
Red Hat: RHSA-2019-0136-01 Moderate: JBoss EAP SAML Issue

January 22, 2019
A recent security patch for Red Hat JBoss Enterprise Application Platform version 7.2.0 resolves multiple vulnerabilities and introduces improvements.
Updated packages that provide Red Hat JBoss Enterprise Application Platform 7.2.0, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.2 on Red Hat Enterprise Linux 6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1, and includes bug fixes and enhancements, which are documented in the Release Notes, linked to in the References.
Security Fix(es):
* picketlink: SAML request parser replaces special strings with system properties (CVE-2017-2582)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat).

References

https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/updates/classification#moderate
https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.1
https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/index

Package List

Red Hat JBoss EAP 7.2 for RHEL 6 Server:
Source:
eap7-1-13.el6eap.src.rpm
eap7-activemq-artemis-2.6.3-3.redhat_00014.1.el6eap.src.rpm
eap7-aesh-extensions-1.6.0-2.redhat_00001.1.el6eap.src.rpm
eap7-aesh-readline-1.10.0-1.redhat_00001.1.el6eap.src.rpm
eap7-agroal-1.3.0-1.redhat_00001.1.el6eap.src.rpm
eap7-antlr-2.7.7-54.redhat_7.1.el6eap.src.rpm
eap7-apache-commons-beanutils-1.9.3-5.redhat_1.1.el6eap.src.rpm
eap7-apache-commons-cli-1.3.1-3.redhat_2.1.el6eap.src.rpm
eap7-apache-commons-codec-1.10.0-6.redhat_5.1.el6eap.src.rpm
eap7-apache-commons-collections-3.2.2-9.redhat_2.1.el6eap.src.rpm
eap7-apache-commons-io-2.5.0-4.redhat_3.1.el6eap.src.rpm
eap7-apache-commons-lang-3.6.0-1.redhat_1.1.el6eap.src.rpm
eap7-apache-commons-lang2-2.6.0-1.redhat_7.1.el6eap.src.rpm
eap7-apache-cxf-3.2.5-3.redhat_00001.1.el6eap.src.rpm
eap7-apache-cxf-xjc-utils-3.2.2-1.redhat_00001.1.el6eap.src.rpm
eap7-apache-mime4j-0.6.0-4.redhat_7.1.el6eap.src.rpm
eap7-artemis-native-2.6.3-10.redhat_00014.el6eap.src.rpm
eap7-artemis-wildfly-integration-1.0.2-4.redhat_1.1.el6eap.src.rpm
eap7-atinject-1.0.0-3.redhat_6.1.el6eap.src.rpm
eap7-avro-1.7.6-7.redhat_2.1.el6eap.src.rpm
eap7-azure-storage-6.1.0-1.redhat_1.1.el6eap.src.rpm
eap7-bouncycastle-1.60.0-1.redhat_00001.1.el6eap.src.rpm


Advisory ID: RHSA-2019:0136-01
Product: Red Hat JBoss Enterprise Application Platform
Issue date: 2019-01-22

Topic

Updated packages that provide Red Hat JBoss Enterprise Application Platform 7.2.0, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat JBoss EAP 7.2 for RHEL 6 Server - i386, noarch, x86_64

Bugs Fixed

1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties

JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

JBEAP-12932 - Upgrade WildFly Core to 4.0.1.Final

JBEAP-13189 - Upgrade Generic JMS RA 2.0.1.Final

JBEAP-13658 - Upgrade JGroups to 3.6.15.Final

JBEAP-13867 - [Artemis upgrade] Transformer interface was changed

JBEAP-13895 - [GSS](7.2.0) Upgrade picketlink from 2.5.5.SP8 to 2.5.5.SP9

JBEAP-14222 - (EL12) Upgrade Infinispan to 9.1.6.Final to 9.1.7.Final

JBEAP-14239 - (EL12) Upgrade Artemis to 1.5.5.009-redhat-1

JBEAP-14386 - (7.2.0.EO12) Upgrade slf4j from 1.7.22.redhat-1 to 1.7.22.redhat-2

JBEAP-14415 - Upgrade WildFly Core to 4.0.1.Final-redhat-1

JBEAP-14421 - Upgrade WildFly Elytron Tool to 1.1.4.Final

JBEAP-14422 - Upgrade WildFly Elytron to 1.2.4.Final

JBEAP-14427 - Upgrade Undertow to 2.0.0.SP1

JBEAP-14474 - Tracker bug for the EAP 7.2.0 release for RHEL-6

JBEAP-14504 - Upgrade WildFly HTTP client 1.0.12.Final

JBEAP-14581 - (CD12) Upgrade FasterXML Jackson from 2.9.4.redhat-1 to 2.9.5.redhat-1

JBEAP-14811 - 7.2 - Migration Guide: Upgrade org.apache.santuario.xmlsec to 2.1.1. caused regression in PicketLinkSTS

JBEAP-14852 - Upgrade to Galleon 1.0.1.Final and Galleon Plugins 1.0.1.Final (core)

JBEAP-14853 - Upgrade to Galleon 1.0.1.Final and Galleon Plugins 1.0.1.Final (full)
