RHSA-2020:0951: Important: Red Hat Single Sign-On 7.3.7 security update

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.3.7 serves as a replacement for Red Hat Single Sign-On 7.3.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.Security Fix(es): libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205) libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400) JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885) wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330) netty: HTTP request smuggling (CVE-2019-20444) netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP (CVE-2020-1744) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.