JBoss Enterprise Application Platform 6.4 Update 20 Release Notes
Important: This update is not the latest cumulative patch, it is recommended to apply the latest update, see these links for the latest:
In order to better meet customer expectations, micro releases for JBoss EAP 6 have been discontinued and replaced with updates delivered on a repeating schedule, targeting a new release every 6 weeks.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
Note: JBoss EAP 6.4 Update 20 (or later) requires 6.4 Update 19 to be applied first see this article for more information.
For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+
This update includes all fixes and changes from This content is not included.JBoss EAP 6.4 Update 19 / Release Notes
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2016-4978 | HornetQ | hornetq: Deserialization of untrusted input vulnerability |
| CVE-2017-3163 | jbossas | solr-core: solr: Directory traversal via Index Replication HTTP API |
| CVE-2017-17485 | jbossas | resteasy: jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) |
| CVE-2018-8088 | jbossas | slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution |
| CVE-2018-7489 | jbossas | jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries |
| CVE-2017-15095 | jbossas | jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) [important details] - setting whitelist for classes to allow deserialization |
| CVE-2018-1304 | jbossas | jbossweb: tomcat: Incorrect handling of empty string URL in security constraints can lead to unitended exposure of resources |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| This content is not included.1463387 | Clustering | resolve or reduce log level for RequestCorrelator "channel is not connected" error during shutdown |
| This content is not included.1523011 | Domain Management | replace-deployment command not working as expected in domain mode |
| This content is not included.1405954 | JCA | Changing the max-pool-size of the datasource pool should indicate a "reload required" in the CLI output |
| This content is not included.1410924 | Scripts and Commands | Incorrect JBOSS_HOME warning in vault.sh |
| This content is not included.1510010 | Security | NameNotFoundException due to policyRegistration -- service jboss.naming.context.java.policyRegistration [details] |
| This content is not included.1352418 | Security | The fix for BZ1243553 breaks PolicyContext("javax.security.auth.subject.container") in CXF web service with STS |
| This content is not included.1527146 | Transaction Manager | Ensure that we only recover subordinate orphan Xids for servers that this server is configured for |
| This content is not included.1520539 | Web | AccessLogValve only logs first occurrence of a request header |
| This content is not included.1521012 | Web | default-session-timeout doesn't apply to apps containing session-config [details] |
| This content is not included.1494329 | Web | NullPointerException during JMX query on undeployed application |
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-6.4.20-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-6.4.20-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the This content is not included.JBoss EAP 6.4 Installation Guide