| MessageWay Web Client Maintenance ReleaseMaintenance Release    Name:     
  mwweb-6.0.0-mr04-linux
 Release   date:     March 24, 2020
 Prerequisite:     MessageWay 
6.1.0 mr03 or later Obsoletes   Maintenance Releases : mwweb-6.0.0-mr01-linux 
& mwweb-6.0.0-mr02-linux & mwweb-6.0.0-mr03-linux. Files: 
  This maintenance release contains the files listed below:    Files contained in this Maintenance Release package, 
  mwweb-6.0.0-mr04-linux-install.tgz: 
	
		| mwweb-6.0.0-mr04-linux-install.bin | Install program |  
		
		| MessageWay Web 
		Client Installation and Configuration.pdf | Web Client documentation |  
		| mwweb-6.0.0-mr04-linux_readme.html | This Readme file |    Files changed in previous Hotfixes and rolled into this 
  Maintenance Release:
 
	
		
		| mwweb-6.0.0.mr03-linux-install.bin | Install program |  
		| mwweb-6.0.0.mr02-linux-install.bin | Install program |  
		| mwweb-6.0.0-mr01-linux-install.bin | Install program |  Installing the MessageWay Web 
	Client Maintenance Release: 1) Download the 
		Maintenance Release install tar file
		(mwweb-6.0.0-mr04-linux-install.tgz).2) Untar the mwweb-6.0.0-mr04-linux-install.tgz file:
		tar -xzvf  mwweb-6.0.0-mr04-linux-install.tgz
 3) Step 
	2 will automatically create a new subdirectory named 
mwweb-6.0.0-mr04-linux-install.
 4) cd to the newly created mwweb-6.0.0-mr04-linux-install
 subdirectory.
 5) Review and perform the sections 'Pre-installation 
		Tasks', 'Uninstall the Web Client' and 'Install 
		the Web Client' in the MessageWay Web Client 
		Installation and Configuration.pdf included in this package to 
		manage the transition to this maintenance release.
 
 INSTALL NOTE: File stylesheet.css changed in MR03, and file httpd.conf changed 
	in both MR03 & MR04.  If you have made any changes to either of these 
	files, you will need to merge your backed up changes into the MR04 version 
	of these files (or vice versa).
 
 Regarding stylesheet.css, search for
	second_ex to see the new DIV that was added in MR03 to support 
	displaying of remaining Idle Timeout value.
 
 Regarding httpd.conf, 
	search for both MR03 & MR04 to see new 
	Apache security directives added in MR03 & MR04.
 ( March 24, 2020
) Issues closed in
mwweb-6.0.0-mr04-linux
  
   IMPORTANT NOTE about Operating System version support for this 
release:Web Client now supports Redhat Enterprise Linux Server 
Release 7.x and SUSE Linux Enterprise Server 12.
 IMPORTANT NOTE about Security Updates for this release:Web Client now includes the Apache HTTP Server 2.4.41 using OpenSSL 1.0.2s (LTS version) and FIPS 2.0.16 releases.
 
 They 
address many vulnerabilities that can be 
found in the release notes on the Openssl.org site.
 
 Specifically, see the 
following link for further details about this release of Apache HTTP Server:
 https://httpd.apache.org/security/vulnerabilities_24.html
 
 Specifically, see the 
following link for further details about this release of OpenSSL:
 https://www.openssl.org/news/openssl-1.0.2-notes.html
 
 Specifically, see the following link for further details about this release of 
FIPS:
 https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf
 
MessageWay Web Client 
 Issue 4189: MWSIProxy stops 
uploading and/or downloading messages for no apparent reason.  Changes: 
This problem has been fixed.
 
 Issue 4442: A PCI security scan shows that 
Web Client is vulnerable to Cross-Site Request Forgery.  Changes: 
This problem has been fixed.
 
 Issue 4443:  A PCI security scan 
shows that Web Client is vulnerable to HTTP Reverse Proxy Detection 
and Apache Server ETag Header Information Disclosure.  Changes: 
The httpd.conf file has been updated to include multiple Apache directives that resolve these security vulnerabilities.
 
 Issue 4444: Update Web Client to 
latest version of Apache to resolve multiple CVE security issues.  Changes: 
Web Client is now using Apache HTTP Server 2.4.41 using OpenSSL 1.0.2s (LTS 
version) and FIPS 2.0.16 releases.
 
 Issue 4460: Certify that Web Client works with the Microsoft Edge 
browser.  Changes: Web Client has been QA tested to work with 
the Microsoft Edge browser.
 
MessageWay Web Client Documentation 
 Issue 4429: Documentation still shows 
examples of Perform Message Actions access right, which was 
deprecated in MessageWay 6.1 MR04.  Changes: 
This problem has been fixed.
 
 Issue 4430: Documentation does not 
properly explain that Web Client's Related Messages function 
does not work the same way as MessageWay Manager's Get Related Messages 
function.  Changes: 
This problem has been fixed.
 ( March 16, 2018
) Issues closed in
mwweb-6.0.0-mr03-linux
  
   IMPORTANT NOTE about JAVA versions supported for this release:Web Client no longer supports JAVA 1.7.  If your browser is using 
JAVA 1.7, it must be upgraded to use JAVA 1.8.
 IMPORTANT NOTE about Security Updates for this release:Web Client now includes the Apache HTTP Server 2.4.29 using OpenSSL 1.0.2n (LTS version) and FIPS 2.0.16 releases.
 
 They 
address many vulnerabilities that can be 
found in the release notes on the Openssl.org site.
 
 Specifically, see the 
following link for further details about this release of Apache HTTP Server:
 https://httpd.apache.org/security/vulnerabilities_24.html
 
 Specifically, see the 
following link for further details about this release of OpenSSL:
 https://www.openssl.org/news/openssl-1.0.2-notes.html
 
 Specifically, see the following link for further details about this release of 
FIPS:
 https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf
 
MessageWay Web Client 
 Issue 4333: The Upload Message 
screen does not reset the Logon Idle timer value, and once Logon Idle timer 
value is exceeded, user is not returned back to Logon screen, but is left in an 
unresponsive state on the Upload Message screen.  Changes: 
This problem has been fixed.  NOTE: Web Client is now 
shipped with the remaining Logon Idle timer value displayed in the top left 
corner of most screens, which counts down to zero before returning you to the 
Logon screen.  If you do not want this value displayed, refer to section 
'Enabling or Disabling Remaining Logon Idle Timer Display' in MessageWay 
Web Client Installation and Configuration.pdf.
 
 Issue 4336: Web Client incorrectly allows a user 
to Cancel a message in a Completed state in the Uploaded tab (list of messages 
uploaded by this Web Client user).  Changes: 
This problem has been fixed.
 
 Issue 4337: Web Client incorrectly 
requires you to have Upload Rights on your Default Location in order to upload 
to other locations.  Changes: 
Web Client now follows best practice of requiring only download rights on 
Default Location and only upload rights on locations you want to upload to.
 
 Issue 4339: Web Client fails PCI scan 
for security vulnerabilities.  Changes: 
The httpd.conf file has been updated to include multiple Apache directives 
intended to resolve these security vulnerabilities.
 
 Issue 4344: Update Web Client to 
latest version of Apache to resolve multiple CVE security issues.  Changes: 
Web Client is now using Apache HTTP Server 2.4.29 using OpenSSL 1.0.2n (LTS 
version) and FIPS 2.0.16 releases.
 ( December 14, 2016
) Issues closed in
mwweb-6.0.0-mr02-linux
  
   IMPORTANT NOTE about Security Updates for this release:Web Client now includes the Apache HTTP Server 2.4.20 using OpenSSL 1.0.2j (LTS version) and FIPS 2.0.12 releases.
 
 They 
address many vulnerabilities that can be 
found in the release notes on the Openssl.org site.
 
 Specifically, see the 
following link for further details about this release of OpenSSL:
 https://www.openssl.org/news/openssl-1.0.2-notes.html
 
 Specifically, see the following link for further details about this release of 
FIPS:
 https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf
 
MessageWay Web Client 
 Issue 3879: On the Upload Message 
screen, Recipient field is not automatically filled in.  Changes: 
The documentation has been updated to reflect that if you want the Recipient 
field to be automatically filled in, you need to specify a Default Recipient for 
the Web Client user in the MessageWay User Properties Locations tab using the 
Manager.
 
 Issue 3973: Unable to download a 
message in NON-JAVA mode using IE8 browser.  Changes: 
This problem has been fixed.
 
 Issue 3985: MWSIProxy stops working 
after multiple file downloads.  Changes: 
A memory initialization issue was found and fixed.
 
 Issue 4134: Web Client start up script 
incorrectly displays 'MessageWay Web Client Mongrel...Stopping'.  Changes: 
This problem has been fixed.
 
 Issue 4137: Web Client 
sessions that run over slow networks and/or with browsers that run on older 
systems encounter inconsistent results and loss of connection.  Changes: 
The  default timeouts configured in the Web Client have been increased to 5 
minutes.  This allows connections to older systems or over slow networks to 
be more resilient.
 
 Issue 4138: The following warning is 
written to the Apache log file 'error.log': Ignoring deprecated use of 
DefaultType in line 398 of httpd.conf.  Changes: 
This problem has been fixed.
 
 Issue 4154: Web Client JAR signing 
certificate (Applet) expires June 01, 2016.  Changes: 
The new JAR signing certificate will now expire June 01, 2018.
 
 Issue 4233: Regarding the SHR- user 
prefix which denotes a shared user within the Web Client, if SHR is used 
anywhere within a Web Client user name, then it is considered same as SHR- user 
prefix, which is incorrect.  Changes: 
This problem has been fixed.
 
 Issue 4235: Web Client does not 
display correctly using IE 11, version 11.0.34.  Changes: 
Regarding IE 11, documentation will be updated to say that Web Client only 
supports IE 11, version 11.0.35 or later.
 
 Issue 4236: Update Web Client, 
including online help and installation guide, to reflect the new Ipswitch 
branding format, including color scheme and logos displayed.  Changes: 
Web Client and all supporting documentation has been updated to reflect the new 
One Ipswitch brand format.  The previous Ipswitch logos were width 106, the 
new Ipswitch logos are now width 154, which may impact custom branding.
 
 Issue 4237: A Web Client user should 
only be able to change their own password using the Change Password screen.  Changes: 
This problem has been fixed.
 
 Issue 4245: A security scan of Web Client 
listeners reveals potentially vulnerable protocols.  Changes: 
File httpd-ssl.conf has been changed to only support TLS version 
1.2 by default.  This file can be modified to allow other TLS protocols if 
needed.
 
 Issue 4247: Need to upgrade versions 
of Apache, OpenSSL and FIPS shipped with Web Client install.  Changes: 
Apache is now version 2.4.20 using OpenSSL 1.0.2j with FIPS 2.0.12.
 
 Issue 4258: Update Web Client to use 
new MessageWay test certificate.  Changes: 
This problem has been fixed.
 ( June 26, 2015
) Issues closed in
mwweb-6.0.0-mr01-linux
  
   IMPORTANT NOTE about Security Updates for this release (Issue-4035):MessageWay Web ClientWeb Client now includes the Apache HTTP Server 2.4.12 using 
OpenSSL 1.0.1m with FIPS 2.0.9 releases.
 
 They address the following higher profile vulnerabilities and many others 
that can be found in the release notes on the Apache.org and Openssl.org sites.
 
 CVE-2014-0160, Heartbleed vulnerability, the OpenSSL 0.9.8.ze is not 
vulnerable to the issue outlined in this CVE report.
 CVE-2014-0224, 
SSL/TLS MITM vulnerability, the OpenSSL 0.9.8.ze version contains the updates to 
address this vulnerability.
 CVE-2014-3566, POODLE 
vulnerability, MessageWay no longer supports the SSLv3 protocol for secure 
sessions.
 CVE-2015-0204, FREAK vulnerability, the OpenSSL 
0.9.8.ze version contains the updates to address this vulnerability.
 
 Issue 650: 
Web Client erroneously uploads to default recipient when default location is 
manually set as Recipient on Upload page.  Changes: 
The program now correctly considers the recipient set on the upload page as the 
destination.
 
 Issue 
2458: Web Client needs to be compatible with File System.  Changes: 
When a user is associated with the File System, only the Available and Uploaded 
tabs are visible.  Further enhancements in File System directory navigation 
within a File System user directory path will be considered for subsequent versions.
 
 Issue 
  3061: The Mongrel management port 3000 is accessible and 
Web Client login page is displayed on port 3000..  Changes: This problem has been fixed.
 
 Issue 
3835: Getting a error saying "Please enter valid
Recipient."  when in non-java mode if a location like '<Location 
name>', which contains a space, is configured.  Changes: 
This problem has been fixed.
 
 Issue 3910: Changes made to the 
configuration are not being used.  Changes: The web client 
installer created an additional configuration file: 
/opt/messageway/webclient/mwsiproxy/mwsipx.conf.  The 
/etc/messageway/mwsiproxy.conf file is the one used by the application.  The 
/opt/messageway/webclient/mwsiproxy/mwsipx.conf. file has been 
removed from the install.
 
 Issue 3929: MessageWay Web Client Applet not closing the 
uploaded file. 
Changes: This problem has been fixed.
 
 Issue 
3944:   
On the new MessageWay 6.0 login screen, we do not have a ‘Password 
Change’ option. The password change option only shows up after a successful 
logon, so when the password is expired there seems to be no way for the user to 
change their password from the login screen.  Changes: 
From the logon screen, a user will be prompted to change their password when it 
has expired or set to change on next logon.
 
 Issue 
3952:  
User can logon to web client but cannot change password if “Access 
Class” is configured.  Changes:  
This problem has been fixed.
 
 Issue 3956: Download 
a message that has 'Contents Deleted On Complete/Cancel' causes mwsi to crash.  Changes: This problem has been fixed.
 
 Issue 3982: The 
change password process is not intuitive.  Can password rules be added to guide 
the user?  Changes: The configuration can be updated by 
the administrator to reflect the policies defined in MessageWay.  This text 
will be displayed for the end user on the password change screen.
 
 Issue 3985: MWSIProxy 
stopped working while downloading multiple messages.  
Changes: This problem has been fixed.
 
 Issue 4003: We 
would like to configure the failed logon response.  Changes: The configuration can be updated by the administrator to 
customize the failed logon response.  This text will be displayed for the 
end user.
 
 Issue 4011: In 
Non-Java mode, messages selected to download as text hang and do not complete.  Changes: This problem has been fixed.
 
 Issue 4018: Provide 
an option to restrict the web client to Non-Java only mode.  
Changes: The configuration can be set to restrict the mode of operation 
to Non-Java only.
 
 Issue 4019: Recognition 
of running in Java mode or Non-Java mode at the browser is not consistent.  
Changes: This problem has been fixed.
 
 Issue 4024: Would like the 
Non-Java mode file transfer size restriction displayed at the browser.  Changes: The file transfer size restrictions are now displayed 
when in Non-Java mode.
 
 Issue 4035: 
Upgrade the Apache version distributed with Web Client.  Changes: 
See the 'IMPORTANT NOTE about Security' listed above.
  ( June 26, 2015
) Issues closed in
MessageWay 6.0.0 hf04 and MessageWay 6.1.0 mr03 to support this maintenance 
release. 
 |