In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer-reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
Note: JBoss EAP 7.2 CP6 contains some bug fixes that did not make it into EAP 7.3 GA. It is recommended that you wait for EAP 7.3 CP1, when it will be back in sync, before updating.
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 05.
This update includes fixes for the following security related issues:
|CVE-2019-14893||REST||jackson-databind: Serialization gadgets in classes of the xalan package|
|CVE-2019-16335||REST||jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource|
|CVE-2019-14540||REST||jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig|
|CVE-2019-14892||REST||jackson-databind: Serialization gadgets in classes of the commons-configuration package|
|CVE-2019-16942||REST||jackson-databind: Serialization gadgets in classes of the commons-dbcp package|
|CVE-2019-16943||REST||jackson-databind: Serialization gadgets in classes of the p6spy package|
|CVE-2019-17531||REST||jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution|
|CVE-2019-14885||Logging||jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command|
|CVE-2019-17267||REST||jackson-databind: Serialization gadgets in classes of the ehcache package|
|CVE-2019-14888||Web (Undertow)||undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS|
|CVE-2019-16869||JMS||netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers|
|CVE-2019-10219||Server||hibernate-validator: safeHTML validator allows XSS|
This update includes the following bug fixes or changes:
|JBEAP-17535||HAL-1632 - RBAC: Deployment button not available for server group scoped role.|
|JBEAP-17875||UNDERTOW-1612 - Can't add more than one cookie with the same name and path but different domain|
|JBEAP-17387||WFCORE-4603 - Replace Deployment --runtime-name option not working|
|JBEAP-17944||Batch||undeploy and shutdown hang by JdbcRepository error|
|JBEAP-16974||CDI / Weld||WELD-2583 - Intercepted subclass should skip methods that have private/package private method params from different packages|
|JBEAP-17802||CDI / Weld||WELD-2600 - Property inside beans.xml is not parsed using spec-descriptor-property-replacement on JBoss|
|JBEAP-17758||Clustering||Session passivation event can deadlock if it attempts write operations on a session|
|JBEAP-17933||EJB||WFTC-78 - XA file registry does not delete records when prepare reports READ ONLY|
|JBEAP-17344||EJB||EJBCLIENT-343 - EJB invocation will not stay local if the application is deployed local and the Remote interface is used|
|JBEAP-17615||EJB||EJBCLIENT-351 - XNIO-348 - Enhance XNIO error logging for RemoteEJBReceiver|
|JBEAP-17612||EJB||WEJBHTTP-29 - WildFlyClientInputStream hangs on close|
|JBEAP-17896||Hibernate||HHH-13698 Hibernate does not recognize MySQL 8 error code 3572 as PessimisticLockException|
|JBEAP-17840||Hibernate||HHH-13307 On release of batch it still contained JDBC statements using JTA|
|JBEAP-17617||Hibernate||HHH-13633 HHH-13634 HHH-13640 HHH-13653 Enhancement-as-proxy initialization bugs|
|JBEAP-17285||JCA||org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer does not like a "*" leading property value|
|JBEAP-15226||JMS||XA recovery warnings when server reloaded|
|JBEAP-17815||JMX||WAR deployment fails due to NPE when both MBean and persistence-unit are packaged|
|JBEAP-17807||JPA / Hibernate||WFLY-12596 Hibernate bytecode transformer needs to pass classloader into ASM ClassWriter for super classes that are in a different classloader|
|JBEAP-17904||JPA / Hibernate||WFLY-12699 add test that reproduces stack overflow and remove use of COMPUTE_FRAMES to avoid (ASM) recomputing stackmap frames|
|JBEAP-17856||JSF||Flash Scope is not cleared when JSF1095 is occurred|
|JBEAP-17339||JSF||Mojarra 4553 - Resoures#encodeAll doesn't work anymore since 2.3.x|
|JBEAP-17681||JSF||WFLY-12563 - org.jboss.jbossfaces.WAR_BUNDLES_JSF_IMPL flag ignored when WARs are embedded in EAR|
|JBEAP-17497||OpenShift||[eap72-openjdk11-openshift-rhel8, eapcd-openshift-rhel8, eap73-openjdk11-openshift-rhel8] Change in behaviour of DEFAULT_JOB_REPOSITORY environment variable|
|JBEAP-17301||OpenShift||[eap72-openjdk11-openshift-rhel8, eapcd-openshift-rhel8, eap73-openjdk11-openshift-rhel8] Change in behaviour of TIMER_SERVICE_DATA_STORE environment variable|
|JBEAP-18414||RPM||RPM contains file which isn't at zip|
|JBEAP-17754||Security||ModuleClassLoaderLocator$CombinedClassLoader created for every request when using default module|
|JBEAP-17829||Security||WFLY-12705 - File upload fails with IllegalStateException when PicketLink SSO is enabled.|
|JBEAP-16712||Server||WFCORE-4475 - jboss-deployment-structure.xml with fails to parse when annotations=true on a sub-deployment module|
|JBEAP-6729||Web (Undertow)||Cannot create two hosts with unspecified default web module in Undertow|
|JBEAP-17682||Web (Undertow)||Http requests failed with ISPN000299 after redirect and session invalidation|
|JBEAP-17500||Web (Undertow)||UNDERTOW-1589 - 500 response code still sent if large JSP include is nested within custom tag|
|JBEAP-17601||Web (Undertow)||UNDERTOW-1595 - NullPointerException can happen on a range request for a static content|
|JBEAP-17763||Web (Undertow)||UNDERTOW-1598 - Bug in CachedResource range request handling|
|JBEAP-17768||Web (Undertow)||UNDERTOW-1599 - access-log does not output the original query string after the servlet request is forwarded with new query strings|
|JBEAP-17775||Web (Undertow)||XNIO-353 - WARN message for rejected connections over Undertow max-connections limit|
|JBEAP-17813||Web Console||Error when maintaining Datasources & Drivers via Console|
|JBEAP-17576||Web Console||Failed to read WS endpoint runtime data at Management Console|
|JBEAP-17782||Web Console||HAL-1639 - EAP 7.2 console does not display destination list, if the messaging server name is in caps|
|JBEAP-17577||Web Services||CXF-8105 - introduce a property for JMS transport client to decide reset JMS connection or not when client timeout|
|JBEAP-17618||Web Services||CXF-8118 - CXF LoggingInInterceptor, CachedWriter leaks|
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.6-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.6-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide.
SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user-defined SOAP Handlers. If this happens, the SOAP Handler should be updated to work with SAAJ 1.4; the system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP Handler is being updated.
The EAP natives for the s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e., bare-metal installations on IBM zSeries are not supported.