Red Hat Single Sign-On 7.3 Update 2 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.3. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.3 will continue until RH-SSO 7.4 is released, and at that time maintenance will be delivered on RH-SSO 7.4.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because the adapters are released only when needed, a given cumulative patch version often will not have an associated client adapter for every product.
For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions see:
Red Hat Single Sign-On adapter and server compatibility
This update includes all fixes and changes from Red Hat Single Sign-On 7.3 Update 1.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.2 Update 2. See the JBoss Enterprise Application Platform 7.2 Update 2 Release Notes for a list of changes included in that release.
Resolved Issues
This update includes fixes for the following security-related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2019-3875 | Server | X.509 authentication: CRL signatures are not verified |
| CVE-2019-8331 | Server | In Bootstrap 4 before 4.3.1 and Bootstrap 3 before 3.4.1, XSS is possible in the tooltip or popover data-template attribute. For more information, see: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/ |
| CVE-2018-20676 | Server | In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. |
| CVE-2018-20677 | Server | In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. |
| CVE-2016-10735 | Server | In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute. Note that this is a different vulnerability than CVE-2018-14041. |
| CVE-2018-14041 | Server | In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy. This is similar to CVE-2018-14042. |
| CVE-2019-11358 | Server | jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype. |
| CVE-2019-10157 | Adapter - nodejs | keycloak: Node.js adapter internal NBF can be manipulated [rhsso-7.3.0] |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-9678 | Protocol - SAML | SAML Attribute/Claim to Role mapper can't find roles with "." in their name |
| KEYCLOAK-9973 | Client - SAML | Make IDP URL in keycloak-saml.xml configurable |
| KEYCLOAK-9971 | Server | Map user by Subject Alternative Name - otherName |
| KEYCLOAK-10196 | Server | Add Primary Key Constraint into RESOURCE_URIS table |
| KEYCLOAK-10184 | Server (Openshift) | Update RH-SSO documentation with steps to connect to an external database |
| KEYCLOAK-10188 | Admin - Console | Large SSO Session Idle/SSO Session Max causes login failure |
| KEYCLOAK-9949 | Server | Include x.509 data in audit logs |
| KEYCLOAK-9974 | Server | "user-attribute-ldap-mapper" is not propagating the change of "username" (uid) attribute. |
| KEYCLOAK-9972 | Server | Support multiple CRLs |
| KEYCLOAK-10211 | Server (RPM release only) | libunix-dbus-java is missing for rhel8 |
| KEYCLOAK-10238 | Documentation | Securing Applications and Services Guide is missing adapter installation on RHEL8 |
| KEYCLOAK-10239 | Documentation | Obsolete package names in rpm installation section of the Securing Applications and Services Guide |
Note: although KEYCLOAK-10211 resolved the missing libunix-dbus-java package, another issue still prevents SSSD integration from working on RHEL 8. See Known Issues for additional details and a workaround.
Known Issues
The following are new known issues for this release. For additional known issues, see the Red Hat Single Sign-On 7.3 Release Notes.
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-10363 | Server | SSSD integration does not work on RHEL 8 because the JNA package is not available in the baseos repository. The JNA package is available in the codeready repository. As a workaround, enable the "codeready-builder-for-rhel-8-x86_64-rpms" repository with the command: subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpms |
| KEYCLOAK-10260 | Installation (Zip only) | Linux patch failure due to incorrect permissions. To fix this issue, go to the rh-sso-7.3 directory and issue this command: chmod 775 .installation |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.3 Patching and Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.