Red Hat Single Sign-On 7.3 Update 3 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.3. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.3 will continue until RH-SSO 7.4 is released, and at that time maintenance will be delivered on RH-SSO 7.4.
Updated client adapters are released as needed to resolve customer reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for all products.
For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions see:
Red Hat Single Sign-On adapter and server compatibility
This update includes all fixes and changes from Red Hat Single Sign-On 7.3 Update 2.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.2 Update 3. See the JBoss Enterprise Application Platform 7.2 Update 3 Release Notes for a list of changes included in that release.
Download Red Hat Single Sign-On 7.3 Update 3
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2019-10201 | Server | SAML broker does not check existence of signature on document for POST binding |
| CVE-2019-10199 | Server | CSRF check missing in My Resources functionality in the Account Console |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-10865 | Adapter - Java - Wildfly (EAP 7) | Multipart upload fails when keycloak-saml-wildfly-elytron-adapter is enabled. |
| KEYCLOAK-10840 | Identity Brokering | SAML broker does not check existence of signature on document for POST binding (CVE-2019-10201) |
| KEYCLOAK-10779 | Authorization Services | CSRF check in My Resources (CVE-2019-10199) |
| KEYCLOAK-10767 | Server | Issues in loading offline session in a cluster environment during startup |
| KEYCLOAK-10309 | Protocol - SAML | Single Logout NameID ignores NameID attributes |
| KEYCLOAK-10286 | Admin - Console | Change to new Red Hat logo in RH-SSO admin UI |
| KEYCLOAK-10279 | Adapter - Java - Fuse, Authorization Services | Java Adapter limitation on number of resources |
| KEYCLOAK-9636 | Server | Active Directory 2016 support |
Known Issues
The following are new known issues for this release. For additional known issues, see the Red Hat Single Sign-On 7.3 Release Notes.
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-10363 | Server | SSSD integration does not work on RHEL 8 because the JNA package is not available in the baseos repository. The JNA package is available in the codeready repository. As a workaround, enable the "codeready-builder-for-rhel-8-x86_64-rpms" repository with the command: subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpms |
| KEYCLOAK-10260 | Server, Installation (Zip only) | Linux patch failure due to incorrect permissions. To fix this issue, go to the rh-sso-7.3 directory and issue this command: chmod 775 .installation |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.3 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.