JBoss Fuse Integration Services on Fuse 6.3 Patch Release Notes
This article provides the details around our JBoss Fuse Integration Services patches.
The intention of this article is to provide the details on the relevant releases that you may need in order to apply the maintenance, as well as to document the associated fixes. For information on how to apply the patches, please refer to the Patching Documentation.
These patches may have three different components and each will detail the issues resolved:
Application Dependency Updates
Image Updates
Template Updates
Patch releases are typically driven by application dependency updates. The following table highlights the relationship between the different versions. Note that images may be released outside of a major patch release; such releases are documented in the Image Updates section.
Versions
This section documents the versions for the different components for major patch releases.
Application Dependencies
The following table lists the patches specific to FIS that have been addressed in each release, together with a link to the corresponding Fuse rollup release notes.
| Release / JIRA | Summary | Notes |
| --- | --- | --- |
| 6.3 R14 | R14 Release Notes | Issues resolved in Fuse 6.3 R14 |
| ENTESB-8509 | CVE-2017-15089 infinispan-core: infinispan: Unsafe deserialization of malicious object injected into data cache | |
| ENTESB-11664 | Wrong infinispan version in camel-infinispan in Camel 2.18.1 | |
| 6.3 R13 | R13 Release Notes | Issues resolved in Fuse 6.3 R13 |
| ENTESB-10662 | CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis | |
| ENTESB-10661 | CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library | |
| ENTESB-10660 | CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver | |
| ENTESB-10659 | CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class | |
| ENTESB-10658 | CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class | |
| ENTESB-10657 | CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class | |
| ENTESB-10656 | CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes | |
| ENTESB-10655 | CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class | |
| ENTESB-10904 | CVE: python update - RHSA: 43130 | |
| ENTESB-10919 | CVE: vim update RHSA: 43265 | |
| ENTESB-11734 | Wrong version of jackson-databind in camel-spring-boot BOM | |
| ENTESB-11714 | spring-boot-camel-rest-sql-1.0.0.fuse-000169 limits service name | |
| ENTESB-11709 | Wrong jackson-databind version in FIS 2.0 based on R13 | |
| ENTESB-8615 | CVE-2016-5397 libthrift: thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands | |
| 6.3 R11 | R11 Release Notes | Issues resolved in Fuse 6.3 R11 |
| ENTESB-9951 | CXFRS header "CamelDestinationOverrideUrl" stops working after changing it twice | |
| ENTESB-10252 | no_proxy in JVM argument not honoured in FIS image | |
| 6.3 R10 | R10 Release Notes | Issues resolved in Fuse 6.3 R10 |
| ENTESB-8757 | CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution | |
| ENTESB-8555 | CVE-2018-1000129 jolokia-core: jolokia: Cross site scripting in the HTTP servlet | |
| ENTESB-8481 | CVE-2017-5929 logback-classic: logback: Serialization vulnerability in SocketServer and ServerSocketReceiver | |
| 6.3 R8 | R8 Release Notes | Issues resolved in Fuse 6.3 R8 |
| ENTESB-9009 | Publish Narayana artifacts for spring-boot in MRRC | |
| ENTESB-8314 | CVE-2018-1304 tomcat8: tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources | |
| ENTESB-8312 | CVE-2018-1305 tomcat8: tomcat: Late application of security constraints can lead to resource exposure for unauthorised users | |
| ENTESB-7949 | CVE-2018-1270 spring: spring-framework: Possible RCE via spring messaging | |
| ENTESB-7950 | CVE-2018-1275 spring: spring-framework: Address partial fix for CVE-2018-1270 | |
| ENTESB-8552 | CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries | |
| OSFUSE-770 | CVE-2018-1305 tomcat8: tomcat: Late application of security constraints can lead to resource exposure for unauthorised users | |
| OSFUSE-802 | CVE-2018-1270 spring: spring-framework: Possible RCE via spring messaging | |
| OSFUSE-823 | jetty: Timing channel attack in util/security/Password.java | |
| OSFUSE-804 | spring: spring-framework: Multipart content pollution | |
| OSFUSE-769 | tomcat8: tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources | |
| OSFUSE-832 | CVE-2018-1271 spring: spring-framework: Directory traversal vulnerability with static resources on Windows filesystems | |
| OSFUSE-765 | Can't specify camel REST producer target URI in FIS | |
| ENTESB-8704 | CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process | |
| ENTESB-9071 | EMBARGOED plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file | |
| ENTESB-7407 | XSLT fails if the XML document contains a default namespace | |
| ENTESB-9141 | karaf2-cxf-rest - NoSuchMethodError: BeanConfig.setUsePathBasedConfig(Z)V | |
| ENTESB-9133 | activemq-camel gives NoClassDefFoundError: MessageHandlerMethodFactory | |
| ENTESB-9262 | CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 | |
| ENTESB-9295 | CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS | |
| ENTESB-9497 | Regression between R7 and R8 - missing slf4j in BOM | |
| 6.3 R7 | R7 Release Notes | Issues resolved in Fuse 6.3 R7 |
| ENTESB-8536 | Quickstarts fail with OOM | |
| ENTESB-8308 | CVE-2017-8046 spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code | |
| ENTESB-8456 | CVE-2018-1199 spring: spring-framework: Improper URL path validation allows for bypassing of security checks on static resources [fis-2.0] | |
| ENTESB-8741 | Backport CAMEL-11229 | |
| ENTESB-8682 | CVE-2018-1295 ignite-core: ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints [fis-2.0] | |
| ENTESB-8569 | CVE-2018-9159 spark-core: spark: Absolute and relative pathnames allow for unintended static file disclosure [fis-2.0] | |
| ENTESB-8506 | CVE-2017-12196 Undertow: Client can use bogus uri in Digest authentication [fis-2.0] | |
| ENTESB-8609 | Camel Jasypt Encryption support in Spring Boot | |
| ENTESB-7950 | CVE-2018-1275 spring: spring-framework: Address partial fix for CVE-2018-1270 [fuse-6.3.0] | |
| ENTESB-9133 | activemq-camel gives NoClassDefFoundError: MessageHandlerMethodFactory | |
| 6.3 R6 | R6 Release Notes | Issues resolved in Fuse 6.3 R6 |
| OSFUSE-655 | [OCP 3.7] fabric8 client HorizontalPodAutoscaler returns 404 on OCP 3.7 | |
| OSFUSE-718 | [OSO][OCP 3.7] f-m-p redeployments failing to deploy | |
| OSFUSE-734 | Backport CAMEL-11622 feature to FIS 2.0 | |
| OSFUSE-786 | Add openshift.io/display-name annotation to quickstart templates | |
| OSFUSE-787 | Update quickstart template icon-class to icon-rh-integration | |
| 6.3 R5 | R5 Release Notes | Issues resolved in Fuse 6.3 R5 |
| OSFUSE-633 | Update documentation / quickstarts to use AMQ 6.3 image instead of the deprecated AMQ 6.2 image | |
| OSFUSE-641 | Diff between karaf feature bundle commons-codec version and pom version | |
| OSFUSE-645 | UIntegrate Camel 2.19.1 with FIS 2.x because of ThrottlingExceptionRoutePoli | |
| OSFUSE-689 | Update FIS 2.0 images to address OSOP memory limitations | |
| 6.3 R4 | R4 Release Notes | Issues resolved in Fuse 6.3 R4 |
| OSFUSE-545 | Archetypes don't contain configuration/settings.xml | |
| OSFUSE-555 | f-m-p misleading log warning if oc binary is missing | |
| OSFUSE-577 | Upgrade Jolokia to 1.3.6 | |
| OSFUSE-558 | [maven-repo] Missing org.apache.tomcat.embed:tomcat-embed-jasper:jar:8.0.36.redhat-14 | |
| OSFUSE-579 | FMP Karaf binary s2i-built image from Windows fails on startup: exec: /deployments/karaf/bin/karaf: cannot execute: Permission denied | |
| OSFUSE-588 | XML Routes do not load when a camel component id is similar to a camel component definition id | |
| OSFUSE-596 | Including configuration/settings.xml in FIS Maven archetypes | |
| OSFUSE-600 | Update Camel SQL-Stored component to allow for stored functions | |
| OSFUSE-619 | SB apps have shrinkwrap jars in them | |
| OSFUSE-605 | f-m-p stuck in waitUntilBuildFinished | |
| OSFUSE-560 | Editing karaf camel route XML via hawtio console creates a broken XML with xmlns:xmlns | |
| OSFUSE-657 | Bump tomcat version | |
| 6.3 R2 | R2 Release Notes | Issues resolved in Fuse 6.3 R2 |
| OSFUSE-601 | Update POM Files to use GA version of TomCat | |
| OSFUSE-572 | camel-salesforce: backport streaming improvements | |
| OSFUSE-573 | camel-salesforce: backport Composite API support | |
| OSFUSE-577 | Upgrade Jolokia to 1.3.6 | |
| OSFUSE-537 | CXF templates lack Routes | |
| OSFUSE-545 | Archetypes don't contain configuration/settings.xml | |
| OSFUSE-555 | f-m-p misleading log warning if oc binary is missing | |
| OSFUSE-545 | Improve error feedback when the targeted docker registry is not secured and not configured as such, instead of just "An error has occurred. Stream Closed" | |
Image Updates
This section documents image updates. Image updates are tracked through Red Hat errata. On some occasions, images may be updated outside of a patch cycle to incorporate important fixes or security updates. Aside from checking this document or the container catalog, you may also receive notifications about updates directly by completing this form.
Template Updates
Templates are rebased on the latest rollup, and you will need to update them each time so that new projects created with these templates use the correct versions.