JBoss Enterprise Application Platform 7.2 Update 5 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer-reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information, see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 04.
Download: JBoss Enterprise Application Platform 7.2 Update 5
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2019-9515 | Management | HTTP/2: flood using SETTINGS frames results in unbounded memory growth |
| CVE-2019-14843 | Security Manager | wildfly-security-manager: security manager authorization bypass |
| CVE-2019-9512 | Management | HTTP/2: flood using PING frames results in unbounded memory growth |
| CVE-2019-14838 | Management | Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default |
| CVE-2019-9511 | Management | HTTP/2: large amount of data requests leads to denial of service |
| CVE-2019-9514 | Management | HTTP/2: flood using HEADERS frames results in unbounded memory growth |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-17532 | | HHH-13611 Restore EntityMetamodel constructor to take SessionFactoryImplementor argument instead of PersisterCreationContext. |
| JBEAP-17372 | | RESTEASY-2027 - PatchMethodFilter doesn't handle request of MediaType application/json-patch+json if MediaType have argument |
| JBEAP-17125 | | RESTEASY-2281 - PatchMethodFilter not using provided ObjectMapper |
| JBEAP-17222 | | resteasy-jaxrs is missing dependency to microprofile-config-api |
| JBEAP-17152 | CLI | jboss-cli.sh does not error on invalid options such as --controler |
| JBEAP-15985 | Clustering | NullPointerException in processing EJB request at shutdown |
| JBEAP-17412 | Concurrency Utilities | ManagedExecutorService keeping references on undeploy/deploy |
| JBEAP-17458 | EJB | Timely topology changes can defer expiration of distributed SFSB |
| JBEAP-17269 | EJB | WFLY-12321 - Use a single non-cancelling task per bean manager for tracking passivation expiration |
| JBEAP-17721 | EJB | EJB/JNDI over HTTP-Invoker Throws CommunicationException instead of AuthenticationException |
| JBEAP-16940 | EJB | Out of specification: Singleton EJB is allowed to implement SessionBean interface. |
| JBEAP-17376 | EJB | Single action timer is not triggered automatically after a DB outage, requires server restart |
| JBEAP-17086 | EJB | UNDERTOW-1580 - Improve EJB over HTTPS logging |
| JBEAP-17270 | EJB | WFLY-12322 - Avoid redispatching to a worker the ejb call if it is async (at AssociationImpl) |
| JBEAP-17164 | Generic JMS RA | WFLY-12415 - Complete message object visible in ERROR at org.jboss.resource.adapter.jms.inflow.JmsServerSession |
| JBEAP-17471 | Hibernate | HHH-13592 AutoFlushEvent#isFlushRequired is always false |
| JBEAP-17525 | Hibernate | HHH-13607 Exception thrown while flushing uninitialized enhanced proxy with immutable natural ID |
| JBEAP-17485 | Hibernate | HHH-12968 Persist fails when using JOINED Inheritance with batch_size > 1 and legacy ID generation |
| JBEAP-17418 | Hibernate | HHH-13586: ClassCastException when using a single region name for both entity and query results |
| JBEAP-16800 | JCA | TCCL is not set to datasource module in datasource constructor |
| JBEAP-16507 | JCA | JBJCA-1392 - Need to add checkTransaction handling for unwrap connection |
| JBEAP-17549 | JSF | Memory leak in FlashScope - expired elements are not cleared |
| JBEAP-17883 | Logging | Ensure the log manager is set for tests for Eclipse OpenJ9 |
| JBEAP-17607 | MSC | Additional fixes for MSC-245 - ServiceContainerImpl.registry is leaking memory resources |
| JBEAP-17511 | Management | JGroups get modified in a wrong way after cli command |
| JBEAP-16505 | Management | Need to disable console error page by console-enabled |
| JBEAP-16475 | REST | Rest Client fails to convert a single boolean value |
| JBEAP-17580 | REST | RESTEASY-2249 @PostConstruct on @ApplicationScoped bean called too late in case a non public @PostConstruct method is present |
| JBEAP-17711 | Remoting | Introduce alternative queued acceptor to fix XNIO-258 XNIO-286 XNIO-335 XNIO-265 |
| JBEAP-17879 | Scripts | '-Xlog:gc' option is not supported on OpenJDK11 + OpenJ9 |
| JBEAP-17522 | Security | WFLY-12572 / SECURITY-1005 - Improve credential and role group |
| JBEAP-17468 | Security | ELY-1872 - elytron-tool.sh usage with symbolic links |
| JBEAP-17467 | Security | WFLY-12569 - File UploadMultipart does not work when PicketLink SSO is enabled |
| JBEAP-17662 | Web (Undertow) | WFCORE-4699 - preferIPv6Addresses and preferIPv4Stack System Properties are Mishandled in the Config |
| JBEAP-17009 | Web (Undertow) | UNDERTOW-1554 - Improve handling and leniency of bad POST parameters |
| JBEAP-17818 | Web (Undertow) | Undertow http-listener max-connections attribute no longer causes additional connections to be rejected |
| JBEAP-17469 | Web Console | Not able to view log files in admin console if its created via logging-profile |
| JBEAP-17375 | Web Services | WS-Security in combination with MTOM attachments |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.5-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.5-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide.
Notes
- SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user-defined SOAP Handlers. If this happens, the SOAP Handler should be updated to work with SAAJ 1.4; the system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP Handler is being updated. See more details.
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e. bare metal installations on IBM zSeries are not supported.
- The following tools are not in the OpenJ9 image (jboss-eap-7-eap72-openj9-11-openshift-rhel8) compared to the other EAP images delivered for other architectures: ["jcmd", "jinfo", "jstat", "jstatd"].