[GHSA-25w4-hfqg-4r52] Quarkus: authorization flaw in quarkus resteasy reactive and classic #4525
Conversation
Should we hold off until they post something publicly or would you rather get the 3.2.10 data merged now and make a new PR for 3.8.x when there's a public reference?
TL;DR: versions CVE-2023-5675 was addressed by quarkusio/quarkus#38413 (or more specifically, the commits in quarkusio/quarkus#38414 which are included in that PR), which according to this comment broke the 3.6.8 build after being merged on This issue quarkusio/quarkus#38460 was raised to track that and it was closed on Quarkus 3.6.9, which was released on However, there's an exception: Quarkus 3.7.0 had already been released by then ( What @bschuhmann said about the patch being present in the current LTS stream (Quarkus 3.8.x) is true because all of the 3 commits in PR quarkusio/quarkus#38414 are present in the Quarkus 3.8 branch.
Thanks, @codespearhead for following up!
We are using the LTS version 3.8 and it was missing from this advisory so far. Instead only 3.9.0.RC1 was listed as patched. Maybe set patched version to 3.8.0 LTS then, which includes all newer versions - and since both 3.6.9 and 3.7.x are considerably behind current 3.11.x, it might be a good thing people using this version still get the alert - and when the alert says: patched in 3.8.0, they can decide to update to LTS or the latest release...
@darakian, would you mind updating the advisory accordingly, or should I open a new change request via UI (I think I can't make updates on this branch)? Thanks for the help!
Yes, I can get it fixed up on my end, but let me recap what I think I've read. We've got three new fixed versions introduced in this PR/thread (
Quick answer: yes. The Quarkus team however would prefer - I'd guess - if LTS version 3.8.0 would be mentioned as fixed version instead of outdated 3.6.9 or 3.7.1.
Hmmmm. Do you think a comment about 3.8.0 being a preferred upgrade in the description would suffice? I'd rather keep those version ranges with the backported fix if possible from a technical correctness standpoint.
(Table with columns "Accurate" and "Preferred"; its rows were not preserved in this copy.)
@codespearhead, what are your thoughts on adding a comment to the description mentioning that 3.8.x is preferred over 3.7.1/3.6.9?
I think that will suffice.
Merged facec15 into bschuhmann/advisory-improvement-4525
Hi @bschuhmann! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Awesome. The advisory is updated! Please give a ping if I missed something or you'd like a tweak 👍
See https://quarkus.io/blog/quarkus-3-2-10-final-released/, CVE-2023-5675 is mentioned as fixed in this release note. I've pinged them re 3.8.4/5 LTS and they have responded it should also be fixed in the current LTS stream - but I haven't found any written proof so far.