Red Hat Single Sign-On 7.5 Update 1 Release Notes
This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.5. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer-reported bugs. Fixes for RH-SSO 7.5 will continue until RH-SSO 7.6 is released, at which time maintenance will be delivered on RH-SSO 7.6.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because the adapters are released only as needed, a given cumulative patch version often will not have an associated client adapter for every product.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.4 Update 1 and Update 2. See the JBoss Enterprise Application Platform 7.4 Update 1 Release Notes and JBoss Enterprise Application Platform 7.4 Update 2 Release Notes for a list of changes included in those releases.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2021-28170 | Server | jakarta.el: jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluated |
| CVE-2021-20289 | Server | resteasy-jaxrs: resteasy: Error message exposes endpoint class information |
| CVE-2021-3827 | Core | keycloak-server-spi-private: ECP SAML binding bypasses authentication flows |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-19843 | Server - Storage | Inconsistent creation of default-roles- |
| KEYCLOAK-19746 | Container - Operator | RH-SSO Operator uses outdated permissions |
| KEYCLOAK-19710 | Distribution - Wildfly | Cannot override modules for Infinispan subsystem in distribution |
| KEYCLOAK-19692 | Container | RH-SSO container fails to start when using Templates using HTTPS and JGroups keystores and a truststore |
| KEYCLOAK-19607 | SAML | AttributeConsumingService Bug in SAML SP metadata |
| KEYCLOAK-19558 | Container | Deploy on dual-stack ocp4.8 fails |
| KEYCLOAK-19552 | Container | reflected XSS on clients-registrations endpoint |
| KEYCLOAK-19420 | Container | Simplify the RHSSO setup in an OpenShift Disconnected cluster |
| KEYCLOAK-19419 | OpenShift Integration | Support OpenShift login using kubeadmin user |
| KEYCLOAK-19243 | SAML | Brokered SAML logins fail due to wrong InResponseTo |
| KEYCLOAK-19241 | OpenShift Integration | Keycloak cannot fetch group claims from openshift |
| KEYCLOAK-19169 | Server | Data migration broken for some MS SQL JDBC drivers |
| KEYCLOAK-19114 | Container - Operator | Default labels needed on realm CR |
| KEYCLOAK-18994 | Server - Storage | deleteExpiredClientSessions very slow on MariaDB |
| KEYCLOAK-15633 | Container, Container - Operator | ability to connect to a postgres db over SSL |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.5 Patching and Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.