Red Hat JBoss: RHSA-2019:0137-01 Moderate Security Advisory

January 22, 2019
Important security notice regarding the recent update for Red Hat JBoss Enterprise Application Platform, including essential patches and improvements.
Updated packages that provide Red Hat JBoss Enterprise Application Platform 7.2.0, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

This enhancement adds the new Red Hat JBoss Enterprise Application Platform 7.2.0 packages to Red Hat Enterprise Linux 7.
This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1, and includes bug fixes and enhancements. Refer to the Red Hat JBoss Enterprise Application Platform 7.2.0 Release Notes for information on the most significant bug fixes and enhancements included in this release.
All users of Red Hat JBoss Enterprise Application Platform 7.1 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
Security Fix(es):
* picketlink: picketlink-bindings: The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml (CVE-2017-2582)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat).

References

https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/updates/classification#moderate
https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/8.1
https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/index

Package List

Red Hat JBoss EAP 7.2 for RHEL 7 Server:
Source:
eap7-1-13.el7eap.src.rpm
eap7-activemq-artemis-2.6.3-3.redhat_00014.1.el7eap.src.rpm
eap7-aesh-extensions-1.6.0-2.redhat_00001.1.el7eap.src.rpm
eap7-aesh-readline-1.10.0-1.redhat_00001.1.el7eap.src.rpm
eap7-agroal-1.3.0-1.redhat_00001.1.el7eap.src.rpm
eap7-antlr-2.7.7-54.redhat_7.1.el7eap.src.rpm
eap7-apache-commons-beanutils-1.9.3-5.redhat_1.1.el7eap.src.rpm
eap7-apache-commons-cli-1.3.1-3.redhat_2.1.el7eap.src.rpm
eap7-apache-commons-codec-1.10.0-6.redhat_5.1.el7eap.src.rpm
eap7-apache-commons-collections-3.2.2-9.redhat_2.1.el7eap.src.rpm
eap7-apache-commons-io-2.5.0-4.redhat_3.1.el7eap.src.rpm
eap7-apache-commons-lang-3.6.0-1.redhat_1.1.el7eap.src.rpm
eap7-apache-commons-lang2-2.6.0-1.redhat_7.1.el7eap.src.rpm
eap7-apache-cxf-3.2.5-3.redhat_00001.1.el7eap.src.rpm
eap7-apache-cxf-xjc-utils-3.2.2-1.redhat_00001.1.el7eap.src.rpm
eap7-apache-mime4j-0.6.0-4.redhat_7.1.el7eap.src.rpm
eap7-artemis-native-2.6.3-10.redhat_00014.el7eap.src.rpm
eap7-artemis-wildfly-integration-1.0.2-4.redhat_1.1.el7eap.src.rpm
eap7-atinject-1.0.0-3.redhat_6.1.el7eap.src.rpm
eap7-avro-1.7.6-7.redhat_2.1.el7eap.src.rpm
eap7-azure-storage-6.1.0-1.redhat_1.1.el7eap.src.rpm
eap7-bouncycastle-1.60.0-1.redhat_00001.1.el7eap.src.rpm

Advisory ID: RHSA-2019:0137-01
Product: Red Hat JBoss Enterprise Application Platform
Issue date: 2019-01-22

Topic

Updated packages that provide Red Hat JBoss Enterprise Application Platform 7.2.0, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases / Architectures

Red Hat JBoss EAP 7.2 for RHEL 7 Server - noarch, x86_64

Bugs Fixed

1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties

JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

JBEAP-12932 - Upgrade WildFly Core to 4.0.1.Final

JBEAP-13189 - Upgrade Generic JMS RA 2.0.1.Final

JBEAP-13658 - Upgrade JGroups to 3.6.15.Final

JBEAP-13867 - [Artemis upgrade] Transformer interface was changed

JBEAP-13895 - [GSS](7.2.0) Upgrade picketlink from 2.5.5.SP8 to 2.5.5.SP9

JBEAP-14222 - (EL12) Upgrade Infinispan to 9.1.6.Final to 9.1.7.Final

JBEAP-14239 - (EL12) Upgrade Artemis to 1.5.5.009-redhat-1

JBEAP-14386 - (7.2.0.EO12) Upgrade slf4j from 1.7.22.redhat-1 to 1.7.22.redhat-2

JBEAP-14415 - Upgrade WildFly Core to 4.0.1.Final-redhat-1

JBEAP-14421 - Upgrade WildFly Elytron Tool to 1.1.4.Final

JBEAP-14422 - Upgrade WildFly Elytron to 1.2.4.Final

JBEAP-14427 - Upgrade Undertow to 2.0.0.SP1

JBEAP-14475 - Tracker bug for the EAP 7.2.0 release for RHEL-7

JBEAP-14504 - Upgrade WildFly HTTP client 1.0.12.Final

JBEAP-14581 - (CD12) Upgrade FasterXML Jackson from 2.9.4.redhat-1 to 2.9.5.redhat-1

JBEAP-14811 - 7.2 - Migration Guide: Upgrade org.apache.santuario.xmlsec to 2.1.1. caused regression in PicketLinkSTS

JBEAP-14852 - Upgrade to Galleon 1.0.1.Final and Galleon Plugins 1.0.1.Final (core)

JBEAP-14853 - Upgrade to Galleon 1.0.1.Final and Galleon Plugins 1.0.1.Final (full)
