This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.2. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Red Hat Single Sign-On 7.3 has been released and so there are no planned additional maintenance releases for Red Hat Single Sign-On 7.2. Future maintenance releases for Red Hat Single Sign-On 7 product will continue on Hat Single Sign-On 7.3.
Updated client adapters are released as needed to resolve customer reported issues or security fixes. The adapters are released as needed so often a given cumulative patch version will not have an associated client adapter for all products.
For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions see: Red Hat Single Sign-On adapter and server compatability
This update includes all fixes and changes from Red Hat Single Sign-On 7.2 Update 05.
Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform and this update includes JBoss Enterprise Application Platform 7.1 Update 6. See the JBoss Enterprise Application Platform 7.1 Update 6 Release Notes for a list of changes included in that release.
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2018-10934 | Server | CVE-2018-10934 wildfly-core: Cross-site scripting (XSS) in JBoss Management Console |
| CVE-2018-1000632 | Server | CVE-2018-1000632 dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents |
| CVE-2018-14642 | Server | CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-9068 | Protocol - SAML | IDP-initiated-flow is not working with REDIRECT binding |
| KEYCLOAK-7936 | Adapter - Java | Simultaneous adapter node registration encounters an error in RH-SSO |
| KEYCLOAK-9169 | Server, Identity Brokering | Update Google identity provider endpoints. Replacing discontinued Google+ Sign-In with Google's replacement. |
| KEYCLOAK-9185 | Server, Identity Brokering | Update LinkedIn social login provider to use new v2 user profile APIs before existing API is discontinued. |
| KEYCLOAK-7246 | Server | Disable auto completion for user account New Password and Password Confirmation fields |
| KEYCLOAK-8756 | Server | It is not possible to verify email for already logged in user |
| KEYCLOAK-8731 | Server | "Not Recently Used" Password Policy value changing from high value to 1 causes a latency on user password change |
| KEYCLOAK-5052 | User Federation - LDAP | LDAP group names containing "/" in the name violates SIBILING_NAME constraint in db |
For instructions on applying Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release) see Micro Upgrades in Red Hat Single Sign-On 7.2 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.