JBoss Enterprise Application Platform 7.1 Update 1 Release Notes
Important: This update is not the latest cumulative patch. It is recommended to apply the latest update; see these links for the latest:
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule, targeting a new release every 6 weeks.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2017-12196 | Security | client can use bogus uri in digest authentication |
| CVE-2017-12174 | Server | artemis: memory exhaustion via UDP and JGroups discovery |
| CVE-2017-15089 | Server | infinispan: Unsafe deserialization of malicious object injected into data cache |
| CVE-2017-15095 | Server | jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) |
| CVE-2017-7561 | Server | resteasy: Vary header not added by CORS filter leading to cache poisoning |
| CVE-2018-1048 | Web (Undertow) | ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser |
| CVE-2017-17485 | Server | jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) |
| CVE-2018-5968 | Server | jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-14158 | | WEJBHTTP-14 - Host header should include correct port information |
| JBEAP-13184 | ActiveMQ | AMQ154003: Unable to reconnect org.apache.activemq.artemis.ra.inflow.ActiveMQActivationSpec(ra=org.apache.activemq.artemis.ra.ActiveMQResourceAdapter@3ca2957 destination=inQueue |
| JBEAP-13794 | ActiveMQ | javax.naming.InvalidNameException: WFNAM00007: Invalid URL scheme name "null" when jms bridge is trying to do remote lookup on EAP6 |
| JBEAP-13725 | Clustering | Requesting TRANSACTIONAL cache concurrency strategy but the cache is not configured as transactional. |
| JBEAP-13170 | Domain Management | Incorrect WARN in DC log for remoting endpoint resource transformation to EAP 6 |
| JBEAP-13389 | Domain Management | Management returning success for read-attribute on non-existent path |
| JBEAP-13934 | Domain Management | Unable to set multiple ssl protocols and ciphers on security-realms using system properties |
| JBEAP-13925 | EE | Apostrophe in an attribute with multiple EL parts breaks function lookup |
| JBEAP-13295 | EJB | Unable to deploy clustered ejb in a mixed domain. |
| JBEAP-13660 | EJB | ClassCastException when invoking EJB Remote Interface where Interface is in shared classloader but result is not |
| JBEAP-13682 | EJB | Default SFSB Lifecycle methods transaction attribute causing warnings |
| JBEAP-13753 | EJB | EJB Timer is not fired during the ambiguous hour during the switch from summer to winter times |
| JBEAP-13939 | EJB | Server should verify EJB business methods during deployment and reject |
| JBEAP-14151 | Hibernate | HHH-11634 HHH-11768 HHH-11714 HHH-11996 Bugs using hibernate.order_inserts=true |
| JBEAP-14121 | Hibernate | HHH-12233 NPE in CacheImpl |
| JBEAP-13386 | Hibernate | HHH-11364 Unable to populate an ElementCollection (of an embeddable type) of an audited entity when the collection has a null value for a property with JoinColumn |
| JBEAP-12906 | Hibernate | HHH-11957 DB2Dialect override for substring hides DB2 method |
| JBEAP-13032 | Hibernate | HHH-11970 Use of @NotFound(IGNORE) and @BatchSize when there are unresolved foreign key values results in extra queries |
| JBEAP-13683 | Hibernate | HHH-12075 Hibernate SQLQuery#executeUpdate() does not invoke Statement#setQueryTimeout() |
| JBEAP-13880 | Hibernate | HHH-4959 HHH-11377: Concurrent HQL parsing blocks on ReflectHelper.classForName() |
| JBEAP-12679 | Hibernate | HHH-11915 DatabaseMetaData#getIndexInfo can return column names enclosed in quotes on PostgresPlus |
| JBEAP-12697 | JCA | Changing the max-pool-size of the datasource pool should indicate a "reload required" in the CLI output |
| JBEAP-13300 | JCA | set-tx-query-timeout does not work when the remaining transaction timeout is shorter than one second |
| JBEAP-13806 | JPA / Hibernate | HHH-10418 Unable to share single cache region with entity and collection |
| JBEAP-13902 | Logging | LOGMGR-154 - Log rotations should be more resilient to failed rotations |
| JBEAP-13502 | Logging | Not able to separate application (EAR) logging with the use of logging profile |
| JBEAP-11756 | REST | ComprehensiveJaxrsTest fails intermittently with IllegalStateException |
| JBEAP-13475 | REST | RESTEASY-1735 - RESTEasy returns wrong Content-Encoding data if client request gzip |
| JBEAP-13426 | REST | RESTEASY-1728 - Introduce property allowing GZIP interceptors to be enabled by default |
| JBEAP-13909 | REST | RESTEASY-1763 - Wrong request matching to literal path |
| JBEAP-13928 | REST | RESTEASY-1765 - Remove q-qs parameters from header Content-type in responses |
| JBEAP-9953 | REST | RESTEASY-1638 - Permission check failed when creating instance of resteasy client |
| JBEAP-14193 | RPM | RPM - Setting JAVA_HOME not effective in RHEL-6 init scripts |
| JBEAP-8935 | RPM | RPM: wildfly-modules creates unowned directory |
| JBEAP-13983 | Scripts | Startup error when started as system service |
| JBEAP-2090 | Security | Some SSL_* cipher suites not working in EAP7 |
| JBEAP-5038 | Security | EAP responds with 403 instead of 401 on IBM java with Kerberos |
| JBEAP-13116 | Security | ERROR in logs while using vault in system properties |
| JBEAP-13855 | Security | SAML2STSLoginModule cannot be configured with module options instead of configFile |
| JBEAP-13878 | Security | The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml |
| JBEAP-13094 | Server | module defined in jboss-deployment-structure.xml with fails to parse when annotations=true |
| JBEAP-14007 | Transactions | Ensure that we only recover subordinate orphan Xids for servers that this server is configured for |
| JBEAP-14093 | Web (Undertow) | '%v' field of AccessLog includes port in logged server name |
| JBEAP-14089 | Web (Undertow) | UNDERTOW-1193 - Mixing + and %20 in URL paths befuddles path parsing |
| JBEAP-13710 | Web (Undertow) | UNDERTOW-1185 - Undertow does not allow UTF-8 characters in URLs |
| JBEAP-13829 | Web (Undertow) | JSP compilation fails if we have same Class and package names (differs only on case) |
| JBEAP-12678 | Web (Undertow) | UNDERTOW-1132 - Filter.doFilter() is executed before Servlet.init() in Undertow while JBoss Web is the opposite |
| JBEAP-12806 | Web (Undertow) | UNDERTOW-1163 - EAP 7/Undertow does not treat comma (,) as Cookie delimiter |
| JBEAP-13751 | Web (Undertow) | UNDERTOW-1221 - url-charset="MS949" did not work in ajp-listener |
| JBEAP-13907 | Web (Undertow) | UNDERTOW-1240 - Access log only logs first occurrence of a header |
| JBEAP-13919 | Web (Undertow) | UNDERTOW-1241 - record-request-start-time does not work for HTTP/2 |
| JBEAP-14023 | Web (Undertow) | UNDERTOW-1248 - Add %{RESPONSE_TIME_MICROS} as a supported attribute |
| JBEAP-14075 | Web (Undertow) | UNDERTOW-1262 Cross context session id propagation does not work if the session is new |
| JBEAP-14144 | Web (Undertow) | UNDERTOW-1266 - CanonicalPathUtils should handle both backslash and forward slash |
| JBEAP-14169 | Web (Undertow) | UNDERTOW-1274 Cross context session creation should not set a cookie, but rely on the original context's cookie |
| JBEAP-13933 | Web Console | User redirected with HTTP 301 instead of 302 in admin-only mode |
| JBEAP-14155 | Web Services | WSDL system property expansion not working on endpoint address |
| JBEAP-13882 | Web Services | "SAAJ0303: Operation getFaultSubcodes not supported by SOAP 1.1" is logged when SOAPFaultException is thrown |
| JBEAP-12672 | Web Services | POJO WS not defaulting to Undertow default-security-domain |
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:

```
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.1.1-patch.zip"
```

To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:

```
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.1.1-patch.zip"
```

These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.1 Patching And Upgrading Guide.
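The following wrapper script is an added example, not part of Red Hat's release notes or the EAP distribution. It runs the Unix CLI command above only after two pre-flight checks a practitioner would want: that JBOSS_HOME really is an EAP 7.1 installation (it assumes `JBOSS_HOME/version.txt` contains a "Version 7.1.x" line) and that the downloaded patch zip's SHA-256 matches the digest published on the Customer Portal. `EXPECTED_SHA256` is a placeholder to be replaced with the portal's value; `CLI` can be overridden to point at a different CLI binary. After a successful `patch apply` it runs `patch info` so the applied patch id is visible in the job output, and the server still needs a restart to load the patched modules.

```shell
#!/bin/sh
# Added example: apply the EAP 7.1 Update 1 patch zip with pre-flight checks.
# Assumptions: JBOSS_HOME holds an EAP 7.1 install whose version.txt contains
# "Version 7.1.x"; the expected SHA-256 comes from the Red Hat Customer Portal.
set -u

# PLACEHOLDER: replace with the SHA-256 shown on the portal download page.
EXPECTED_SHA256="${EXPECTED_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# Print the SHA-256 hex digest of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file exists and its digest equals the expected value.
verify_patch_checksum() {
    _file="$1"; _expected="$2"
    [ -f "$_file" ] || return 1
    _actual=$(sha256_of "$_file")
    [ "$_actual" = "$_expected" ]
}

# Return 0 only if the directory looks like an EAP 7.1 installation:
# version.txt says 7.1.x and the CLI launcher is present and executable.
check_eap_home() {
    _home="$1"
    [ -f "$_home/version.txt" ] || return 1
    [ -x "$_home/bin/jboss-cli.sh" ] || return 1
    grep -q 'Version 7\.1\.' "$_home/version.txt"
}

# Apply the patch with the same CLI command the release notes give, then
# print the patch state. $CLI may be overridden (for example with a stub).
apply_patch() {
    _home="$1"; _zip="$2"
    _cli="${CLI:-$_home/bin/jboss-cli.sh}"
    "$_cli" "patch apply $_zip" || return 1
    "$_cli" "patch info"
}

# Orchestrate: refuse to apply if either pre-flight check fails.
main() {
    _home="$1"; _zip="$2"
    if ! check_eap_home "$_home"; then
        echo "refusing: $_home is not an EAP 7.1 installation" >&2
        return 1
    fi
    if ! verify_patch_checksum "$_zip" "$EXPECTED_SHA256"; then
        echo "refusing: SHA-256 of $_zip does not match the expected digest" >&2
        return 1
    fi
    apply_patch "$_home" "$_zip" || return 1
    echo "patch applied; restart the server to load the patched modules"
}

# Usage: sh apply_update.sh /path/to/JBOSS_HOME path/to/jboss-eap-7.1.1-patch.zip
if [ $# -ge 2 ]; then
    main "$@"
fi
```

The checksum step is the supply-chain control: the patch zip is a trusted-code artifact that will be loaded into every application on the server, so its integrity should be confirmed before the CLI unpacks it, not after.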