JBoss Enterprise Application Platform 7.2 Update 5 Release Notes
In order to better meet customer expectations, micro releases for JBoss EAP 7 have been discontinued and replaced with updates delivered on a repeating schedule.
Each new update will contain a number of bug fixes for customer reported issues and potentially a number of security fixes. We expect that the updates will substantially reduce the number of individual patches that we produce and that customers must manage to keep their installations up to date.
For more information see the following Red Hat Knowledgebase articles: Maintenance Release Changes in EAP 6.2+ and Updated Patch Management with EAP 6.2+
This update includes all fixes and changes from JBoss Enterprise Application Platform 7.2 Update 04
Download JBoss Enterprise Application Platform 7.2 Update 5
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2019-9515 | Management | HTTP/2: flood using SETTINGS frames results in unbounded memory growth |
| CVE-2019-14843 | Security Manager | wildfly-security-manager: security manager authorization bypass |
| CVE-2019-9512 | Management | HTTP/2: flood using PING frames results in unbounded memory growth |
| CVE-2019-14838 | Management | Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default |
| CVE-2019-9511 | Management | HTTP/2: large amount of data requests leads to denial of service |
| CVE-2019-9514 | Management | HTTP/2: flood using HEADERS frames results in unbounded memory growth:wq |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| JBEAP-17532 | HHH-13611 Restore EntityMetamodel constructor to take SessionFactoryImplementor argument instead of PersisterCreationContext. | |
| JBEAP-17372 | RESTEASY-2027 - PatchMethodFilter doesn't handle request of MediaType application/json-patch+json if MediaType have argument | |
| JBEAP-17125 | RESTEASY-2281 - PatchMethodFilter not using provided ObjectMapper | |
| JBEAP-17222 | resteasy-jaxrs is missing dependency to microprofile-config-api | |
| JBEAP-17152 | CLI | jboss-cli.sh does not error on invalid options such as --controler |
| JBEAP-15985 | Clustering | NullPointerException in processing EJB request at shutdown |
| JBEAP-17412 | Concurrency Utilities | ManagedExecutorService keeping references on undeploy/deploy |
| JBEAP-17458 | EJB | Timely topology changes can defer expiration of distributed SFSB |
| JBEAP-17269 | EJB | WFLY-12321 - Use a single non-cancelling task per bean manager for tracking passivation expiration |
| JBEAP-17721 | EJB | EJB/JNDI over HTTP-Invoker Throws CommunicationException instead of AuthenticationException [details] |
| JBEAP-16940 | EJB | Out of specification: Singleton EJB is allowed to implement SessionBean interface. [details] |
| JBEAP-17376 | EJB | Single action timer is not triggered automatically after a DB outage, requires server restart |
| JBEAP-17086 | EJB | UNDERTOW-1580 - Improve EJB over HTTPS logging |
| JBEAP-17270 | EJB | WFLY-12322 - Avoid redispatching to a worker the ejb call if it is async (at AssociationImpl) |
| JBEAP-17164 | Generic JMS RA | WFLY-12415 - Complete message object visible in ERROR at org.jboss.resource.adapter.jms.inflow.JmsServerSession |
| JBEAP-17471 | Hibernate | HHH-13592 AutoFlushEvent#isFlushRequired is always false |
| JBEAP-17525 | Hibernate | HHH-13607 Exception thrown while flushing uninitialized enhanced proxy with immutable natural ID |
| JBEAP-17485 | Hibernate | HHH-12968 Persist fails when using JOINED Inheritance with batch_size > 1 and legacy ID generation [details] |
| JBEAP-17418 | Hibernate | HHH-13586: ClassCastException when using a single region name for both entity and query results [details] |
| JBEAP-16800 | JCA | TCCL is not set to datasource module in datasource constructor |
| JBEAP-16507 | JCA | JBJCA-1392 - Need to add checkTransaction handling for unwrap connection |
| JBEAP-17549 | JSF | Memory leak in FlashScope - expired elements are not cleared |
| JBEAP-17883 | Logging | Ensure the log manager is set for tests for Eclipse OpenJ9 |
| JBEAP-17607 | MSC | Additional fixes for MSC-245 - ServiceContainerImpl.registry is leaking memory resources |
| JBEAP-17511 | Management | JGroups get modified in a wrong way after cli command |
| JBEAP-16505 | Management | Need to disable console error page by console-enabled |
| JBEAP-16475 | REST | Rest Client fails to convert a single boolean value |
| JBEAP-17580 | REST | RESTEASY-2249 @PostConstruct on @ApplicationScoped bean called too late in case a non public @PostConstruct method is present |
| JBEAP-17711 | Remoting | Introduce alternative queued acceptor to fix XNIO-258 XNIO-286 XNIO-335 XNIO-265 [details] |
| JBEAP-17879 | Scripts | '-Xlog:gc' option is not supported on OpenJDK11 + OpenJ9 |
| JBEAP-17522 | Security | WFLY-12572 / SECURITY-1005 - Improve credential and role group |
| JBEAP-17468 | Security | ELY-1872 - elytron-tool.sh usage with symbolic links |
| JBEAP-17467 | Security | WFLY-12569 - File UploadMultipart does not work when PicketLink SSO is enabled |
| JBEAP-17662 | Web (Undertow) | WFCORE-4699 - preferIPv6Addresses and preferIPv4Stack System Properties are Mishandled in the Config [details] |
| JBEAP-17009 | Web (Undertow) | UNDERTOW-1554 - Improve handling and leniency of bad POST parameters |
| JBEAP-17818 | Web (Undertow) | Undertow http-listener max-connections attribute no longer causes additional connections to be rejected |
| JBEAP-17469 | Web Console | Not able to view log files in admin console if its created via logging-profile |
| JBEAP-17375 | Web Services | WS-Security in combination with MTOM attachments |
Installation
Note: This update should only be applied to installer or zip-based installations.
To apply this update using the CLI on Unix-based systems, run the following command from JBOSS_HOME:
bin/jboss-cli.sh "patch apply path/to/jboss-eap-7.2.5-patch.zip"
To apply this update using the CLI on Windows-based systems, run the following command from JBOSS_HOME:
bin\jboss-cli.bat "patch apply path\to\jboss-eap-7.2.5-patch.zip"
These commands will apply the update to the installation that contains the CLI script. Other scenarios and use of the management console are covered in the JBoss EAP 7.2 Patching And Upgrading Guide
Notes
-
SAAJ 1.3 is deprecated in JBoss EAP 7.2. SAAJ 1.4 will be the default in JBoss EAP 7.3 and may cause issues in user defined SOAP Handlers, if this happens the SOAP Handler should be updated to work with SAAJ 1.4 and the system property -Djboss.saaj.api.version=1.3 can be set to restore the SAAJ 1.3 behavior while the SOAP Handler is being updated, see more details.
-
The EAP natives for s390x platform (IBM zSeries) are only supported in the OpenShift environment on IBM zSeries, i.e bare metal installations on IBM zSeries are not supported.
- The following tools are not in the OpenJ9 image (jboss-eap-7-eap72-openj9-11-openshift-rhel8) compared to the other EAP images delivered for other architectures: ["jcmd", "jinfo", "jstat", "jstatd"].
Comments