not Yet Valid Certificates
• QUARKUS-5660 - Allow to create static OIDC tenants programmatically

CVE

• CVE-2025-24970

参考

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/articles/4966181
• https://access.redhat.com/products/quarkus/
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=3.20.1
• https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20/html-single/release_notes_for_red_hat_build_of_quarkus_3.20/index#ref_rn-updates-for-3-20-1_quarkus-release-notes