This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.2. RH-SSO delivers patches on a repeating schedule to resolve security defects and customer reported bugs. Red Hat Single Sign-On 7.3 has been released, so there are no planned additional maintenance releases for Red Hat Single Sign-On 7.2. Future maintenance releases for the Red Hat Single Sign-On 7 product will continue on Red Hat Single Sign-On 7.3.

Updated client adapters are released as needed to resolve customer reported issues or security fixes. Because the adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.

For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions see: Red Hat Single Sign-On adapter and server compatibility

This update includes all fixes and changes from Red Hat Single Sign-On 7.2 Update 05.

Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform and this update includes JBoss Enterprise Application Platform 7.1 Update 6. See the JBoss Enterprise Application Platform 7.1 Update 6 Release Notes for a list of changes included in that release.

This update includes fixes for the following security related issues:

ID Component Summary
CVE-2018-10934 Server CVE-2018-10934 wildfly-core: Cross-site scripting (XSS) in JBoss Management Console
CVE-2018-1000632 Server CVE-2018-1000632 dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents
CVE-2018-14642 Server CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer

This update includes the following bug fixes or changes:

ID Component Summary
KEYCLOAK-9068 Protocol - SAML IDP-initiated-flow is not working with REDIRECT binding
KEYCLOAK-7936 Adapter - Java Simultaneous adapter node registration encounters an error in RH-SSO
KEYCLOAK-9169 Server, Identity Brokering Update Google identity provider endpoints. Replacing discontinued Google+ Sign-In with Google's replacement.
KEYCLOAK-9185 Server, Identity Brokering Update LinkedIn social login provider to use new v2 user profile APIs before existing API is discontinued.
KEYCLOAK-7246 Server Disable auto completion for user account New Password and Password Confirmation fields
KEYCLOAK-8756 Server It is not possible to verify email for already logged in user
KEYCLOAK-8731 Server "Not Recently Used" Password Policy value changing from high value to 1 causes a latency on user password change
KEYCLOAK-5052 User Federation - LDAP LDAP group names containing "/" in the name violate SIBILING_NAME constraint in db

Installation

For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release) see Micro Upgrades in the Red Hat Single Sign-On 7.2 Patching And Upgrading Guide.

The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.