Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.1662 Red Hat Single Sign-On 7.3.8 security updates 13 May 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat Single Sign-On 7.3.8 Publisher: Red Hat Operating System: Red Hat Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Existing Account Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-7226 CVE-2020-6950 CVE-2020-1758 CVE-2020-1757 CVE-2020-1724 CVE-2020-1719 CVE-2020-1718 CVE-2020-1695 CVE-2019-17573 CVE-2019-14900 CVE-2019-10174 CVE-2019-10172 CVE-2018-14371 CVE-2016-3720 Reference: ASB-2020.0025 ESB-2020.1660 ESB-2020.1659 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:2113 https://access.redhat.com/errata/RHSA-2020:2112 https://access.redhat.com/errata/RHSA-2020:2108 https://access.redhat.com/errata/RHSA-2020:2107 https://access.redhat.com/errata/RHSA-2020:2106 Comment: This bulletin contains five (5) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Single Sign-On 7.3.8 security update Advisory ID: RHSA-2020:2113-01 Product: Red Hat Single Sign-On Advisory URL: https://access.redhat.com/errata/RHSA-2020:2113 Issue date: 2020-05-12 CVE Names: CVE-2018-14371 CVE-2019-10174 CVE-2020-6950 ===================================================================== 1. Summary: A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This asynchronous patch is a security update for the Undertow package in Red Hat Single Sign-On 7.3.8. Security Fix(es): * infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (CVE-2019-10174) * mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter (CVE-2018-14371) * Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1607709 - CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter 1703469 - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods 1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 5. References: https://access.redhat.com/security/cve/CVE-2018-14371 https://access.redhat.com/security/cve/CVE-2019-10174 https://access.redhat.com/security/cve/CVE-2020-6950 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXrraT9zjgjWX9erEAQgaGQ//ZOD0WL47ABG9jIfNdIoMLPQ+s1wKFzEK W/0QER6bmuF6u/fd/uBXJVcK0KlOUHTYJQGUhFE1JYg63lF5MeS+AY2DGjGekCQV fB9YkNV7CSB1IbK09QCbsqgIVvyEw2Kgj1SnyZbJbNM7NJB1gnkN1CqaEXvxGp8O MTqjtrhwRT9m59ukHpvaAu+XLZ3u5Bx4XE/Q30/ZkNsg6wyHAwSg9cuJir0vUtvN n8qGWVkE2hHAUdcqEnZEeaNsTDmWr0G9F6WeREOlt9zOpQdBRxc+TfzHzCENNc4Q /tUAN5XjPwrOPzriNI1CRvcXe0cFgS/Q3bYsbvP1W1jnzBtV5aVrMewrLeHLieaT Nm/j4EZMIfA8GXgrdQ4wTJTToM3OVW/WkZupO+qF52nNVpGpHoPj0wGNclAYk2NJ NbRj+10YX0UDOGmUKAbDV+hs+VRE0ZyJ8Ie2yKbQ9SjfJJeNtTGthz2PYgurSzNE 7In8IDNftqLpAWL/cyTrgMvNIGW6yvjK+aCCsqp3Uhv7incBb6ITVpVbjCLsXYUH I+J/Eqfk7KENGQCEUKoD1KUFxQLEBMA+Z/2G6w8IA5lSdWrmmjoNJ/0GqdODxlFX sQhtW2UExNb5OMOoSjcfVYwx8r0aE5Y0LPj2kmWH6jgUthV+FlBK1jfa9g3HzSo+ 2sC3EmunJo8==w9MO - -----END PGP SIGNATURE----- - ----------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Single Sign-On 7.3.8 security update Advisory ID: RHSA-2020:2112-01 Product: Red Hat Single Sign-On Advisory URL: https://access.redhat.com/errata/RHSA-2020:2112 Issue date: 2020-05-12 CVE Names: CVE-2019-10172 CVE-2019-14900 CVE-2019-17573 CVE-2020-1695 CVE-2020-1718 CVE-2020-1719 CVE-2020-1724 CVE-2020-1757 CVE-2020-1758 CVE-2020-7226 ===================================================================== 1. Summary: A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.3.8 serves as a replacement for Red Hat Single Sign-On 7.3.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * keycloak: security issue on reset credential flow (CVE-2020-1718) * undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757) * jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172) * hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900) * cxf: reflected XSS in the services listing page (CVE-2019-17573) * resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695) * Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719) * keycloak: improper verification of certificate with host mismatch could result in information disclosure (CVE-2020-1758) * cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226) * keycloak: problem with privacy after user logout (CVE-2020-1724) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM 1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720 1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class 1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass 1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain 1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow 1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page 1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout 1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation 1812514 - CVE-2020-1758 keycloak: improper verification of certificate with host mismatch could result in information disclosure 5. References: https://access.redhat.com/security/cve/CVE-2019-10172 https://access.redhat.com/security/cve/CVE-2019-14900 https://access.redhat.com/security/cve/CVE-2019-17573 https://access.redhat.com/security/cve/CVE-2020-1695 https://access.redhat.com/security/cve/CVE-2020-1718 https://access.redhat.com/security/cve/CVE-2020-1719 https://access.redhat.com/security/cve/CVE-2020-1724 https://access.redhat.com/security/cve/CVE-2020-1757 https://access.redhat.com/security/cve/CVE-2020-1758 https://access.redhat.com/security/cve/CVE-2020-7226 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXrraStzjgjWX9erEAQjGGA/9H+0mP7aNzf3QiX+wiwuKCODpzIctTO18 UvyIux7XIxiatyb65qegnQi307KWyb0hYxNdocnI1m08tz8Lp+qebtkJmJSy3Ngt OgnQXQmFUqw/jjoK00sbYeOOUC+NxPE85yh+ooIsyuvS8WBYuFHBlXlxa029SVc9 igTxQ7GXB1+/Ku8vXBkIsc+YC4t3lGHtUnMZS48fDmyMM0NcDEX+b5kwJXiKrIGm 80j25g1P72Y84DRF2/7c64J/xwwwQrotZ30px1ZmjlclrpPT7XQ2TuFQVxilZh9X F8e/0Gih1rDsRy7Xza5X+bmnT5Cq16nBVR7wnKvFlDk0ITd2OcbqUxCYUrbsfHU4 91oettbysDViIWsPbM91V1NGTHMC070mQsJ/lmwAy9XOHQFalgAWrVIhkvMOH8O9 a/0A0+KsjSOlBYk6f+YzSzzgfRG9oQ4Bc2NADj56B0BSWX/FLajA4JNuijOJNmUd P54fBKKJRQ0w1Td0oQs/DrIwkdMpsz3kRP/c8k+aJNpZ7IDILIPopdpsaCOUGgGn 9UTzdqVAKFPtI4l5iLEI3jB9SvFfSXwDjHDCpw6RlcEYxiKL4TBWW9VCUocAAOz0 2UWHRKVztrtRznKVq9EZ8jkGwK8ybgZpfV1DrcaGCtzzEKoVRd3XTs9ljfrrfnnj ViMG5m2vpXo==aH/+ - -----END PGP SIGNATURE----- - ---------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Single Sign-On 7.3.8 security update on RHEL 8 Advisory ID: RHSA-2020:2108-01 Product: Red Hat Single Sign-On Advisory URL: https://access.redhat.com/errata/RHSA-2020:2108 Issue date: 2020-05-12 CVE Names: CVE-2020-1718 CVE-2020-1724 CVE-2020-1758 ===================================================================== 1. Summary: New Red Hat Single Sign-On 7.3.8 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Single Sign-On 7.3 for RHEL 8 - noarch 3. Description: Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.3.8 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.3.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * keycloak: security issue on reset credential flow (CVE-2020-1718) * keycloak: improper verification of certificate with host mismatch could result in information disclosure (CVE-2020-1758) * keycloak: problem with privacy after user logout (CVE-2020-1724) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow 1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout 1812514 - CVE-2020-1758 keycloak: improper verification of certificate with host mismatch could result in information disclosure 6. JIRA issues fixed (https://issues.jboss.org/): KEYCLOAK-13799 - Create RPMs for the RH-SSO 7.3.8 release for RHEL8 7. Package List: Red Hat Single Sign-On 7.3 for RHEL 8: Source: rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el8sso.src.rpm noarch: rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el8sso.noarch.rpm rh-sso7-keycloak-server-4.8.20-1.Final_redhat_00001.1.el8sso.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2020-1718 https://access.redhat.com/security/cve/CVE-2020-1724 https://access.redhat.com/security/cve/CVE-2020-1758 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXrrRo9zjgjWX9erEAQi+xg//YmyjtTUAB0O3o0E7jUA08dPR7oCmhP5i B6pi2tEwGVFSulV00I9T71QAdhmBtR7WjDlyyqj3KX/wLqXGntQBsYfB6Wi+6DGN jr3XgLgUa3DpTD/rnPHOZ+T0RkeiLK+T3iksBdn6vJhUjH+ati3Tc2v1a6VOmbDA 1SoHj4+3iQydphtkK9J6T76mWNGVlWBvlvFGwkamY0yE+xJX3+AdLrEm4L+5x/px xWhT5HZVkZCA++y2pBlE6ANG9Y4tRHVtDMaXmHBSBJGiTcyFkyoU0r4R/JqeMYSQ BE+thU5wqbfVtDtrTYhMpYOnn/K1wBafTy91RBmk/t309cTGDw/oEiFJ6e/aiDtP 1f2rhAkHUcS1mUhXMyadWZP/Szvfxmh+XCqSP+YB4rdOqOkm55ZMFWjp29lqZsab 8Mjxuai79om2FsCT2Me5o6VkA0/ACyDosn6hChoq2+wd5cThTqwR78vYdt/gj6Hc VfmAtORnAZrfwgqpaKGzmF4fe/8uQIHZthhc8lqY3BkWDERienTB8nk2VlhVborV 2gfMFxxRZaNIAhOZVI6Tnmk1hm0Lg1waj+ATMdTp8Y5P+OT7DFX4E1tpfE9hjk6X KoWRjH0HU6YwVOBfPBIcztNa1aPWuVtE2EIa7RA4G1bpN7FLMH+OttyCH+mDLiEA Z3d0bsyOrQI==O8ah - -----END PGP SIGNATURE----- - ----------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Single Sign-On 7.3.8 security update on RHEL 7 Advisory ID: RHSA-2020:2107-01 Product: Red Hat Single Sign-On Advisory URL: https://access.redhat.com/errata/RHSA-2020:2107 Issue date: 2020-05-12 CVE Names: CVE-2020-1718 CVE-2020-1724 CVE-2020-1758 ===================================================================== 1. Summary: New Red Hat Single Sign-On 7.3.8 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Single Sign-On 7.3 for RHEL 7 Server - noarch 3. Description: Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.3.8 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.3.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * keycloak: security issue on reset credential flow (CVE-2020-1718) * keycloak: improper verification of certificate with host mismatch could result in information disclosure (CVE-2020-1758) * keycloak: problem with privacy after user logout (CVE-2020-1724) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow 1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout 1812514 - CVE-2020-1758 keycloak: improper verification of certificate with host mismatch could result in information disclosure 6. JIRA issues fixed (https://issues.jboss.org/): KEYCLOAK-13798 - Create RPMs for the RH-SSO 7.3.8 release for RHEL7 7. Package List: Red Hat Single Sign-On 7.3 for RHEL 7 Server: Source: rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el7sso.src.rpm noarch: rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el7sso.noarch.rpm rh-sso7-keycloak-server-4.8.20-1.Final_redhat_00001.1.el7sso.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2020-1718 https://access.redhat.com/security/cve/CVE-2020-1724 https://access.redhat.com/security/cve/CVE-2020-1758 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXrrRYtzjgjWX9erEAQiirQ/9GFUny3eLV+Yi1D9VIc7qHuXT0gnF377Y n6zEyAwFEdla3xuabaTzWnhZsuSZiyMk4gyX2JFDZ9Ta0yCCERh4hk/RMuPqyasL zChISSBacpSOTq4kn7o1HxfeMv8KaUvBboB2+PZE3yjtIAkYt5dySoSyxfrQ3epr oLmTZ0pAI777/qEAfr0iFrAP2dCcudGKpb8wz67HqI4s2vxUy9Vdrmyr/ThSrcP7 KAz/WO6PElyp94oc14eKrrPO1YyUnY05FHTQzuii1f4TnuUpF2E/w7XmrXR4YBUy 2be5oQlFAjjPmEfKMofl85Xrz2nvTOgEitfgX+YVZcV8kYcBJdX/sTYPFFP3D5eX 3JcT7mzFIjI8F0vBgPKjsrVHJYcgAVsfTWetNbvYe/zE5oJc1qh1va0xoibYvON+ 3XtmaYn/R2XC9PXRTKwHTBxDfRbVsPaBDiBUnsvKL47sMUkkoSB0LfSMHtwCrkWJ 48yzU2Np/S6ka/Xo8r/V+JRrSJLhQJoOySMutsGI9y+nv6+wBu/6Jdryade2sX+Z BkBad3qtUIdyC8l9JxmIT0R5BJmF4+7zm60ctxsfgUldPoREP+wN4GH4EiKrA4Kn msUA649dPkaEs3T7ejgP8ahp8USUS3rZGUZpiQZZESqbNhCX9p2jV1jNVFsdECWG zOlhRFuo2V0==NGWE - -----END PGP SIGNATURE----- - ----------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Single Sign-On 7.3.8 security update on RHEL 6 Advisory ID: RHSA-2020:2106-01 Product: Red Hat Single Sign-On Advisory URL: https://access.redhat.com/errata/RHSA-2020:2106 Issue date: 2020-05-12 CVE Names: CVE-2020-1718 CVE-2020-1724 CVE-2020-1758 ===================================================================== 1. Summary: New Red Hat Single Sign-On 7.3.8 packages are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Single Sign-On 7.3 for RHEL 6 Server - noarch 3. Description: Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.3.8 on RHEL 6 serves as a replacement for Red Hat Single Sign-On 7.3.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * keycloak: security issue on reset credential flow (CVE-2020-1718) * keycloak: improper verification of certificate with host mismatch could result in information disclosure (CVE-2020-1758) * keycloak: problem with privacy after user logout (CVE-2020-1724) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow 1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout 1812514 - CVE-2020-1758 keycloak: improper verification of certificate with host mismatch could result in information disclosure 6. JIRA issues fixed (https://issues.jboss.org/): KEYCLOAK-13797 - Create RPMs for the RH-SSO 7.3.8 release for RHEL6 7. Package List: Red Hat Single Sign-On 7.3 for RHEL 6 Server: Source: rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el6sso.src.rpm noarch: rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el6sso.noarch.rpm rh-sso7-keycloak-server-4.8.20-1.Final_redhat_00001.1.el6sso.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2020-1718 https://access.redhat.com/security/cve/CVE-2020-1724 https://access.redhat.com/security/cve/CVE-2020-1758 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXrrRntzjgjWX9erEAQgBWRAAnqSzYpDyJMCXsKin1SxPhnRXtDf0Fvw9 b6u32OoXwmbVx/ejhlrAuZt5ykM1kYUkMBaMe3dmNIRlcTe7NFxRJtjw/UURO/Bj 3GLjUX6wgnZKjd13mHmkbnm48A/6lhpuDo2+NdM8aeuWc/USyj2VSbmWp79JqmuV vvNiFXhIFO2IvVfmJJ2BqVfrc53nk61ZUhyXXEW+UspwIQsKHLb7vLxHyz6lGpZO chf3O4zVUKky5dWZuT2w2pDV2I1ROOdVwSntTLmML9Q6IzgGdrWzoQlxMBk4Z+oA Ww8XLGwHJ4E6e0/0SLVb26nwBupRk8CtDaf41rNGIlMysDLcbHMrHkgNUsUKeAzl NlyvzJFxn7mV3NTsfaM8adOu4S6+9J1oWmgNeO54d5i01nJjCTIkLryrjjqzU/v1 xwPIiMMoGaJweKd2tok0NafdXi4gzPvNRmG8IyBpb+FV6H3CHci0WD5vUNwD3qZD 0/S3oCFe87Mcef3fffoKb5cjtZQ4JDWeKBo0znUtbBUwWL7RqpTc9k4b1xgSu2nc IGrWboUtoKO99Fyz7v0jWHD4MSx8in+Jk9zXRZtB/4waAJhRPKkC+Wt5+t80ue+T obRp/nLwopi+yw6y4TbIm1qmshwjhbnK6noewSzcRRmxkR1ngrnWFZrJNnJb9fDF xA5Pov0IYws==Arda - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXrs3cGaOgq3Tt24GAQjOUhAApD5YHl8ij8SEsxMffrE4QGaMhiK5QBVd 3S5mefbV+l+hynTdy1PFIHQqeEEIniwxdgshyTGI0wDvSK+ROXAOP9nSo9PLR+tr b3VENqMDeZAizr0YQEMzh8yRHJ0MBzclysetnr7ngouXJscivojFp9oF+rF+VkfB Ymob/2EyEU/ZOZiAV+vbkIxKNWmdZDWcI7dAWajWtJE7P0746upLs1Ztk3wkmOq1 KRvum2QmAT6Mw8DkMU7GhZkp9rDUT7TVY9jB+6YNmUBz+VR3gJ5+y9RFrex0BoG6 ltasihxq4LIiAXfcnk5AfVSJFol7NmRRWyTsrkhWm01dhIgtck8b57IKuMlXRJfg 2ebHfyihGwLrV0LfR/rwknppfGyXZmLiqE8LR1RZ2MNt2ezhG7MQfpsOGbAnvD7S NQ2DEm5reZvcPh6unCZVNrFgs/Rl9RTcTYA/dc6chBE4KOf6+etP6rNC01/Sl+Jj uDzg05X4ZrmM2ejb9nDdo/Qfix9y0N6XQe9pvjmzR9K8V84Scvu4zgR3STU66WS/ B1Rfctikm1vc7EPrgvY4mb48pnKHVCM87PM9MT3oyMFiE7WDeueayZCwpu8P52Z2 eF1jBqxhAPcSuRjUKN75q6Bu8aZoNvOekqYdsN330Yb/saFpqW3eQyIEVnRp8jQl dnSkGKsKVI8= =Jlk6 -----END PGP SIGNATURE-----