RHSA-2026:1965 - Security Advisory

标题

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

描述

This release of Red Hat build of Quarkus 3.27.2 includes the following CVE fixes:

• common: Timing Attack Vulnerability in SCRAM Authentication [quarkus-3.27] (CVE-2025-59432)
• hibernate-reactive-core: Hibernate Reactive: Denial of Service due to connection leak on HTTP client disconnect [quarkus-3.27] (CVE-2025-14969)
• netty-codec-http: Netty (netty-codec-http): Request Smuggling via CRLF Injection [quarkus-3.27] (CVE-2025-67735)
• quarkus-rest: Quarkus REST Worker Thread Exhaustion Vulnerability [quarkus-3.27] (CVE-2025-66560)

For more information, see the release notes page listed in the References section.

解决方案

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

受影响的产品

• Red Hat build of Quarkus Text-Only Advisories x86_64

修复

• QUARKUS-6243 - Dedicated Dev UI interface to execute HQL (Hibernate ORM) queries
• QUARKUS-6552 - Add functionality to capture Quarkus application runtime data using JFR extension
• QUARKUS-7107 - [3.27] Exclude org.lz4:lz4-java in favor of at.yawk.lz4:lz4-java
• QUARKUS-7105 - [3.27] Record runtime configuration in its own ConfigSource
• QUARKUS-7101 - Make sure the project directory is normalized in LocalProject
• QUARKUS-7098 - gRPC: Avoid repeatedly starting call and closing call on a server call closed by custom interceptor
• QUARKUS-7095 - Use correct name for `org.graalvm.sdk:nativebridge` dependency
• QUARKUS-7090 - Re-try Maven resolver lock acquisition errors with a blocking task runner
• QUARKUS-7089 - Fix Docker Compose Dev Services NPE on Docker v29
• QUARKUS-7088 - StartupLogCompressor NULL checks
• QUARKUS-7086 - Fully disable Develocity capture of resource usage
• QUARKUS-7081 - Make `SseEventSink` work in native
• QUARKUS-7080 - Fix StreamingOutput connection reset on mid-stream errors
• QUARKUS-7079 - Filter for client imports on class level only when discovering Endpoints
• QUARKUS-7078 - Registry client option to set a low boundary for recommended streams on the client side
• QUARKUS-7075 - Mask some HTTP headers in the HTTP access log
• QUARKUS-7074 - Make sure local quarkus-versions config are effective when the default registry provides its own
• QUARKUS-7073 - ArC: fix subclass generation with not visible decorators
• QUARKUS-7071 - Fix OIDC TokenRevocation filter binding and improve request logging
• QUARKUS-7070 - Add OIDC CacheControl configuration
• QUARKUS-7067 - Update Njord to 0.9.2
• QUARKUS-7066 - [3.27] Bump the hibernate group with 7 updates
• QUARKUS-7065 - Bump snappy.version from 1.1.10.5 to 1.1.10.8
• QUARKUS-7064 - [3.27] Hibernate upgrades
• QUARKUS-7063 - Bump org.cyclonedx:cyclonedx-core-java from 9.0.5 to 11.0.1 in /bom/application
• QUARKUS-7062 - Bump com.github.ben-manes.caffeine:caffeine from 3.2.2 to 3.2.3
• QUARKUS-7061 - Update to slf4j-jboss-logmanager 2.0.2.Final
• QUARKUS-7060 - Bump maven to 3.9.11
• QUARKUS-7028 - Preview (dev-preview) status missing for quarkus-security-jpa extension in code.quarkus
• QUARKUS-6792 - [Migration 3.20 to 3.27]Failed to validate Schema: Schema-validation: wrong column type encountered in column
• QUARKUS-6715 - quarkus-langchain4j-core brings unproductized opennlp-tools on application classpath
• QUARKUS-6564 - Codestart generated with mongodb-rest-data-panache extension is unbuildable
• QUARKUS-6553 - Properly capture Quarkus information for JFR events

CVE

• CVE-2025-14969
• CVE-2025-59432
• CVE-2025-66560
• CVE-2025-67735

参考

• https://access.redhat.com/security/updates/classification/#moderate
• https://access.redhat.com/products/quarkus/
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=3.27.2
• https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27