CVEs + 3.6.9

Author: gsmet

_posts/2023-01-31-quarkus-3-7-released.adoc

@@ -3,7 +3,7 @@ layout: post
 title: 'Quarkus 3.7 - Java 17 baseline, Hibernate ORM 6.4, @MeterTag...'
 date: 2024-01-31
 tags: release
-synopsis: 'We released Quarkus 3.7 which requires Java 17+, updates to Hibernate ORM 6.4, supports Micrometer @MeterTag and much more.'
+synopsis: 'We released Quarkus 3.7 which requires Java 17+, updates to Hibernate ORM 6.4, supports Micrometer @MeterTag and much more. 3.6.9 was also released to address two CVEs.'
 author: gsmet
 ---
 
@@ -27,6 +27,13 @@ Major changes are:
 * https://github.com/quarkusio/quarkus/pull/38029[#38029] - Allow applications using quakus-info to contribute data to the /info using CDI
 * https://github.com/quarkusio/quarkus/pull/38066[#38066] - Drop Okhttp/Okio from BOM
 
+3.7.1 also fixes the following CVEs:
+
+- https://access.redhat.com/security/cve/CVE-2023-5675[CVE-2023-5675] Authorization flaw in Quarkus RESTEasy Reactive and Classic when `quarkus.security.jaxrs.deny-unannotated-endpoints` or `quarkus.security.jaxrs.default-roles-allowed` properties are used
+- https://access.redhat.com/security/cve/CVE-2023-6267[CVE-2023-6267] JSON payload getting processed prior to security checks when REST resources are used with annotations
+
+We also released 3.6.9 to address these issues in 3.6, in case you encounter problems updating to 3.7.
+
 As usual, this version also comes with bugfixes, performance improvements and documentation improvements.
 
 As mentioned in the previous minor announcement, we currently maintain two version streams in the community: