MessageWay Web Client Maintenance Release
Maintenance Release Name:
mwweb-6.0.0-mr04-solaris
Release date: March 24, 2020
Prerequisite: MessageWay
6.1.0 mr03 or later, Solaris version 10 or later
Obsoletes Maintenance Releases : mwweb-6.0.0-mr01-solaris
& mwweb-6.0.0-mr02-solaris & mwweb-6.0.0-mr03-solaris.
Files:
This maintenance release contains the files listed below:
Files contained in this Maintenance Release package,
mwweb-6.0.0-mr04-solaris-install.tgz:
|
mwweb-6.0.0-mr04-solaris-install.bin |
Install program |
| MessageWay Web
Client Installation and Configuration.pdf |
Web Client documentation |
|
mwweb-6.0.0-mr04-solaris_readme.html |
This Readme file |
Files changed in previous Hotfixes and rolled into this
Maintenance Release:
|
mwweb-6.0.0.mr03-solaris-install.bin |
Install program |
|
mwweb-6.0.0.mr02-solaris-install.bin |
Install program |
|
mwweb-6.0.0-mr01-solaris-install.bin |
Install program |
Installing the MessageWay Web
Client Maintenance Release:
1) Download the
Maintenance Release install tar file
(mwweb-6.0.0-mr04-solaris-install.tgz).
2) Unzip the mwweb-6.0.0-mr04-solaris-install.tgz file:
gunzip mwweb-6.0.0-mr04-solaris-install.tgz
3) Untar the mwweb-6.0.0-mr04-solaris-install.tar file:
tar -xvf mwweb-6.0.0-mr04-solaris-install.tar
4) Step
3 will automatically create a new subdirectory named
mwweb-6.0.0-mr04-solaris-install.
5) cd to the newly created mwweb-6.0.0-mr04-solaris-install
subdirectory.
6) Review and perform the sections 'Pre-installation
Tasks', 'Uninstall the Web Client' and 'Install
the Web Client' in the MessageWay Web Client
Installation and Configuration.pdf included in this package to
manage the transition to this maintenance release.
INSTALL NOTE: File stylesheet.css changed in MR03, and file httpd.conf changed
in both MR03 & MR04. If you have made any changes to either of these
files, you will need to merge your backed up changes into the MR04 version
of these files (or vice versa).
Regarding stylesheet.css, search for
second_ex to see the new DIV that was added in MR03 to support
displaying of remaining Idle Timeout value.
Regarding httpd.conf,
search for both MR03 & MR04 to see new
Apache security directives added in MR03 & MR04.
( March 24, 2020
) Issues closed in
mwweb-6.0.0-mr04-solaris
IMPORTANT NOTE about Security Updates for this release:
Web Client now includes the Apache HTTP Server 2.4.41 using OpenSSL 1.0.2s (LTS version) and FIPS 2.0.16 releases.
They
address many vulnerabilities that can be
found in the release notes on the Openssl.org site.
Specifically, see the
following link for further details about this release of Apache HTTP Server:
https://httpd.apache.org/security/vulnerabilities_24.html
Specifically, see the
following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of
FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf
MessageWay Web Client
Issue 4189: MWSIProxy stops
uploading and/or downloading messages for no apparent reason. Changes:
This problem has been fixed.
Issue 4442: A PCI security scan shows that
Web Client is vulnerable to Cross-Site Request Forgery. Changes:
This problem has been fixed.
Issue 4443: A PCI security scan
shows that Web Client is vulnerable to HTTP Reverse Proxy Detection
and Apache Server ETag Header Information Disclosure. Changes:
The httpd.conf file has been updated to include multiple Apache directives that resolve these security vulnerabilities.
Issue 4444: Update Web Client to
latest version of Apache to resolve multiple CVE security issues. Changes:
Web Client is now using Apache HTTP Server 2.4.41 using OpenSSL 1.0.2s (LTS
version) and FIPS 2.0.16 releases.
Issue 4460: Certify that Web Client works with the Microsoft Edge
browser. Changes: Web Client has been QA tested to work with
the Microsoft Edge browser.
MessageWay Web Client Documentation
Issue 4429: Documentation still shows
examples of Perform Message Actions access right, which was
deprecated in MessageWay 6.1 MR04. Changes:
This problem has been fixed.
Issue 4430: Documentation does not
properly explain that Web Client's Related Messages function
does not work the same way as MessageWay Manager's Get Related Messages
function. Changes:
This problem has been fixed.
( March 16, 2018 ) Issues closed in
mwweb-6.0.0-mr03-solaris
IMPORTANT NOTE about JAVA versions supported for this release:
Web Client no longer supports JAVA 1.7. If your browser is using
JAVA 1.7, it must be upgraded to use JAVA 1.8.
IMPORTANT NOTE about Security Updates for this release:
Web Client now includes the Apache HTTP Server 2.4.29 using OpenSSL 1.0.2n (LTS version) and FIPS 2.0.16 releases.
They
address many vulnerabilities that can be
found in the release notes on the Openssl.org site.
Specifically, see the
following link for further details about this release of Apache HTTP Server:
https://httpd.apache.org/security/vulnerabilities_24.html
Specifically, see the
following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of
FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf
MessageWay Web Client
Issue 4333: The Upload Message
screen does not reset the Logon Idle timer value, and once Logon Idle timer
value is exceeded, user is not returned back to Logon screen, but is left in an
unresponsive state on the Upload Message screen. Changes:
This problem has been fixed. NOTE: Web Client is now
shipped with the remaining Logon Idle timer value displayed in the top left
corner of most screens, which counts down to zero before returning you to the
Logon screen. If you do not want this value displayed, refer to section 'Enabling or Disabling Remaining Logon Idle Timer Display' in MessageWay
Web Client Installation and Configuration.pdf.
Issue 4336: Web Client incorrectly allows a user
to Cancel a message in a Completed state in the Uploaded tab (list of messages
uploaded by this Web Client user). Changes:
This problem has been fixed.
Issue 4337: Web Client incorrectly
requires you to have Upload Rights on your Default Location in order to upload
to other locations. Changes:
Web Client now follows best practice of requiring only download rights on
Default Location and only upload rights on locations you want to upload to.
Issue 4339: Web Client fails PCI scan
for security vulnerabilities. Changes:
The httpd.conf file has been updated to include multiple Apache directives
intended to resolve these security vulnerabilities.
Issue 4344: Update Web Client to
latest version of Apache to resolve multiple CVE security fixes. Changes:
Web Client is now using Apache HTTP Server 2.4.29 using OpenSSL 1.0.2n (LTS
version) and FIPS 2.0.16 releases.
( December 14, 2016
) Issues closed in
mwweb-6.0.0-mr02-solaris
IMPORTANT NOTE about Security Updates for this release:
Web Client now includes the Apache HTTP Server 2.4.20 using OpenSSL 1.0.2j (LTS version) and FIPS 2.0.12 releases.
They
address many vulnerabilities that can be
found in the release notes on the Openssl.org site.
Specifically, see the
following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html
Specifically, see the following link for further details about this release of
FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf
MessageWay Web Client
Issue 3879: On the Upload Message
screen, Recipient field is not automatically filled in. Changes:
The documentation has been updated to reflect that if you want the Recipient
field to be automatically filled in, you need to specify a Default Recipient for
the Web Client user in the MessageWay User Properties Locations tab using the
Manager.
Issue 3973: Unable to download a
message in NON-JAVA mode using IE8 browser. Changes:
This problem has been fixed.
Issue 3985: MWSIProxy stops working
after multiple file downloads. Changes:
A memory initialization issue was found and fixed.
Issue 4134: Web Client start up script
incorrectly displays 'MessageWay Web Client Mongrel...Stopping'. Changes:
This problem has been fixed.
Issue 4137: Web Client
sessions that run over slow networks and/or with browsers that run on older
systems encounter inconsistent results and loss of connection. Changes:
The default timeouts configured in the Web Client have been increased to 5
minutes. This allows connections to older systems or over slow networks to
be more resilient.
Issue 4138: The following warning is
written to the Apache log file 'error.log': Ignoring deprecated use of
DefaultType in line 398 of httpd.conf. Changes:
This problem has been fixed.
Issue 4154: Web Client JAR signing
certificate (Applet) expires June 01, 2016. Changes:
The new JAR signing certificate will now expire June 01, 2018.
Issue 4233: Regarding the SHR- user
prefix which denotes a shared user within the Web Client, if SHR is used
anywhere within a Web Client user name, then it is considered same as SHR- user
prefix, which is incorrect. Changes:
This problem has been fixed.
Issue 4235: Web Client does not
display correctly using IE 11, version 11.0.34. Changes:
Regarding IE 11, documentation will be updated to say that Web Client only
supports IE 11, version 11.0.35 or later.
Issue 4236: Update Web Client,
including online help and installation guide, to reflect the new Ipswitch
branding format, including color scheme and logos displayed. Changes:
Web Client and all supporting documentation has been updated to reflect the new
One Ipswitch brand format. The previous Ipswitch logos were width 106, the
new Ipswitch logos are now width 154, which may impact custom branding.
Issue 4237: A Web Client user should
only be able to change their own password using the Change Password screen. Changes:
This problem has been fixed.
Issue
4245: A security scan of Web Client listeners reveals
potentially vulnerable protocols. Changes: File httpd-ssl.conf
has been changed to only support TLS V1.2 by default. This file can be
modified to allow other TLS protocols if needed.
Issue 4247: Need to upgrade versions
of Apache, OpenSSL and FIPS shipped with Web Client install. Changes:
Apache is now version 2.4.20 using OpenSSL 1.0.2j with FIPS 2.0.12.
Issue 4258: Update Web Client to use
new MessageWay test certificate. Changes:
This problem has been fixed.
Known issue: The TLS V1.2 only
configuration parameter in mwsi.conf can not be used between the Web Client and
the MessageWay Service Interface (MWSI).
( June 26, 2015 ) Issues closed in
mwweb-6.0.0-mr01-solaris
IMPORTANT NOTE about Security Updates for this release (Issue-4035):
Web Client now includes the Apache HTTP Server 2.4.12 using
OpenSSL 1.0.1m with FIPS 2.0.9 releases.
They address the following higher profile vulnerabilities and many others
that can be found in the release notes on the Apache.org and Openssl.org sites.
CVE-2014-0160, Heartbleed vulnerability, the OpenSSL 0.9.8.ze is not
vulnerable to the issue outlined in this CVE report.
CVE-2014-0224,
SSL/TLS MITM vulnerability, the OpenSSL 0.9.8.ze version contains the updates to
address this vulnerability.
CVE-2014-3566, POODLE
vulnerability, MessageWay no longer supports the SSLv3 protocol for secure
sessions.
CVE-2015-0204, FREAK vulnerability, the OpenSSL
0.9.8.ze version contains the updates to address this vulnerability.
MessageWay Web Client
Issue 650:
Web Client erroneously uploads to default recipient when default location is
manually set as Recipient on Upload page. Changes:
The program now correctly considers the recipient set on the upload page as the
destination.
Issue
2458: Web Client needs to be compatible with File System. Changes:
When a user is associated with the File System, only the Available and Uploaded
tabs are visible. Further enhancements in File System directory navigation
within a File System user directory path will be considered for subsequent versions.
Issue
3061: The Mongrel management port 3000 is accessible and
Web Client login page is displayed on port 3000.. Changes: This problem has been fixed.
Issue
3835: Getting a error saying "Please enter valid
Recipient." when in non-java mode if a location like '<Location
name>', which contains a space, is configured. Changes:
This problem has been fixed.
Issue 3910: Changes made to the
configuration are not being used. Changes: The web client
installer created an additional configuration file:
/opt/messageway/webclient/mwsiproxy/mwsipx.conf. The
/etc/messageway/mwsiproxy.conf file is the one used by the application. The
/opt/messageway/webclient/mwsiproxy/mwsipx.conf. file has been
removed from the install.
Issue 3929: MessageWay Web Client Applet not closing the
uploaded file.
Changes: This problem has been fixed.
Issue
3944:
On the new MessageWay 6.0 login screen, we do not have a ‘Password
Change’ option. The password change option only shows up after a successful
logon, so when the password is expired there seems to be no way for the user to
change their password from the login screen. Changes:
From the logon screen, a user will be prompted to change their password when it
has expired or set to change on next logon.
Issue
3952:
User can logon to web client but cannot change password if “Access
Class” is configured. Changes:
This problem has been fixed.
Issue 3956: Download
a message that has 'Contents Deleted On Complete/Cancel' causes mwsi to crash. Changes: This problem has been fixed.
Issue 3982: The
change password process is not intuitive. Can password rules be added to guide
the user? Changes: The configuration can be updated by
the administrator to reflect the policies defined in MessageWay. This text
will be displayed for the end user on the password change screen.
Issue 3985: MWSIProxy
stopped working while downloading multiple messages. Changes: This problem has been fixed.
Issue 4003: We
would like to configure the failed logon response. Changes: The configuration can be updated by the administrator to
customize the failed logon response. This text will be displayed for the
end user.
Issue 4011: In
Non-Java mode, messages selected to download as text hang and do not complete. Changes: This problem has been fixed.
Issue 4018: Provide
an option to restrict the web client to Non-Java only mode.
Changes: The configuration can be set to restrict the mode of operation
to Non-Java only.
Issue 4019: Recognition
of running in Java mode or Non-Java mode at the browser is not consistent.
Changes: This problem has been fixed.
Issue 4024: Would like the
Non-Java mode file transfer size restriction displayed at the browser. Changes: The file transfer size restrictions are now displayed
when in Non-Java mode.
Issue 4035:
Upgrade the Apache version distributed with Web Client. Changes:
See the 'IMPORTANT NOTE about Security' listed above. ( June 26, 2015
) Issues closed in
MessageWay 6.0.0 hf04 and MessageWay 6.1.0 mr03 to support this maintenance
release.
|
