JBoss Enterprise Application Platform 8.1 Update 6.1 Release Notes

Updated

In order to better meet customer expectations, micro releases for JBoss EAP 8 have been discontinued and replaced with updates delivered on a repeating schedule.

Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.

This update includes all fixes and changes from JBoss Enterprise Application Platform 8.1 Update 6

Download This content is not included.JBoss Enterprise Application Platform 8.1 Update 6.1

This update includes fixes for the following security related issues:

IDComponentImpactSummary
CVE-2026-28369ServerImportantundertow-core: Undertow: Request Smuggling via Malformed HTTP Request Headers [eap-8.1.z]
CVE-2026-1605ServerImportantjetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests [eap-8.1.z]
CVE-2026-28367ServerImportantundertow-core: Undertow: Request smuggling via \r\r\r as a header block terminator [eap-8.1.z]
CVE-2026-28368ServerImportantundertow-core: Undertow: Request smuggling via inconsistent header parsing [eap-8.1.z]

This update includes the following bug fixes or changes:

IDComponentSummary
This content is not included.JBEAP-32599ClusteringDATAGRID 8.6.0: ISPN000374: No such template 'org.infinispan.DIST_SYNC'
This content is not included.JBEAP-32341ClusteringNode.getSocketAddress() always returns null
This content is not included.JBEAP-32308JDRjdr.sh fails to start embedded server when Elytron encrypted expressions is used in system-properties [details]
This content is not included.JBEAP-33277UndertowNoSuchMethodError: io/undertow/servlet/api/ServletSessionConfig.setSecure
This content is not included.JBEAP-33177UndertowThis content is not included.UNDERTOW-2763 - As per RFC9112 reason-phrase is optional in HTTP 1.1 responses
This content is not included.JBEAP-30645UndertowThis content is not included.UNDERTOW-2545 - AJP write-timeout can be calculated incorrectly, leading to erroneous write-timeout
This content is not included.JBEAP-30995UndertowThis content is not included.UNDERTOW-2611 - Ensure max-request-size of a Multipart servlet can override a listener max-post-size
This content is not included.JBEAP-31419UndertowThis content is not included.UNDERTOW-2616 - request.getParts should throw unwrapped IOException
This content is not included.JBEAP-32265UndertowThis content is not included.UNDERTOW-2659 - remove unnecessary exception wrapping in MultiPart

Installation

Archive / zip / installer based installations

Note: This update zip should only be applied to installer or zip-based installations.

See the documentation: JBoss EAP 8.1 update methods

RPM installations

See the documentation: Updating an RPM installation

OpenShift Container installations

Update the containers to use the latest tag., to be current on OpenJDK and RHEL fixes.

Notes

Category
Components
Article Type