JBoss Enterprise Application Platform 7.0 Update 09 Release Notes
Important: Red Hat JBoss EAP 7.0 update 9 (7.0.9) is the last maintenance release for EAP 7.0. As such, security issues (CVEs) and other bug fixes are only being fixed via cumulative patches on the latest EAP 7.x. It is recommended to move to the current version when possible in order to stay current on security and bug fixes. See also: Why is it recommended to keep current on JBoss EAP Updates or Cumulative Patches?
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule, targeting a new release every 6 weeks.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.0 Update 08.
Download: JBoss Enterprise Application Platform 7.0 Update 9
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2017-12167 | Server | Wrong privileges on multiple property files |
| CVE-2017-12165 | Web (Undertow) | improper whitespace parsing leading to potential HTTP request smuggling |
| CVE-2016-8656 | RPM | unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for CVE-2016-8656) |
| CVE-2017-12629 | Server | Code execution via entity expansion |
| CVE-2017-2666 | Web (Undertow) | HTTP Request smuggling vulnerability |
| CVE-2016-6346 | REST | Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack |
| CVE-2017-7561 | Server | Vary header not added by CORS filter leading to cache poisoning |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-11645 | | ARTEMIS-1232 deserialization black/white list are not used by regular JMS connection factories |
| JBEAP-11313 | | CENTRAL_LOCK: potential deadlock after cluster split |
| JBEAP-11327 | | FD_HOST doesn't print stack trace |
| JBEAP-11320 | | FD_SOCK keeps trying to create a new socket to the killed server |
| JBEAP-11323 | | Headers.resize() called unnecessarily |
| JBEAP-11311 | | IndexOutOfBoundsException when trace logging |
| JBEAP-11319 | | MERGE3: merge never happens |
| JBEAP-11326 | | Request.viewChange() implementations should not use View.getMembers() |
| JBEAP-11315 | | TYPE_STRING does not handle unicode |
| JBEAP-11318 | | UNICAST3: bypass or remove when running over TCP |
| JBEAP-13535 | | COUNTER: removed unnecessary checks on the length of ReconcileRequest/Response in streaming methods which caused a NullPointerException in their toString method |
| JBEAP-13536 | | Prevent NPE on null bundler when sending a message |
| JBEAP-13537 | | TcpServer.doSend() returns if output stream is null |
| JBEAP-13405 | | JBJCA-1352 - IBM MQ deadlock on shutdown |
| JBEAP-13525 | | RESTEasy returns wrong Content-Encoding data if client requests gzip |
| JBEAP-11325 | | UNICAST3 drops all messages until it receives the first one |
| JBEAP-13421 | ActiveMQ | Artemis JMS bridge does not remove vendor specific properties from message headers |
| JBEAP-13627 | Clustering | Default protocol properties are not applied to legacy protocol resources |
| JBEAP-6563 | Clustering | ASYM_ENCRYPT error message "key server is currently not set" should be logged with debug level |
| JBEAP-12676 | Clustering | CacheRegistry is missing entries (e.g. client mappings) following a merge after a cluster split |
| JBEAP-12895 | EJB | A client is not able to invoke EJBs deployed as "HASingleton deployment" [details] |
| JBEAP-12105 | EJB | SSL EJB Client stuck in AbstractHandleableCloseable.close with short-lived clients and when server is disconnected from network - part 2 |
| JBEAP-13433 | EJB | SSL EJB Client stuck in AbstractHandleableCloseable.close with short-lived clients and when server is disconnected from network - part 2 |
| JBEAP-11659 | Hibernate | HHH-11214 HHH-11215 - Envers bugs auditing collection of embeddables [details] |
| JBEAP-13436 | Hibernate | HHH-11364 Unable to populate an ElementCollection (of an embeddable type) of an audited entity when the collection has a null value for a property with JoinColumn [details] |
| JBEAP-11657 | Hibernate | HHH-9199 - ValidityAuditStrategy: Collection of embeddables is not audited correctly [details] |
| JBEAP-12798 | JCA | JBJCA-1354 - Potential for deadlock on pool's flush |
| JBEAP-13299 | JCA | JBJCA-1355 - set-tx-query-timeout does not work when the remaining transaction timeout is shorter than one second [details] |
| JBEAP-9 | Localization | Fix French translation of org.jboss.as.connector.logging.ConnectorLogger |
| JBEAP-13427 | REST | Introduce property allowing GZIP interceptors to be enabled by default |
| JBEAP-13406 | Remoting | REM3-309 - reworked REM3-284 to shut down the writes AFTER the read to escape hangs when closing an unresponsive connection |
| JBEAP-13432 | Remoting | Rework REM3-259 to fix synchronization issue |
| JBEAP-13889 | Web (Undertow) | Test HttpDeploymentUploadUnitTestCase failed with IPv6 because server gets HTTP response code 500 |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

```shell
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.0.9-patch.zip"
```

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

```batch
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.0.9-patch.zip"
```

These commands apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.0 Patching And Upgrading Guide.