Closed bschuhmann closed 4 weeks ago
I've pinged them re 3.8.4/5 LTS and they have responded it should also be fixed in the current LTS stream
Should we hold off until they post something publicly or would you rather get the 3.2.10 data merged now and make a new PR for 3.8.x when there's a public reference?
TL;DR: versions 3.6.9 and >3.7.1 are patched, but I agree with their email response: putting 3.8.0 will help discourage users from using non-LTS releases in production.
CVE-2023-5675 was addressed by https://github.com/quarkusio/quarkus/pull/38413 (or more specifically, the commits in https://github.com/quarkusio/quarkus/pull/38414 which are included in that PR), which according to this comment broke the 3.6.8 build after being merged on 2024-01-27T08:42:36Z.
This issue https://github.com/quarkusio/quarkus/issues/38460 was raised to track that and it was closed on 2024-01-29T19:57:54Z.
Quarkus 3.6.9, which was released on 2024-01-29T21:05:52Z, contains only that patch in the release notes, so any version released after 3.6.9 contains the fix.
However, there's an exception: Quarkus 3.7.0 had already been released by then (2024-01-24T10:11:28Z), so Quarkus 3.7.1, which contains the patch, was released soon after on 2024-01-31T09:04:09Z.
What @bschuhmann said about the patch being present in the current LTS stream (Quarkus 3.8.x) is true because all of the 3 commits in PR https://github.com/quarkusio/quarkus/pull/38414 are present in the Quarkus 3.8 branch.
Thanks, @codespearhead for following up!
but I agree with their email response: putting 3.8.0 will help discourage users from using non-LTS releases in production
We are using the LTS version 3.8 and it was missing from this advisory so far. Instead only 3.9.0.RC1 was listed as patched. Maybe set patched version to 3.8.0 LTS then, which includes all newer versions - and since both 3.6.9 and 3.7.x are considerably behind current 3.11.x, it might be a good thing people using this version still get the alert - and when the alert says: patched in 3.8.0, they can decide to update to LTS or the latest release...
@darakian, would you mind updating the advisory accordingly, or should I open a new change request via UI (I think I can't make updates on this branch)? Thanks for the help!
Yes, I can get it fixed up on my end, but let me recap what I think I've read. We've got three new fixed versions introduced in this PR/thread (3.6.9, 3.7.1, and 3.2.10.Final) and the entire 3.8.x release should be unaffected. So, the change here would be to remove our current 3.9.0.CR1 patch versions and to add the three above with the ranges < 3.2.10.Final, >= 3.3.0, < 3.6.9, and >= 3.7.0, < 3.7.1. Correct?
Quick answer: yes. The Quarkus team however would prefer - I'd guess - if LTS version 3.8.0 would be mentioned as fixed version instead of outdated 3.6.9 or 3.7.1.
Hmmmm. Do you think a comment about 3.8.0 being a preferred upgrade in the description would suffice? I'd rather keep those version ranges with the backported fix if possible from a technical correctness standpoint.
| Affected version | Patched version |
|---|---|
| <3.2.10.Final | 3.2.10.Final |
| <3.6.9 | 3.6.9 |
| <3.7.1 | 3.7.1 |

| Affected version | Patched version |
|---|---|
| <3.2.10.Final | 3.2.10.Final |
| <3.8.0 | 3.8.0 |
@codespearhead, what are your thoughts on adding a comment to the description mentioning that 3.8.x is preferred over 3.7.1/3.6.9?
I think that will suffice.
Hi @bschuhmann! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Awesome. The advisory is updated! Please give a ping if I missed something or you'd like a tweak 👍
Updates
Comments: See https://quarkus.io/blog/quarkus-3-2-10-final-released/, CVE-2023-5675 is mentioned as fixed in this release note. I've pinged them re 3.8.4/5 LTS and they have responded it should also be fixed in the current LTS stream - but I haven't found any written proof so far.