Skip to content

Commit 7439312

Browse files
Merge pull request #4991 from OpenLiberty/26.0.0.7-post
Update 26.0.0.7-post into draft
2 parents 18eae09 + 752d09e commit 7439312

1 file changed

Lines changed: 298 additions & 0 deletions

File tree

posts/2026-07-14-26.0.0.7.adoc

Lines changed: 298 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,298 @@
1+
---
2+
layout: post
3+
title: "Logged-Out SSO Cookie Tracking, mpHealth REST Endpoint Controls, and more in 26.0.0.7"
4+
# Do NOT change the categories section
5+
categories: blog
6+
author_picture: https://avatars3.githubusercontent.com/navaneethsnair1
7+
author_github: https://github.com/navaneethsnair1
8+
seo-title: Logged-Out SSO Cookie Tracking, mpHealth REST Endpoint Controls, and more in 26.0.0.7 - OpenLiberty.io
9+
seo-description: This release enables logged-out SSO cookie tracking by default to prevent cookie replay after logout and adds an option to disable mpHealth REST endpoints when file-based health checks are enabled.
10+
blog_description: This release enables logged-out SSO cookie tracking by default to prevent cookie replay after logout and adds an option to disable mpHealth REST endpoints when file-based health checks are enabled.
11+
open-graph-image: https://openliberty.io/img/twitter_card.jpg
12+
open-graph-image-alt: Open Liberty Logo
13+
---
14+
= Logged-Out SSO Cookie Tracking, mpHealth REST Endpoint Controls, and more in 26.0.0.7
15+
Navaneeth S Nair <https://github.com/navaneethsnair1>
16+
:imagesdir: /
17+
:url-prefix:
18+
:url-about: /
19+
//Blank line here is necessary before starting the body of the post.
20+
21+
This release enables logged-out SSO cookie tracking by default to prevent cookie replay after logout and adds an option to disable mpHealth REST endpoints when file-based health checks are enabled.
22+
23+
// // // // // // // //
24+
// In the preceding section:
25+
// Do not insert any blank lines between any of the lines.
26+
// Do not remove or edit the variables on the lines beneath the author name.
27+
//
28+
// "open-graph-image" is set to OL logo. Whenever possible update this to a more appropriate/specific image (For example if present a image that is being used in the post). However, it
29+
// can be left empty which will set it to the default
30+
//
31+
// "open-graph-image-alt" is a description of what is in the image (not a caption). When changing "open-graph-image" to
32+
// a custom picture, you must provide a custom string for "open-graph-image-alt".
33+
//
34+
// Replace TITLE with the blog post title eg: MicroProfile 3.3 is now available on Open Liberty 20.0.0.4
35+
// Replace GITHUB_USERNAME with your GitHub username eg: lauracowen
36+
// Replace DESCRIPTION with a short summary (~60 words) of the release (a more succinct version of the first paragraph of the post).
37+
// Replace AUTHOR_NAME with your name as you'd like it to be displayed, eg: Laura Cowen
38+
//
39+
// Example post: 2020-04-09-microprofile-3-3-open-liberty-20004.adoc
40+
//
41+
// If adding image into the post add :
42+
// -------------------------
43+
// [.img_border_light]
44+
// image::img/blog/FILE_NAME[IMAGE CAPTION ,width=70%,align="center"]
45+
// -------------------------
46+
// "[.img_border_light]" = This adds a faint grey border around the image to make its edges sharper. Use it around screenshots but not
47+
// around diagrams. Then double check how it looks.
48+
// There is also a "[.img_border_dark]" class which tends to work best with screenshots that are taken on dark
49+
// backgrounds.
50+
// Change "FILE_NAME" to the name of the image file. Also make sure to put the image into the right folder which is: img/blog
51+
// change the "IMAGE CAPTION" to a couple words of what the image is
52+
// // // // // // // //
53+
54+
In link:{url-about}[Open Liberty] 26.0.0.7:
55+
56+
* <<cookie_cache, Tracking Logged-Out SSO Cookies Enabled by Default>>
57+
* <<mpHealth_4_0, Disabling mpHealth-4.0 REST endpoints when file-based health checks are enabled>>
58+
* <<CVEs, Security Vulnerability (CVE) Fixes>>
59+
* <<bugs, Notable bug fixes>>
60+
61+
62+
// // // // // // // //
63+
// If there were updates to guides since last release, keep the following, otherwise remove section.
64+
// // // // // // // //
65+
Along with the new features and functions added to the runtime, we’ve also made <<guides, updates to our guides>>.
66+
67+
// // // // // // // //
68+
// In the preceding section:
69+
// Replace the TAG_X with a short label for the feature in lower-case, eg: mp3
70+
// Replace the FEATURE_1_HEADING with heading the feature section, eg: MicroProfile 3.3
71+
// Where the updates are grouped as sub-headings under a single heading
72+
// (eg all the features in a MicroProfile release), provide sub-entries in the list;
73+
// eg replace SUB_TAG_1 with mpr, and SUB_FEATURE_1_HEADING with
74+
// Easily determine HTTP headers on outgoing requests (MicroProfile Rest Client 1.4)
75+
// // // // // // // //
76+
77+
View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26007+label%3A%22release+bug%22[26.0.0.7].
78+
79+
Check out link:{url-prefix}/blog/?search=release&search!=beta[previous Open Liberty GA release blog posts].
80+
81+
82+
[#run]
83+
84+
// // // // // // // //
85+
// LINKS
86+
//
87+
// OpenLiberty.io site links:
88+
// link:{url-prefix}/guides/maven-intro.html[Maven]
89+
//
90+
// Off-site links:
91+
//link:https://openapi-generator.tech/docs/installation#jar[Download Instructions]
92+
//
93+
// IMAGES
94+
//
95+
// Place images in ./img/blog/
96+
// Use the syntax:
97+
// image::/img/blog/log4j-rhocp-diagrams/current-problem.png[Logging problem diagram,width=70%,align="center"]
98+
// // // // // // // //
99+
100+
== Develop and run your apps using 26.0.0.7
101+
102+
If you're using link:{url-prefix}/guides/maven-intro.html[Maven], include the following in your `pom.xml` file:
103+
104+
[source,xml]
105+
----
106+
<plugin>
107+
<groupId>io.openliberty.tools</groupId>
108+
<artifactId>liberty-maven-plugin</artifactId>
109+
<version>3.12.0</version>
110+
</plugin>
111+
----
112+
113+
Or for link:{url-prefix}/guides/gradle-intro.html[Gradle], include the following in your `build.gradle` file:
114+
115+
[source,gradle]
116+
----
117+
buildscript {
118+
repositories {
119+
mavenCentral()
120+
}
121+
dependencies {
122+
classpath 'io.openliberty.tools:liberty-gradle-plugin:4.0.0'
123+
}
124+
}
125+
apply plugin: 'liberty'
126+
----
127+
// // // // // // // //
128+
// In the preceding section:
129+
// Replace the Maven `3.11.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-maven-plugin
130+
// Replace the Gradle `3.9.5` with the latest version of the plugin: https://search.maven.org/artifact/io.openliberty.tools/liberty-gradle-plugin
131+
// TODO: Update GHA to automatically do the above. If the maven.org is problematic, then could fallback to using the GH Releases for the plugins
132+
// // // // // // // //
133+
134+
Or if you're using link:{url-prefix}/docs/latest/container-images.html[container images]:
135+
136+
[source]
137+
----
138+
FROM icr.io/appcafe/open-liberty
139+
----
140+
141+
Or take a look at our link:{url-prefix}/start/[Downloads page].
142+
143+
If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE.
144+
145+
[link=https://stackoverflow.com/tags/open-liberty]
146+
image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="center"]
147+
148+
[#cookie_cache]
149+
== Tracking Logged-Out SSO Cookies Enabled by Default
150+
To continuously improve built-in security for applications, Open Liberty 26.0.0.7 now enables the tracking of logged-out Single Sign-On (SSO) cookies by default. With this feature, logged-out SSO cookies can no longer be replayed after logout.
151+
152+
=== What is the potential impact?
153+
When a logged-out SSO cookie is replayed, the user is now explicitly prompted to reauthenticate. This helps harden security.
154+
155+
Tracking logged-out SSO Cookies can still be disabled with the following server configuration:
156+
157+
[source,xml]
158+
----
159+
<webAppSecurity trackLoggedOutSSOCookies="false"/>
160+
----
161+
162+
For more information, check out the Tracking Logged-Out SSO Cookies link:https://openliberty.io/docs/latest/track-loggedout-sso.html[documentation].
163+
164+
165+
// // // // DO NOT MODIFY THIS COMMENT BLOCK <GHA-BLOG-TOPIC> // // // //
166+
// Blog issue: https://github.com/OpenLiberty/open-liberty/issues/34987
167+
// Contact/Reviewer: pgunapal
168+
// // // // // // // //
169+
[#mpHealth_4_0]
170+
== Disabling mpHealth-4.0 REST endpoints when file-based health checks are enabled
171+
172+
The mpHealth-4.0 feature enables support for MicroProfile Health 4.0 in Open Liberty. The feature also includes a file-based health check mechanism as an alternative to the `/health` REST endpoints. When the file-based health check mechanism is enabled, you can now disable the `/health/started`, `/health/live`, and `/health/ready` REST endpoints using server configuration attributes.
173+
174+
Previously, when file-based health checks were enabled, the REST-based MicroProfile Health endpoints were still registered and accessible. This behavior was often redundant for Kubernetes deployments that rely on file-based health checks, where users typically configure probes using the `exec` strategy rather than `httpGet` or `gRPC`. In these scenarios, the REST health endpoints are not used.
175+
176+
To address this redundancy, this release introduces a new optional `mpHealth` server configuration attribute that allows REST health endpoints to be disabled when file-based health checks are enabled.
177+
178+
The `mpHealth-4.0` feature adds a new optional `enableEndpoints="false"` attribute to the `mpHealth` server configuration element in `server.xml` file. An equivalent environment variable, `MP_HEALTH_ENABLE_ENDPOINTS=false`, is also supported.
179+
180+
When this option is set to `false` and file-based health checks are enabled, the server does not register or expose the MicroProfile Health REST endpoints (`/health, /health/live, /health/ready, /health/started`). Requests to these endpoints return '404 Not Found' response.
181+
182+
File-based health checks can be enabled with the `checkInterval` configuration attribute or the `MP_HEALTH_CHECK_INTERVAL` environment variable.
183+
184+
If both the environment variable and `server.xml` file configuration are specified, the `server.xml` setting takes precedence at runtime.
185+
186+
[source,xml]
187+
----
188+
<server>
189+
<featureManager>
190+
<feature>mpHealth-4.0</feature>
191+
</featureManager>
192+
193+
<!-- Enable file-based health checks but disable HTTP endpoints -->
194+
<mpHealth startupCheckInterval="1s" checkInterval="5s" enableEndpoints="false" />
195+
...
196+
</server>
197+
----
198+
199+
If either the `enableEndpoints` configuration attribute or the `MP_HEALTH_ENABLE_ENDPOINTS` environment variable is not set, the default value is `true`, and the health check REST endpoints are enabled and exposed.
200+
201+
*Note*: This capability is supported only when the file‑based health check mechanism is enabled. If file-based health checks are not enabled and the new `enableEndpoints` configuration attribute or environment variable is specified, a warning message is logged. The REST health endpoints remain enabled by default.
202+
203+
For more information, see the link:{url-prefix}/docs/latest/health-check-microservices.html[documentation].
204+
205+
// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>
206+
207+
[#CVEs]
208+
== Security vulnerability (CVE) fixes in this release
209+
[cols="5*"]
210+
|===
211+
|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes
212+
213+
|link:https://www.cve.org/CVERecord?id=CVE-2026-8646[CVE-2026-8646]
214+
|8.1
215+
|HTTP request smuggling
216+
|17.0.0.3-26.0.0.6
217+
|Affects the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, and websocket-2.2 features
218+
219+
|link:https://www.cve.org/CVERecord?id=CVE-2026-9320[CVE-2026-9320]
220+
|5.9
221+
|Denial of service
222+
|17.0.0.3-26.0.0.6
223+
|Affects the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, and websocket-2.2 features
224+
225+
|link:https://www.cve.org/CVERecord?id=CVE-2026-9071[CVE-2026-9071]
226+
|7.1
227+
|Denial of service
228+
|17.0.0.3-26.0.0.6
229+
|Affects servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0, servlet-6.0, servlet-6.1, websocket-1.0, websocket-1.1, websocket-2.0, websocket-2.1, and websocket-2.2 features
230+
231+
|link:https://www.cve.org/CVERecord?id=CVE-2026-42402[CVE-2026-42402]
232+
|7.5
233+
|Denial of service
234+
|17.0.0.3-26.0.0.6
235+
|Affects jaxws-2.2, xmlWS-3.0, and xmlWS-4.0 features
236+
237+
|link:https://www.cve.org/CVERecord?id=CVE-2026-42403[CVE-2026-42403]
238+
|7.5
239+
|Denial of service
240+
|17.0.0.3-26.0.0.6
241+
|Affects jaxws-2.2, xmlWS-3.0, and xmlWS-4.0 features
242+
243+
|link:https://www.cve.org/CVERecord?id=CVE-2026-42404[CVE-2026-42404]
244+
|7.2
245+
|Server-Side Request Forgery
246+
|17.0.0.3-26.0.0.6
247+
|Affects jaxws-2.2, xmlWS-3.0, and xmlWS-4.0 features
248+
249+
|link:https://www.cve.org/CVERecord?id=CVE-2026-11806[CVE-2026-11806]
250+
|7.2
251+
|HTTP request smuggling
252+
|17.0.0.3-26.0.0.6
253+
|Affects restConnector-2.0 feature
254+
255+
|link:https://www.cve.org/CVERecord?id=CVE-2026-11541[CVE-2026-11541]
256+
|7.4
257+
|HTTP request smuggling
258+
|17.0.0.3-26.0.0.6
259+
|
260+
261+
|===
262+
// // // // // // // //
263+
// In the preceding section:
264+
// If there were any CVEs addressed in this release, fill out the table. For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc. If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz.
265+
// Note: When linking to features, use the
266+
// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and
267+
// NOT what security-vulnerabilities.adoc does (someFeature-1.0)
268+
//
269+
// If there are no CVEs fixed in this release, replace the table with:
270+
// "There are no security vulnerability fixes in Open Liberty [26.0.0.7]."
271+
// // // // // // // //
272+
For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].
273+
274+
275+
[#bugs]
276+
== Notable bugs fixed in this release
277+
278+
279+
We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26007+label%3A%22release+bug%22[full list of bugs fixed in 26.0.0.7].
280+
281+
* link:https://github.com/OpenLiberty/open-liberty/issues/35179[PathUtils.normalize() skips collapsing ".." after "${"-prefixed segment]
282+
* link:https://github.com/OpenLiberty/open-liberty/issues/35121[Create server: WARNING: A restricted method in java.lang.System has been called]
283+
* link:http://github.com/OpenLiberty/open-liberty/issues/35112["featureUtility installServerFeatures" stopped working on 26.0.0.6 when FEATURE_REPO_URL is specified]
284+
285+
// // // // // // // //
286+
// In the preceding section:
287+
// For this section ask either Michal Broz or Tom Evans or the #openliberty-release-blog channel for Notable bug fixes in this release.
288+
// Present them as a list in the order as provided, linking to the issue and providing a short description of the bug and the resolution.
289+
// If the issue on Github is missing any information, leave a comment in the issue along the lines of:
290+
// "@[issue_owner(s)] please update the description of this `release bug` using the [bug report template](https://github.com/OpenLiberty/open-liberty/issues/new?assignees=&labels=release+bug&template=bug_report.md&title=)"
291+
// Feel free to message the owner(s) directly as well, especially if no action has been taken by them.
292+
// For inspiration about how to write this section look at previous blogs e.g- 20.0.0.10 or 21.0.0.12 (https://openliberty.io/blog/2021/11/26/jakarta-ee-9.1.html#bugs)
293+
// // // // // // // //
294+
295+
296+
== Get Open Liberty 26.0.0.7 now
297+
298+
Available through <<run,Maven, Gradle, Docker, and as a downloadable archive>>.

0 commit comments

Comments
 (0)