Quarkus security releases for CVE-2023-4853

[giscus[bot]]

Quarkus security releases for CVE-2023-4853

Quarkus: Supersonic Subatomic Java

https://quarkus.io/blog/cve-2023-4853/

[marcelstoer]

Red Hat build of Quarkus 2.13.18.SP2 that fix the issue

Are you sure you didn't mean 2.13.8.SP2?

-> https://maven.repository.redhat.com/ga/com/redhat/quarkus/platform/quarkus-bom/2.13.8.SP2-redhat-00001/
-> https://access.redhat.com/errata/RHSA-2023:5170

It's an issue because the CVE says "cpe:2.3:a:quarkus:quarkus:::::::: Up to (excluding) 2.16.11"

[sberyozkin]

@marcelstoer

https://nvd.nist.gov/vuln/detail/CVE-2023-4853 shows correct CPEs, up to excl 2.16.11 is referring to the upstream 2.16.x line.

Red Hat build of Quarkus 2.13.18.SP2 is only a typo in the announcement text, it is shown correctly in the NVD page as up to excl 2.13.8

[marcelstoer]

a typo in the announcement text

Yes, that's why I left a comment.

The CVE reporting only on the upstream version (2.16.x) and thereby ignoring that RHBQ 2.13.8.SP2 also contains the fix is a different issue.