Ipswitch, Inc.
www.ipswitch.com
1-678-287-0700


MessageWay Web Client Maintenance Release

Maintenance Release Name:     mwweb-6.0.0-mr04-solaris

Release date:    March 24, 2020

Prerequisite:     MessageWay 6.1.0 mr03 or later, Solaris version 10 or later

Obsoletes Maintenance Releases: mwweb-6.0.0-mr01-solaris, mwweb-6.0.0-mr02-solaris and mwweb-6.0.0-mr03-solaris.

Files:  This maintenance release contains the files listed below:

  Files contained in this Maintenance Release package,  mwweb-6.0.0-mr04-solaris-install.tgz:

    mwweb-6.0.0-mr04-solaris-install.bin Install program
    MessageWay Web Client Installation and Configuration.pdf Web Client documentation
    mwweb-6.0.0-mr04-solaris_readme.html This Readme file

  Files changed in previous Hotfixes and rolled into this Maintenance Release:
    mwweb-6.0.0.mr03-solaris-install.bin  Install program
    mwweb-6.0.0.mr02-solaris-install.bin  Install program
    mwweb-6.0.0-mr01-solaris-install.bin Install program

Installing the MessageWay Web Client Maintenance Release:

1) Download the Maintenance Release install tar file (mwweb-6.0.0-mr04-solaris-install.tgz).
2) Unzip the mwweb-6.0.0-mr04-solaris-install.tgz file: gunzip mwweb-6.0.0-mr04-solaris-install.tgz
3) Untar the mwweb-6.0.0-mr04-solaris-install.tar file: tar -xvf mwweb-6.0.0-mr04-solaris-install.tar
4) Step 3 will automatically create a new subdirectory named mwweb-6.0.0-mr04-solaris-install.
5) cd to the newly created mwweb-6.0.0-mr04-solaris-install subdirectory.
6) Review and perform the sections 'Pre-installation Tasks', 'Uninstall the Web Client' and 'Install the Web Client' in the MessageWay Web Client Installation and Configuration.pdf included in this package to manage the transition to this maintenance release.

INSTALL NOTE: File stylesheet.css changed in MR03, and file httpd.conf changed in both MR03 & MR04.  If you have made any changes to either of these files, you will need to merge your backed up changes into the MR04 version of these files (or vice versa).

Regarding stylesheet.css, search for second_ex to see the new DIV that was added in MR03 to support displaying of remaining Idle Timeout value.

Regarding httpd.conf, search for both MR03 & MR04 to see new Apache security directives added in MR03 & MR04.
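
A check for the httpd.conf merge described in the install note, as an added example (not Ipswitch code): it lists directives from the MR03/MR04-tagged blocks of the new httpd.conf that a backed-up copy lacks. The block layout (a comment containing MR03 or MR04, then directives, then a blank line), the file names and the sample directives are assumptions; the sample files are constructed and are not the real MR04 contents.

```shell
#!/bin/sh
# Added example, not vendor code. ASSUMPTION: each new block in httpd.conf is a
# comment containing "MR03" or "MR04", then directive lines, then a blank line.

# Normalise a config file: drop comments and blank lines, trim, collapse spaces.
normalise() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { gsub(/^[ \t]+|[ \t]+$/, ""); gsub(/[ \t]+/, " "); print }' "$1"
}

# Print the directives that sit inside MR03/MR04-tagged blocks of file $1.
mr_directives() {
    awk '
        /^[ \t]*#/ && /MR0[34]/ { tagged = 1; next }   # marker comment opens a block
        /^[ \t]*$/              { tagged = 0; next }   # blank line closes it
        tagged && !/^[ \t]*#/   { gsub(/^[ \t]+|[ \t]+$/, ""); gsub(/[ \t]+/, " "); print }
    ' "$1"
}

# Print tagged directives of the new file ($1) that the backup ($2) lacks.
missing_mr_directives() {
    backup_lines=$(normalise "$2")
    mr_directives "$1" | while IFS= read -r d; do
        printf '%s\n' "$backup_lines" | grep -Fqx -- "$d" || printf '%s\n' "$d"
    done
}

# Constructed sample files (hypothetical contents, for demonstration only).
write_samples() {
    cat > "$1/httpd.conf.mr04" <<'EOF'
Listen 443

# MR03: security directives
ServerTokens Prod
TraceEnable  off

# MR04: security directives
FileETag None

DocumentRoot "/example/htdocs"
EOF
    cat > "$1/httpd.conf.backup" <<'EOF'
Listen 8443
ServerTokens Prod
DocumentRoot "/example/custom"
EOF
}

# Stand-alone use: script.sh NEW_HTTPD_CONF BACKUP_HTTPD_CONF
if [ "$#" -eq 2 ]; then missing_mr_directives "$1" "$2"; fi
```

Any line it prints is a directive to carry over before restarting Apache with the merged file. On Solaris 10, put /usr/xpg4/bin first in PATH so the POSIX awk and grep are used.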

( March 24, 2020 ) Issues closed in mwweb-6.0.0-mr04-solaris

IMPORTANT NOTE about Security Updates for this release:
Web Client now includes the Apache HTTP Server 2.4.41 using OpenSSL 1.0.2s (LTS version) and FIPS 2.0.16 releases.

They address many vulnerabilities that can be found in the release notes on the Openssl.org site.

Specifically, see the following link for further details about this release of Apache HTTP Server:
https://httpd.apache.org/security/vulnerabilities_24.html

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay Web Client

Issue 4189:
MWSIProxy stops uploading and/or downloading messages for no apparent reason.  Changes: This problem has been fixed.

Issue 4442: A PCI security scan shows that Web Client is vulnerable to Cross-Site Request Forgery.  Changes: This problem has been fixed.

Issue 4443: A PCI security scan shows that Web Client is vulnerable to HTTP Reverse Proxy Detection and Apache Server ETag Header Information Disclosure.  Changes: The httpd.conf file has been updated to include multiple Apache directives that resolve these security vulnerabilities.

Issue 4444: Update Web Client to latest version of Apache to resolve multiple CVE security issues.  Changes: Web Client is now using Apache HTTP Server 2.4.41 using OpenSSL 1.0.2s (LTS version) and FIPS 2.0.16 releases.

Issue 4460: Certify that Web Client works with the Microsoft Edge browser.  Changes: Web Client has been QA tested to work with the Microsoft Edge browser.

MessageWay Web Client Documentation

Issue 4429: Documentation still shows examples of Perform Message Actions access right, which was deprecated in MessageWay 6.1 MR04.  Changes: This problem has been fixed.

Issue 4430:
Documentation does not properly explain that Web Client's Related Messages function does not work the same way as MessageWay Manager's Get Related Messages function.  Changes: This problem has been fixed.

( March 16, 2018 ) Issues closed in mwweb-6.0.0-mr03-solaris

IMPORTANT NOTE about JAVA versions supported for this release:
Web Client no longer supports JAVA 1.7.  If your browser is using JAVA 1.7, it must be upgraded to use JAVA 1.8.

IMPORTANT NOTE about Security Updates for this release:
Web Client now includes the Apache HTTP Server 2.4.29 using OpenSSL 1.0.2n (LTS version) and FIPS 2.0.16 releases.

They address many vulnerabilities that can be found in the release notes on the Openssl.org site.

Specifically, see the following link for further details about this release of Apache HTTP Server:
https://httpd.apache.org/security/vulnerabilities_24.html

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.16.pdf

MessageWay Web Client

Issue 4333:
The Upload Message screen does not reset the Logon Idle timer value, and once Logon Idle timer value is exceeded, user is not returned back to Logon screen, but is left in an unresponsive state on the Upload Message screen.  Changes: This problem has been fixed.  NOTE: Web Client is now shipped with the remaining Logon Idle timer value displayed in the top left corner of most screens, which counts down to zero before returning you to the Logon screen.  If you do not want this value displayed, refer to section 'Enabling or Disabling Remaining Logon Idle Timer Display' in MessageWay Web Client Installation and Configuration.pdf.

Issue 4336: Web Client incorrectly allows a user to Cancel a message in a Completed state in the Uploaded tab (list of messages uploaded by this Web Client user).  Changes: This problem has been fixed.

Issue 4337: Web Client incorrectly requires you to have Upload Rights on your Default Location in order to upload to other locations.  Changes: Web Client now follows best practice of requiring only download rights on Default Location and only upload rights on locations you want to upload to.

Issue 4339: Web Client fails PCI scan for security vulnerabilities.  Changes: The httpd.conf file has been updated to include multiple Apache directives intended to resolve these security vulnerabilities.

Issue 4344: Update Web Client to latest version of Apache to resolve multiple CVE security fixes.  Changes: Web Client is now using Apache HTTP Server 2.4.29 using OpenSSL 1.0.2n (LTS version) and FIPS 2.0.16 releases.

( December 14, 2016 ) Issues closed in mwweb-6.0.0-mr02-solaris

IMPORTANT NOTE about Security Updates for this release:
Web Client now includes the Apache HTTP Server 2.4.20 using OpenSSL 1.0.2j (LTS version) and FIPS 2.0.12 releases.

They address many vulnerabilities that can be found in the release notes on the Openssl.org site.

Specifically, see the following link for further details about this release of OpenSSL:
https://www.openssl.org/news/openssl-1.0.2-notes.html

Specifically, see the following link for further details about this release of FIPS:
https://www.openssl.org/docs/fips/SecurityPolicy-2.0.12.pdf

MessageWay Web Client

Issue 3879:
On the Upload Message screen, Recipient field is not automatically filled in.  Changes: The documentation has been updated to reflect that if you want the Recipient field to be automatically filled in, you need to specify a Default Recipient for the Web Client user in the MessageWay User Properties Locations tab using the Manager.

Issue 3973: Unable to download a message in NON-JAVA mode using IE8 browser.  Changes: This problem has been fixed.

Issue 3985: MWSIProxy stops working after multiple file downloads.  Changes: A memory initialization issue was found and fixed.

Issue 4134: Web Client start up script incorrectly displays 'MessageWay Web Client Mongrel...Stopping'.  Changes: This problem has been fixed.

Issue 4137: Web Client sessions that run over slow networks and/or with browsers that run on older systems encounter inconsistent results and loss of connection.  Changes: The default timeouts configured in the Web Client have been increased to 5 minutes.  This allows connections to older systems or over slow networks to be more resilient.

Issue 4138: The following warning is written to the Apache log file 'error.log': Ignoring deprecated use of DefaultType in line 398 of httpd.conf.  Changes: This problem has been fixed.

Issue 4154: Web Client JAR signing certificate (Applet) expires June 01, 2016.  Changes: The new JAR signing certificate will now expire June 01, 2018.

Issue 4233: Regarding the SHR- user prefix which denotes a shared user within the Web Client, if SHR is used anywhere within a Web Client user name, then it is considered same as SHR- user prefix, which is incorrect.  Changes: This problem has been fixed.

Issue 4235: Web Client does not display correctly using IE 11, version 11.0.34.  Changes: Regarding IE 11, documentation will be updated to say that Web Client only supports IE 11, version 11.0.35 or later.

Issue 4236: Update Web Client, including online help and installation guide, to reflect the new Ipswitch branding format, including color scheme and logos displayed.  Changes: Web Client and all supporting documentation have been updated to reflect the new One Ipswitch brand format.  The previous Ipswitch logos were width 106, the new Ipswitch logos are now width 154, which may impact custom branding.

Issue 4237: A Web Client user should only be able to change their own password using the Change Password screen.  Changes: This problem has been fixed.

Issue 4245: A security scan of Web Client listeners reveals potentially vulnerable protocols.  Changes: File httpd-ssl.conf has been changed to only support TLS V1.2 by default.  This file can be modified to allow other TLS protocols if needed.

Issue 4247: Need to upgrade versions of Apache, OpenSSL and FIPS shipped with Web Client install.  Changes: Apache is now version 2.4.20 using OpenSSL 1.0.2j with FIPS 2.0.12.

Issue 4258: Update Web Client to use new MessageWay test certificate.  Changes: This problem has been fixed.

Known issue: The TLS V1.2 only configuration parameter in mwsi.conf cannot be used between the Web Client and the MessageWay Service Interface (MWSI).

( June 26, 2015 ) Issues closed in mwweb-6.0.0-mr01-solaris

IMPORTANT NOTE about Security Updates for this release (Issue-4035):
Web Client now includes the Apache HTTP Server 2.4.12 using OpenSSL 1.0.1m with FIPS 2.0.9 releases.

They address the following higher profile vulnerabilities and many others that can be found in the release notes on the Apache.org and Openssl.org sites.

CVE-2014-0160, Heartbleed vulnerability, the OpenSSL 0.9.8.ze is not vulnerable to the issue outlined in this CVE report.
CVE-2014-0224, SSL/TLS MITM vulnerability, the OpenSSL 0.9.8.ze version contains the updates to address this vulnerability.
CVE-2014-3566, POODLE vulnerability, MessageWay no longer supports the SSLv3 protocol for secure sessions.
CVE-2015-0204, FREAK vulnerability, the OpenSSL 0.9.8.ze version contains the updates to address this vulnerability.

MessageWay Web Client

Issue 650:
Web Client erroneously uploads to default recipient when default location is manually set as Recipient on Upload page.  Changes: The program now correctly considers the recipient set on the upload page as the destination.

Issue 2458: Web Client needs to be compatible with File System.  Changes: When a user is associated with the File System, only the Available and Uploaded tabs are visible.  Further enhancements in File System directory navigation within a File System user directory path will be considered for subsequent versions.

Issue 3061: The Mongrel management port 3000 is accessible and Web Client login page is displayed on port 3000.  Changes: This problem has been fixed.

Issue 3835: Getting an error saying "Please enter valid Recipient." when in non-java mode if a location like '<Location name>', which contains a space, is configured.  Changes: This problem has been fixed.

Issue 3910:
Changes made to the configuration are not being used.  Changes: The web client installer created an additional configuration file: /opt/messageway/webclient/mwsiproxy/mwsipx.conf.  The /etc/messageway/mwsiproxy.conf file is the one used by the application.  The /opt/messageway/webclient/mwsiproxy/mwsipx.conf file has been removed from the install.

Issue 3929:
MessageWay Web Client Applet not closing the uploaded file.  Changes: This problem has been fixed.

Issue 3944:
On the new MessageWay 6.0 login screen, we do not have a ‘Password Change’ option. The password change option only shows up after a successful logon, so when the password is expired there seems to be no way for the user to change their password from the login screen.  Changes: From the logon screen, a user will be prompted to change their password when it has expired or is set to change on next logon.

Issue 3952:
User can logon to web client but cannot change password if “Access Class” is configured.  Changes: This problem has been fixed.

Issue 3956:
 Download a message that has 'Contents Deleted On Complete/Cancel' causes mwsi to crash.  Changes: This problem has been fixed. 

Issue 3982: 
The change password process is not intuitive.  Can password rules be added to guide the user?  Changes: The configuration can be updated by the administrator to reflect the policies defined in MessageWay.  This text will be displayed for the end user on the password change screen.

Issue 3985: 
MWSIProxy stopped working while downloading multiple messages.  Changes: This problem has been fixed.

Issue 4003: 
We would like to configure the failed logon response.  Changes: The configuration can be updated by the administrator to customize the failed logon response.  This text will be displayed for the end user.

Issue 4011:
 In Non-Java mode, messages selected to download as text hang and do not complete.  Changes: This problem has been fixed.

Issue 4018: 
Provide an option to restrict the web client to Non-Java only mode.  Changes: The configuration can be set to restrict the mode of operation to Non-Java only.

Issue 4019: 
Recognition of running in Java mode or Non-Java mode at the browser is not consistent.  Changes: This problem has been fixed.

Issue 4024: 
Would like the Non-Java mode file transfer size restriction displayed at the browser.  Changes: The file transfer size restrictions are now displayed when in Non-Java mode.

Issue 4035:
Upgrade the Apache version distributed with Web Client.  Changes: See the 'IMPORTANT NOTE about Security' listed above.

 ( June 26, 2015 ) Issues closed in MessageWay 6.0.0 hf04 and MessageWay 6.1.0 mr03 to support this maintenance release. 


MessageWay 6.0.0 hf04 and MessageWay 6.1.0 mr03:


Issue 3931:
Line ending characters not changing to the native platform values for text mode uploads via Web Client 6.0.  Changes: This problem has been fixed.

Issue 3933: Users are not restricted to access MessageWay using “Access Class” via Web Client 6.0.  Changes: This problem has been fixed.

Issue 3959: When uploading a message via Web Client 6.0, the location name entered in the Recipient: field must be entered in same case as defined in MessageWay or message payload is put in wrong place and not able to be viewed, processed or downloaded.  Changes: This problem has been fixed.

Issue 3964: Trailing line ending character being incorrectly removed for text mode uploads via Web Client 6.0 when no line ending conversion is required.  Changes: This problem has been fixed.

Issue 3966:
Web Client 6.0 does not populate Output Name attribute in Manager when a message is downloaded.  Changes: Output Name now gets set to the remote name specified during the download.

Issue 3969:
Web Client 6.0 incorrectly displays 'Password Change Failure' dialog box when in fact the password was successfully changed in MessageWay.  Changes: This problem has been fixed.

MessageWay 6.1.0 mr03 only:

Issue 3916:
Web Client 6.0 does not work with file system hierarchy in MWay 6.1.  Changes: When a user is associated with the File System, available messages will be listed and messages can be uploaded and downloaded.  Navigation issues within a File System user directory path will be addressed in later versions.

Issue 3926:
Web Client 6.0 does not behave the same way as MWFTPD Server when a duplicate file name is uploaded to the file system hierarchy added in MWay 6.1.  Changes: If a second file with the same name is uploaded to a file system hierarchy location, the first file will be canceled and the second file will be accepted for upload.
 
