QDOCS-524

Add a note about CVE-2023-44487 being fixed in the 3.2 product release


      Scope of doc updates for this JIRA.

      Add a note to the 3.2 release notes to explain CVE-2023-44487 and some context around it.

      Note: We don't typically add the details of a CVE that is fixed in a previous/earlier release (e.g. 2.13.8 SP3), but have made an exception this time at the request of the Quarkus product manager and engineering team.

      Publishing preview doc links on PV2 for QE review:

      Context and content strategy/doc research information:

      Due to the high severity of CVE-2023-44487, program leads have agreed that we should communicate to Red Hat customers that the vulnerability is addressed in our upcoming RHBQ 3.2 GA release.

      As mentioned in previous discussions, we omit a list of security fixes in initial releases of new major product versions.

      According to a document recording the PgM's decisions around addressing CVE-2023-44487 (the Rapid Reset vulnerability) in Quarkus, RHBQ program-level leadership requests that we add a note to the RN expressly stating that this specific vulnerability is addressed in 3.2, for the following reasons.

      • The CVE fix has been applied downstream first, because the product build was already ready for the originally scheduled release. (This runs contrary to RHBQ's established upstream-first productization model, and was decided to ensure we can deliver the fix to our customers in the shortest possible time.)
      • The patch might not be recognized by automated security scanning tools, which could lead to false-positive vulnerability alerts on the customers' side. Because of this, there is no simple way for a customer to verify that the RHBQ 3.2 release does, in fact, contain the patch, which is why we opted to call it out explicitly in the RN.

      The document also contains a proposed formulation of the note:

      We usually do not include CVE information when we announce a new feature release, since CVEs are continuously fixed in previous versions. However, RHBQ 3.2.6 has an unusual CVE fix for a feature release, and we decided to highlight it here. Towards the end of the release cycle, a new security flaw in the HTTP/2 protocol was announced, named Rapid Reset (CVE-2023-44487). It impacted almost all products that handle HTTP/2 requests, and both previous and new versions of Quarkus are affected. To fix this for the 2.13 feature stream, we decided to backport fixes to the affected component, minimizing the impact of breaking changes. Since 3.2 was already ready to be released, we decided to also apply the source code fixes to 3.2. This may result in CVE scanning tools reporting false positives for this CVE. This is because scanning tools assume that fixes can only be applied to newer versions, but since Red Hat builds this from source, we can fix the issue in the current version using a new unique build number.

      142934-CCS-smanocha I don't think that we need QE test coverage for this since it is not a technical change, but I'll run the RN update by Thomas for review before we publish. WDYT?

              mpurcell@redhat.com Michelle Purcell
              ssitani Stefan Sitani (Inactive)