Red Hat Single Sign-On 7.6 Update 5 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.5. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.5 will continue until RH-SSO 7.6 is released, and at that time maintenance will be delivered on RH-SSO 7.6.
Updated client adapters are released as needed to resolve customer reported issues or security fixes. Because the adapters are released only as needed, a given cumulative patch version often will not have an associated client adapter for every product.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.4 Update 12. See the JBoss Enterprise Application Platform 7.4 Update 12 Release Notes for a list of changes included in that release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2021-46877 | Server | jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode |
| CVE-2023-3223 | Server | undertow: OutOfMemoryError due to @MultipartConfig handling |
| CVE-2023-1436 | Server | jettison: Uncontrolled Recursion in JSONArray |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| RHSSO-2310 | Protocol - OIDC | The redirect URI cannot be verified during logout in the case when the client was removed |
| RHSSO-2364 | Distribution | After the RH SSO Operator upgrade to 7.6.2 ('rhsso-operator.7.6.2-opr-001'), the Liveness and Readiness Probes are failing in FIPS (disabled) environments |
| RHSSO-2440 | Server | Getting expired refresh token when using different client session expiry |
| RHSSO-2462 | Server | Regression related to redirect URL with port 80 |
| RHSSO-2546 | Integration - SSSD | SSSD users with capitals in the email cannot log in to RH-SSO |
| RHSSO-2524 | Server | OTP base32 decode improvements |
| RHSSO-2655 | Server | rhsso pod is unable to start when using the ocp4.x template |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.6 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.