From 2b25e4982b00c54cebeb45c89804783d7a9e2738 Mon Sep 17 00:00:00 2001
From: Clement Escoffier
Date: Mon, 2 Oct 2023 13:23:40 +0200
Subject: [PATCH 1/6] Update Snappy to version 1.1.10.5

Fix CVE-2023-43642 (https://access.redhat.com/security/cve/CVE-2023-43642)

(cherry picked from commit c2fa0343cb71ae7641b78862ca0767b2d3b8d888)
---
 bom/application/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bom/application/pom.xml b/bom/application/pom.xml
index 80ca0d18d8a4f..60f55971f1d58 100644
--- a/bom/application/pom.xml
+++ b/bom/application/pom.xml
@@ -152,7 +152,7 @@
 2.3.1
 3.4.0
 1.8.0
- 1.1.10.1
+ 1.1.10.5
 0.100.0
 2.13.11

From 0c0247b0825a4e9e397be4af960f09fccaf1089f Mon Sep 17 00:00:00 2001
From: Guillaume Smet
Date: Tue, 3 Oct 2023 19:08:52 +0200
Subject: [PATCH 2/6] Fix title of upx.adoc

We shouldn't have any new lines between the header and the title.

(cherry picked from commit 3b18e24aecb70dd905aa26a799fdfb5f72ee86d8)
---
 docs/src/main/asciidoc/upx.adoc | 2 --
 1 file changed, 2 deletions(-)

diff --git a/docs/src/main/asciidoc/upx.adoc b/docs/src/main/asciidoc/upx.adoc
index b973e0f6d959a..58a3bb855cc26 100644
--- a/docs/src/main/asciidoc/upx.adoc
+++ b/docs/src/main/asciidoc/upx.adoc
@@ -3,9 +3,7 @@ This guide is maintained in the main Quarkus repository
 and pull requests should be submitted there:
 https://github.com/quarkusio/quarkus/tree/main/docs/src/main/asciidoc
 ////
-
 = Compressing native executables using UPX
-
 include::_attributes.adoc[]
 
 https://upx.github.io/[Ultimate Packer for eXecutables (UPX)] is a compression tool reducing the size of executables.

From b951e70a283cdbde4f6b21b7688668ec00cd6fe1 Mon Sep 17 00:00:00 2001
From: Clement Escoffier
Date: Tue, 10 Oct 2023 17:20:34 +0200
Subject: [PATCH 3/6] Update Netty to 4.1.100

Contains the fix for CVE-2023-44487.

(cherry picked from commit e9a563fb17371d279074d29d08989727eb45318c)
---
 bom/application/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bom/application/pom.xml b/bom/application/pom.xml
index 60f55971f1d58..e356adec06572 100644
--- a/bom/application/pom.xml
+++ b/bom/application/pom.xml
@@ -145,7 +145,7 @@
 14.0.11.Final
 4.6.2.Final
 3.1.5
- 4.1.94.Final
+ 4.1.100.Final
 1.12.0
 1.0.4
 3.5.1.Final

From 75c3cd880000b22a88dc3f740cc39a1ec6e5be8d Mon Sep 17 00:00:00 2001
From: Clement Escoffier
Date: Thu, 12 Oct 2023 09:39:58 +0200
Subject: [PATCH 4/6] Add a test case verifying the RST flood protection

(cherry picked from commit b3cd2bc4884bece55c435fca138682fcfb1549c9)
---
 .../http2/Http2RSTFloodProtectionTest.java | 104 ++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/http2/Http2RSTFloodProtectionTest.java

diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/http2/Http2RSTFloodProtectionTest.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/http2/Http2RSTFloodProtectionTest.java
new file mode 100644
index 0000000000000..abd5907d75465
--- /dev/null
+++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/http2/Http2RSTFloodProtectionTest.java
@@ -0,0 +1,104 @@
+package io.quarkus.vertx.http.http2;
+
+import static io.vertx.core.http.HttpMethod.GET;
+import static org.junit.jupiter.api.Assertions.fail;
+
+import java.io.File;
+import java.net.URL;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.event.Observes;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Assumptions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+import io.quarkus.test.common.http.TestHTTPResource;
+import io.quarkus.vertx.core.runtime.VertxCoreRecorder;
+import io.vertx.core.http.HttpClient;
+import io.vertx.core.http.HttpClientOptions;
+import io.vertx.core.http.HttpClientRequest;
+import io.vertx.core.http.HttpVersion;
+import io.vertx.core.net.JdkSSLEngineOptions;
+import io.vertx.ext.web.Router;
+
+/**
+ * Reproduce CVE-2023-44487.
+ */
+public class Http2RSTFloodProtectionTest {
+
+ @TestHTTPResource(value = "/ping", ssl = true)
+ URL sslUrl;
+
+ @TestHTTPResource(value = "/ping")
+ URL url;
+
+ @RegisterExtension
+ static final QuarkusUnitTest config = new QuarkusUnitTest()
+ .withApplicationRoot((jar) -> jar
+ .addClasses(MyBean.class)
+ .addAsResource(new File("src/test/resources/conf/ssl-jks.conf"), "application.properties")
+ .addAsResource(new File("src/test/resources/conf/server-keystore.jks"), "server-keystore.jks"));
+
+ @Test
+ void testRstFloodProtectionWithTlsEnabled() throws Exception {
+ Assumptions.assumeTrue(JdkSSLEngineOptions.isAlpnAvailable()); //don't run on JDK8
+ HttpClientOptions options = new HttpClientOptions()
+ .setUseAlpn(true)
+ .setProtocolVersion(HttpVersion.HTTP_2)
+ .setSsl(true)
+ .setTrustAll(true);
+
+ var client = VertxCoreRecorder.getVertx().get().createHttpClient(options);
+ int port = sslUrl.getPort();
+ run(client, port, false);
+ }
+
+ @Test
+ public void testRstFloodProtection() throws InterruptedException {
+ HttpClientOptions options = new HttpClientOptions()
+ .setProtocolVersion(HttpVersion.HTTP_2)
+ .setHttp2ClearTextUpgrade(true);
+ var client = VertxCoreRecorder.getVertx().get().createHttpClient(options);
+ run(client, url.getPort(), true);
+ }
+
+ void run(HttpClient client, int port, boolean plain) throws InterruptedException {
+ CountDownLatch latch = new CountDownLatch(1);
+ client.connectionHandler(conn -> conn.goAwayHandler(ga -> {
+ Assertions.assertEquals(11, ga.getErrorCode());
+ latch.countDown();
+ }));
+
+ if (plain) {
+ // Emit a first request to establish a connection.
+ // It's HTTP/1 so, does not count in the number of requests.
+ client.request(GET, port, "localhost", "/ping")
+ .compose(HttpClientRequest::send);
+ }
+
+ for (int i = 0; i < 250; i++) { // must be higher thant the NEtty limit (200 / 30s)
+ client.request(GET, port, "localhost", "/ping")
+ .onSuccess(req -> req.end().onComplete(v -> req.reset()));
+ }
+
+ if (!latch.await(10, TimeUnit.SECONDS)) {
+ fail("RST flood protection failed");
+ }
+ }
+
+ @ApplicationScoped
+ public static class MyBean {
+
+ public void register(@Observes Router router) {
+ router.get("/ping").handler(rc -> {
+ // Do nothing.
+ });
+ }
+
+ }
+}

From 4285d8b1b94f5ad8ea35f23301feb7fe5e6fb479 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 29 Sep 2023 22:11:00 +0000
Subject: [PATCH 5/6] Bump org.apache.avro:avro from 1.11.2 to 1.11.3 in /bom/application

Bumps org.apache.avro:avro from 1.11.2 to 1.11.3.

---
updated-dependencies:
- dependency-name: org.apache.avro:avro
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot]

(cherry picked from commit 1ea628a83e6257a6ed051f289679a6f1d9f02797)
---
 bom/application/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bom/application/pom.xml b/bom/application/pom.xml
index e356adec06572..5cdc34ed3e61c 100644
--- a/bom/application/pom.xml
+++ b/bom/application/pom.xml
@@ -205,7 +205,7 @@
 1.1.1.Final
 2.20.0
 1.3.0.Final
- 1.11.1
+ 1.11.3
 2.4.3.Final
 0.1.17.Final
 1.18.3

From e54c0e09edbd0457725fcca8fb7b63761d2b301b Mon Sep 17 00:00:00 2001
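Review bot: `Assertions.assertEquals(11, ga.getErrorCode())` in `run` executes inside the Vert.x goAway handler, so a mismatched error code throws on the event loop instead of failing the test; the latch is then never released and the test dies ten seconds later with the unrelated message "RST flood protection failed". Capture the code in the handler and assert it on the test thread after `latch.await`, and say what 11 is (0xb is ENHANCE_YOUR_CALM in RFC 7540); this needs `java.util.concurrent.atomic.AtomicLong` among the imports. The loop comment has typos and is worth fixing in the same pass: `// must be higher than the Netty limit (200 / 30s)`. Neither test closes the `HttpClient` it creates, so the connections could outlive the test and leak into the next one; a `client.close()` after `run` would avoid that. The whole file is in this hunk.

```java
CountDownLatch latch = new CountDownLatch(1);
AtomicLong goAwayCode = new AtomicLong(-1);
client.connectionHandler(conn -> conn.goAwayHandler(ga -> {
    goAwayCode.set(ga.getErrorCode());
    latch.countDown();
}));
// … unchanged: warm-up request for the h2c upgrade and the 250 request/reset loop …
if (!latch.await(10, TimeUnit.SECONDS)) {
    fail("RST flood protection failed");
}
// 0xb = ENHANCE_YOUR_CALM: the server sent GOAWAY because of the RST_STREAM rate
Assertions.assertEquals(11, goAwayCode.get());
```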
From: Georgios Andrianakis
Date: Wed, 6 Sep 2023 14:35:56 +0300
Subject: [PATCH 6/6] Fix generic handling of ParamConverter

Fixes: #35774

(cherry picked from commit c3479a053cc89bcf4c5d4e46f0115e3d37456c12)
---
 .../simple/GenericsParamConverterTest.java | 109 ++++++++++++++++++
 .../startup/RuntimeResourceDeployment.java | 2 +
 2 files changed, 111 insertions(+)
 create mode 100644 extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/simple/GenericsParamConverterTest.java

diff --git a/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/simple/GenericsParamConverterTest.java b/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/simple/GenericsParamConverterTest.java
new file mode 100644
index 0000000000000..f2ff7dd22e7cf
--- /dev/null
+++ b/extensions/resteasy-reactive/quarkus-resteasy-reactive/deployment/src/test/java/io/quarkus/resteasy/reactive/server/test/simple/GenericsParamConverterTest.java
@@ -0,0 +1,109 @@
+package io.quarkus.resteasy.reactive.server.test.simple;
+
+import static io.restassured.RestAssured.given;
+import static org.hamcrest.CoreMatchers.is;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.ext.ParamConverter;
+import jakarta.ws.rs.ext.ParamConverterProvider;
+import jakarta.ws.rs.ext.Provider;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+
+public class GenericsParamConverterTest {
+
+ @RegisterExtension
+ static QuarkusUnitTest test = new QuarkusUnitTest()
+ .withApplicationRoot((jar) -> jar
+ .addClasses(TestEnum.class, Wrapper.class,
+ WrapperParamConverterProvider.class, WrapperParamConverterProvider.WrapperParamConverter.class,
+ TestResource.class));
+
+ @Test
+ public void wrapper() {
+ given()
+ .when().get("/test/single?wrapper=ACTIVE")
+ .then()
+ .statusCode(200)
+ .body(is("ACTIVE"));
+ }
+
+ @Test
+ public void wrapperList() {
+ given()
+ .when().get("/test/list?wrapperList=INACTIVE&wrapperList=ACTIVE")
+ .then()
+ .statusCode(200)
+ .body(is("INACTIVE,ACTIVE"));
+ }
+
+ @Path("/test")
+ public static class TestResource {
+
+ @GET
+ @Path("/list")
+ public String list(@QueryParam("wrapperList") final List> wrapperList) {
+ return wrapperList.stream().map(w -> w.getValue().name()).collect(Collectors.joining(","));
+ }
+
+ @GET
+ @Path("/single")
+ public String single(@QueryParam("wrapper") final Wrapper wrapper) {
+ return wrapper.getValue().toString();
+ }
+ }
+
+ public enum TestEnum {
+ ACTIVE,
+ INACTIVE
+ }
+
+ public static class Wrapper> {
+ private final E value;
+
+ public Wrapper(final E value) {
+ this.value = value;
+ }
+
+ public E getValue() {
+ return value;
+ }
+ }
+
+ @Provider
+ public static class WrapperParamConverterProvider implements ParamConverterProvider {
+
+ @Override
+ @SuppressWarnings("unchecked")
+ public ParamConverter getConverter(final Class rawType, final Type genericType,
+ final Annotation[] annotations) {
+ if (Wrapper.class.isAssignableFrom(rawType)) {
+ return (ParamConverter) new WrapperParamConverter();
+ }
+ return null;
+ }
+
+ public static class WrapperParamConverter implements ParamConverter> {
+
+ @Override
+ public Wrapper fromString(String value) {
+ return new Wrapper<>(Enum.valueOf(TestEnum.class, value));
+ }
+
+ @Override
+ public String toString(Wrapper wrapper) {
+ return wrapper != null ? wrapper.getValue().toString() : null;
+ }
+ }
+ }
+}
diff --git a/independent-projects/resteasy-reactive/server/runtime/src/main/java/org/jboss/resteasy/reactive/server/core/startup/RuntimeResourceDeployment.java b/independent-projects/resteasy-reactive/server/runtime/src/main/java/org/jboss/resteasy/reactive/server/core/startup/RuntimeResourceDeployment.java
index f3ef562e331b5..452207eb3770d 100644
--- a/independent-projects/resteasy-reactive/server/runtime/src/main/java/org/jboss/resteasy/reactive/server/core/startup/RuntimeResourceDeployment.java
+++ b/independent-projects/resteasy-reactive/server/runtime/src/main/java/org/jboss/resteasy/reactive/server/core/startup/RuntimeResourceDeployment.java
@@ -527,6 +527,8 @@ private static void smartInitParameterConverter(int i, ParameterConverter quarku
 Type genericType = genericArguments[0];
 if (genericType instanceof Class) {
 genericTypeClassName = ((Class) genericType).getName();
+ } else if (genericType instanceof ParameterizedType) {
+ genericTypeClassName = ((ParameterizedType) genericType).getRawType().getTypeName();
 } else if (genericType instanceof WildcardType) {
 WildcardType genericTypeWildcardType = (WildcardType) genericType;
 Type[] upperBounds = genericTypeWildcardType.getUpperBounds();
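Review bot: The test class carries no comment tying it to the defect it guards, and `WrapperParamConverterProvider.getConverter` deliberately ignores `genericType` and `annotations`, matching on `Wrapper.class.isAssignableFrom(rawType)` alone, which a later reader may take for an oversight. Suggest the class Javadoc `/** Regression test for #35774: a ParamConverter registered for a generic type must be applied both to a single query parameter and to a List of that type. */` and, above the `isAssignableFrom` check, `// matching on the raw type is enough here; this converter only ever wraps TestEnum`. `fromString` goes through `Enum.valueOf`, so an unknown query value throws `IllegalArgumentException`; only valid values are exercised, which is acceptable for a regression test but should be said in the Javadoc so nobody reads the test as covering the error path.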
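Review bot: The new `ParameterizedType` branch keys `genericTypeClassName` on the raw type alone, so for an element type like `Wrapper<TestEnum>` (the case the new test exercises) the type arguments are dropped; presumably that is intentional, since the `Class` branch above cannot carry them either, but nothing in the code says so. Add `// only the raw type of a parameterized element type is used; its type arguments are ignored` above the new assignment. As a point of style, the `Class` branch calls `getName()` while this one calls `getTypeName()`; the two agree for a non-array class, which is what `getRawType()` returns in practice, so `((Class<?>) ((ParameterizedType) genericType).getRawType()).getName()` would make the symmetry between the branches explicit. `smartInitParameterConverter` begins before and ends after the hunk.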