
Commit 0d70169

CVE fixes - February 2025
1 parent f928f3a commit 0d70169

1 file changed

+33
-0
lines changed

@@ -0,0 +1,33 @@
1+
---
2+
layout: post
3+
title: 'CVE fixes - February 2025'
4+
date: 2025-02-27
5+
tags: release
6+
synopsis: 'We released Quarkus 3.8.6.1 and 3.15.3.1 with various CVE fixes. Quarkus 3.19.1 already has the fixes.'
7+
author: gsmet
8+
---
9+
10+
Today, we released CVE fixes releases for Quarkus 3.8 LTS and 3.15 LTS to address several CVEs.
11+
12+
If you are using these versions and the mentioned components, the update is recommended.
13+
14+
These CVEs are already fixed in Quarkus 3.19.1,
15+
so if you are using a non-LTS version, please upgrade to Quarkus 3.19.1 (or to the closest LTS version if you are using an old version).
16+
17+
We addressed the following CVEs:
18+
19+
- https://nvd.nist.gov/vuln/detail/CVE-2025-24970[CVE-2025-24970] - Upstream Netty (only for 3.15)
20+
- https://nvd.nist.gov/vuln/detail/CVE-2025-1247[CVE-2025-1247] - Quarkus REST - Using field injection for request-scoped elements in REST resources not marked with the request scope could lead to concurrency issues.
21+
- https://nvd.nist.gov/vuln/detail/CVE-2024-12225[CVE-2024-12225] (embargo will be lifted soon) - WebAuthn - The callback endpoint was enabled by default. It now requires to be https://quarkus.io/version/3.15/guides/security-webauthn#configuration[explicitly configured].
22+
- https://nvd.nist.gov/vuln/detail/CVE-2025-1634[CVE-2025-1634] (not published yet) - RESTEasy Classic - RESTEasy Classic endpoints may be affected by memory leaks. If you are exposing REST endpoints publicly using the `quarkus-resteasy` extension, the update is highly recommended. Quarkus REST is **NOT** affected by this CVE.
23+
24+
== Come Join Us
25+
26+
We value your feedback a lot so please report bugs, ask for improvements... Let's build something great together!
27+
28+
If you are a Quarkus user or just curious, don't be shy and join our welcoming community:
29+
30+
* provide feedback on https://github.com/quarkusio/quarkus/issues[GitHub];
31+
* craft some code and https://github.com/quarkusio/quarkus/pulls[push a PR];
32+
* discuss with us on https://quarkusio.zulipchat.com/[Zulip] and on the https://groups.google.com/d/forum/quarkus-dev[mailing list];
33+
* ask your questions on https://stackoverflow.com/questions/tagged/quarkus[Stack Overflow].
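
Review bot: The post body (lines 10-15) never names the fixed releases; 3.8.6.1 and 3.15.3.1 appear only in the front-matter `synopsis` on line 6, so a reader who sees only the rendered body may not learn which version to move to on each LTS stream. Suggest naming them in the opening sentence, which would also let "CVE fixes releases" be reworded. On line 21, the WebAuthn entry describes a change of default (the callback endpoint is no longer enabled by default) but links only to the 3.15 guide, and the entry is not marked 3.15-only the way line 19 is; 3.8 users who rely on the callback endpoint need to know what to configure as well. "It now requires to be explicitly configured" would read better as "It must now be explicitly configured". The CVE-2025-24970 entry on line 19 is the only one without a description; a short phrase on what is affected would help readers decide whether the "mentioned components" wording on line 12 applies to them. Lines 21 and 22 link to NVD pages for CVEs described as under embargo or not published yet, so it is worth checking how those links behave at publication time.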
