Red Hat Single Sign-On 7.4 Update 5 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.4. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.4 will continue until RH-SSO 7.5 is released, and at that time maintenance will be delivered on RH-SSO 7.5.
Updated client adapters are released as needed to resolve customer reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version often will not have an associated client adapter for all products.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.3 Update 5. See the JBoss Enterprise Application Platform 7.3 Update 5 Release Notes for a list of changes included in that release.
Important Notices
Red Hat Single Sign-On has deprecated Internet Explorer as a tested integration. Testing for Internet Explorer will be discontinued and replaced with Microsoft Edge in the next release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2020-27782 | Server | undertow: special character in query results in server errors |
| CVE-2020-25689 | Server | wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller |
| CVE-2020-13956 | Server | httpclient: apache-httpclient: incorrect handling of malformed authority component in request URIs |
| CVE-2020-25640 | Server | wildfly: resource adapter logs plaintext JMS password at warning level on connection error |
| CVE-2020-10770 | Server, Client Adapter | keycloak: Default Client configuration is vulnerable to SSRF using "request_uri" parameter |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-16912 | Container - Operator | Not able to update RH-SSO operator running on OpenShift |
| KEYCLOAK-14310 | OIDC | SimpleHttp garbles multibyte chars |
| KEYCLOAK-16314 | Container - Operator | remove python packages uninstall code from init-container Dockerfile |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.4 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.