===============================================================================
Maintenance for Sterling External Authentication Server (SEAS)
===============================================================================

This maintenance archive includes the last GA release of SEAS 2.4.1.0 plus
fixes for the issues listed below.

===============================================================================
Fixes for SEAS 2.4.1.0 Patch 1, Build 54 (August 2012)
Full descriptions below.
===============================================================================

RTC330660 - Jetty PSIRT Advisory 258 - Fix for DoS hashmap attack.

===============================================================================
Detailed Descriptions of Fixes for SEAS
===============================================================================

RTC330660 - Jetty PSIRT Advisory 258 - Fix for DoS hashmap attack.

IBM internal research found that Jetty was vulnerable to a denial of service
(DoS) attack when the number of HTTP header parameters in a request was high
(in the tens of thousands).

Resolution: Implemented the fix from Eclipse Jetty, which enforces a maximum
of 1000 keys in the HTTP header. The default can be adjusted by adding the
following Java system property to the startEngine.sh or startCM.sh startup
script:

    -Dorg.eclipse.jetty.server.Request.maxFormKeys=2000
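The mitigation above is a hard cap on the number of parameters a request may carry, checked before the parser builds a large hash table. The following is an added illustration of that class of fix in Python; it is not SEAS or Jetty code. Only the default of 1000 is taken from the notes; the function names, the exception and the constructed bodies are assumptions made for this example.

```python
"""Added example (not SEAS or Jetty code): a form-body decoder that enforces
a maximum key count, the same kind of limit Jetty applies via maxFormKeys.
DEFAULT_MAX_FORM_KEYS mirrors the 1000 default from the release notes; all
other names and the sample inputs are constructed for this example."""
from urllib.parse import unquote_plus

DEFAULT_MAX_FORM_KEYS = 1000


class TooManyFormKeys(ValueError):
    """Raised when a body carries more keys than the configured limit."""


def parse_form(body, max_keys=DEFAULT_MAX_FORM_KEYS):
    """Decode application/x-www-form-urlencoded text into {key: [values]}.

    Every key=value pair counts against the limit (repeated keys count each
    time), and the check runs before the pair is inserted, so an oversized
    request is rejected without ever growing the dict to the size that a
    collision-heavy payload is designed to make expensive.
    """
    params = {}
    count = 0
    for pair in body.split("&"):
        if not pair:
            continue
        count += 1
        if count > max_keys:
            raise TooManyFormKeys("form has more than %d keys" % max_keys)
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def build_body(n):
    """Constructed test input: n distinct keys k0 .. k(n-1)."""
    return "&".join("k%d=v" % i for i in range(n))


if __name__ == "__main__":
    print(len(parse_form(build_body(1000))))  # accepted: within the default
    try:
        parse_form(build_body(1001))
    except TooManyFormKeys as exc:
        print("rejected:", exc)
    # Raising the limit, as the -D property does for Jetty, admits the body.
    print(len(parse_form(build_body(1500), max_keys=2000)))
```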