JBoss Enterprise Application Platform 7.2 Update 6 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer-reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+
Note: JBoss EAP 7.2 CP6 contains some bug fixes that did not make it into EAP 7.3 GA; it is recommended that you wait for EAP 7.3 CP1, when the two will be back in sync, before updating.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 05.
Download: JBoss Enterprise Application Platform 7.2 Update 6
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2019-14893 | REST | jackson-databind: Serialization gadgets in classes of the xalan package |
| CVE-2019-16335 | REST | jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource |
| CVE-2019-14540 | REST | jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig |
| CVE-2019-14892 | REST | jackson-databind: Serialization gadgets in classes of the commons-configuration package |
| CVE-2019-16942 | REST | jackson-databind: Serialization gadgets in classes of the commons-dbcp package |
| CVE-2019-16943 | REST | jackson-databind: Serialization gadgets in classes of the p6spy package |
| CVE-2019-17531 | REST | jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution |
| CVE-2019-14885 | Logging | jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command |
| CVE-2019-17267 | REST | jackson-databind: Serialization gadgets in classes of the ehcache package |
| CVE-2019-14888 | Web (Undertow) | undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS |
| CVE-2019-16869 | JMS | netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers |
| CVE-2019-10219 | Server | hibernate-validator: safeHTML validator allows XSS |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-17535 | | HAL-1632 - RBAC: Deployment button not available for server group scoped role. |
| JBEAP-17875 | | UNDERTOW-1612 - Can't add more than one cookie with the same name and path but different domain |
| JBEAP-17387 | | WFCORE-4603 - Replace Deployment --runtime-name option not working |
| JBEAP-17944 | Batch | undeploy and shutdown hang by JdbcRepository error |
| JBEAP-16974 | CDI / Weld | WELD-2583 - Intercepted subclass should skip methods that have private/package private method params from different packages |
| JBEAP-17802 | CDI / Weld | WELD-2600 - Property inside beans.xml is not parsed using spec-descriptor-property-replacement on JBoss |
| JBEAP-17758 | Clustering | Session passivation event can deadlock if it attempts write operations on a session |
| JBEAP-17933 | EJB | WFTC-78 - XA file registry does not delete records when prepare reports READ ONLY |
| JBEAP-17344 | EJB | EJBCLIENT-343 - EJB invocation will not stay local if the application is deployed local and the Remote interface is used |
| JBEAP-17615 | EJB | EJBCLIENT-351 - XNIO-348 - Enhance XNIO error logging for RemoteEJBReceiver |
| JBEAP-17612 | EJB | WEJBHTTP-29 - WildFlyClientInputStream hangs on close |
| JBEAP-17896 | Hibernate | HHH-13698 Hibernate does not recognize MySQL 8 error code 3572 as PessimisticLockException |
| JBEAP-17840 | Hibernate | HHH-13307 On release of batch it still contained JDBC statements using JTA |
| JBEAP-17617 | Hibernate | HHH-13633 HHH-13634 HHH-13640 HHH-13653 Enhancement-as-proxy initialization bugs |
| JBEAP-17285 | JCA | org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer does not like a "*" leading property value |
| JBEAP-15226 | JMS | XA recovery warnings when server reloaded |
| JBEAP-17815 | JMX | WAR deployment fails due to NPE when both MBean and persistence-unit are packaged |
| JBEAP-17807 | JPA / Hibernate | WFLY-12596 Hibernate bytecode transformer needs to pass classloader into ASM ClassWriter for super classes that are in a different classloader |
| JBEAP-17904 | JPA / Hibernate | WFLY-12699 add test that reproduces stack overflow and remove use of COMPUTE_FRAMES to avoid (ASM) recomputing stackmap frames |
| JBEAP-17856 | JSF | Flash Scope is not cleared when JSF1095 is occurred |
| JBEAP-17339 | JSF | Mojarra 4553 - Resoures#encodeAll doesn't work anymore since 2.3.x |
| JBEAP-17681 | JSF | WFLY-12563 - org.jboss.jbossfaces.WAR_BUNDLES_JSF_IMPL flag ignored when WARs are embedded in EAR |
| JBEAP-17497 | OpenShift | [eap72-openjdk11-openshift-rhel8, eapcd-openshift-rhel8, eap73-openjdk11-openshift-rhel8] Change in behaviour of DEFAULT_JOB_REPOSITORY environment variable |
| JBEAP-17301 | OpenShift | [eap72-openjdk11-openshift-rhel8, eapcd-openshift-rhel8, eap73-openjdk11-openshift-rhel8] Change in behaviour of TIMER_SERVICE_DATA_STORE environment variable |
| JBEAP-18414 | RPM | RPM contains file which isn't at zip |
| JBEAP-17754 | Security | ModuleClassLoaderLocator$CombinedClassLoader created for every request when using default module |
| JBEAP-17829 | Security | WFLY-12705 - File upload fails with IllegalStateException when PicketLink SSO is enabled. |
| JBEAP-16712 | Server | WFCORE-4475 - jboss-deployment-structure.xml with fails to parse when annotations=true on a sub-deployment module |
| JBEAP-6729 | Web (Undertow) | Cannot create two hosts with unspecified default web module in Undertow |
| JBEAP-17682 | Web (Undertow) | Http requests failed with ISPN000299 after redirect and session invalidation |
| JBEAP-17500 | Web (Undertow) | UNDERTOW-1589 - 500 response code still sent if large JSP include is nested within custom tag |
| JBEAP-17601 | Web (Undertow) | UNDERTOW-1595 - NullPointerException can happen on a range request for a static content |
| JBEAP-17763 | Web (Undertow) | UNDERTOW-1598 - Bug in CachedResource range request handling |
| JBEAP-17768 | Web (Undertow) | UNDERTOW-1599 - access-log does not output the original query string after the servlet request is forwarded with new query strings |
| JBEAP-17775 | Web (Undertow) | XNIO-353 - WARN message for rejected connections over Undertow max-connections limit |
| JBEAP-17813 | Web Console | Error when maintaining Datasources & Drivers via Console |
| JBEAP-17576 | Web Console | Failed to read WS endpoint runtime data at Management Console |
| JBEAP-17782 | Web Console | HAL-1639 - EAP 7.2 console does not display destination list, if the messaging server name is in caps |
| JBEAP-17577 | Web Services | CXF-8105 - introduce a property for JMS transport client to decide reset JMS connection or not when client timeout |
| JBEAP-17618 | Web Services | CXF-8118 - CXF LoggingInInterceptor, CachedWriter leaks |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.6-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.6-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide.
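As an added example (not part of these release notes or of the product), a POSIX shell wrapper around the Unix-based command above that checks the downloaded archive before handing it to jboss-cli, stops on a failed apply instead of continuing, and then confirms the result with the CLI's `patch info` command. The standard JBOSS_HOME layout (bin/jboss-cli.sh) and the availability of `patch info` are assumptions.

```shell
#!/bin/sh
# Added example, not from the release notes: a wrapper around the
# "patch apply" CLI step for installer or zip-based installations.
# Assumptions: the standard layout JBOSS_HOME/bin/jboss-cli.sh, and the
# CLI's "patch info" command for post-apply verification.
set -u

# Refuse to hand a missing, unreadable or non-zip file to the CLI.
# Returns 1 when unreadable, 2 when the file is not a zip archive.
check_patch_archive() {
  f=$1
  [ -r "$f" ] || { echo "patch archive not readable: $f" >&2; return 1; }
  # A zip archive starts with the two-byte local-file-header magic "PK".
  [ "$(head -c 2 "$f" 2>/dev/null)" = "PK" ] || { echo "not a zip archive: $f" >&2; return 2; }
  return 0
}

# Build the exact CLI invocation for a given installation and archive,
# so the command can be logged or reviewed before it runs.
patch_apply_command() {
  printf '%s/bin/jboss-cli.sh "patch apply %s"\n' "$1" "$2"
}

# Apply the update to the installation at $1 and confirm the result.
# A non-zero exit from "patch apply" aborts instead of being ignored,
# and "patch info" afterwards shows the patch now recorded as active.
apply_update() {
  home=$1; zip=$2
  check_patch_archive "$zip" || return $?
  "$home/bin/jboss-cli.sh" "patch apply $zip" || { echo "patch apply failed for $zip" >&2; return 3; }
  "$home/bin/jboss-cli.sh" "patch info"
}

# Usage: JBOSS_HOME=/opt/jboss-eap-7.2 sh apply-update.sh path/to/jboss-eap-7.2.6-patch.zip
if [ -n "${1:-}" ]; then
  apply_update "${JBOSS_HOME:?set JBOSS_HOME to the EAP 7.2 installation}" "$1"
fi
```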
Notes
- SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user-defined SOAP handlers. If this happens, the SOAP handler should be updated to work with SAAJ 1.4; the system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP handler is being updated (see more details).
- The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e., bare-metal installations on IBM zSeries are not supported.