- Bug
- Resolution: Done
- Major
- 2.7.6.GA
---
PVII preview of fixed content for QE: https://pantheon.corp.redhat.com/pantheon/preview/latest/5cbab82b-042a-4a68-ac5e-54901a9cc222?rerender=true
Task: Fix bad links to CVE JIRAs in Release notes.
Why? The Fixes section of the Red Hat build of Quarkus 2.7 release notes includes links to internal JIRAs that customers cannot access.
Agreed scope of JIRA:
After a discussion with the team today, we agreed that in the Security Fixes section of the Release notes for Quarkus, the CVE links must target the official Red Hat CVE support page, NOT the internal Quarkus JIRA.
We also agreed that the descriptions in the Quarkus release notes should match the CVE title verbatim as this increases findability.
When: Not urgent for 2.7.6 SP1 publish, but to be done async as soon as possible after the fix is released.
Extract of 2.7.6 GA problem:
8.1.2. Quarkus 2.7.5
- QUARKUS-1970 CVE-2021-43797 Netty: control chars in header names may lead to HTTP request smuggling
- QUARKUS-1902 CVE-2022-0981 Quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus
- QUARKUS-1842 CVE-2022-21724 PostgreSQL: jdbc-postgresql: Unchecked Class Instantiation when providing Plug-in Classes
- QUARKUS-1833 CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
- QUARKUS-1832 CVE-2022-21363 MySQL-connector-java: Difficult to exploit vulnerability allows a high privileged attacker with network access by using multiple protocols to compromise MySQL Connectors
- QUARKUS-1372 CVE-2021-3914 Smallrye-health-ui: persistent cross-site scripting in endpoint
- QUARKUS-1029 CVE-2021-29429 Gradle: information disclosure through temporary directory permissions
- QUARKUS-993 CVE-2021-29428 Gradle: local privilege escalation through system temporary directory
- QUARKUS-992 CVE-2021-29427 Gradle: repository content filters do not work in Settings pluginManagement
- QUARKUS-800 CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads
Issue links:
- clones: QUARKUS-2455 [Docs]: 2.7 release notes link to internal JIRAS (Closed)
- is related to: QUARKUS-2455 [Docs]: 2.7 release notes link to internal JIRAS (Closed)
- is related to: QUARKUS-2457 Enhance cryptic descriptions in 2.7 release notes (Closed)