===============================================================================
Maintenance for Sterling External Authentication Server (SEAS)
===============================================================================
 
This maintenance archive includes the last GA release of SEAS 2.4.0 plus fixes
for the issues mentioned below.


===============================================================================
Fixes for SEAS 2.4.0 Patch 3, Build 94 (August 2012)
Full descriptions below.
===============================================================================

  RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.


===============================================================================
Fixes for SEAS 2.4.0 Patch 2, Build 92 (December 2011)
Full descriptions below.
===============================================================================

  QC20062 - Password Change parameters not saved


===============================================================================
Fixes for SEAS 2.4.0 Patch 1, Build 91 (October 2011)

===============================================================================

  QC19229 - Sockets not timing out properly during CRL processing.

  QC19518 - Webstart fails to start with missing Jar file exception


===============================================================================
Detailed Descriptions of Fixes for SEAS
===============================================================================

  QC19229 - Sockets not timing out properly during CRL processing.

      An uncaught exception was causing sockets not to time out properly
      during CRL processing.

      Resolution:  Added code to catch the exception and log it in the trace.

  QC19518 - Webstart fails to start with missing Jar file exception

      Launching the SEAS GUI through webstart gives the error:
         com.sun.deploy.net.FailedDownloadException: Unable to load resource:
             http://servername:9080/lib/thirdparty/help-share.jar

      Resolution:  Corrected the list of jar files in the EA_GUI.jnlp file
      to match what is being shipped. 5 defunct filenames were replaced with
      3 updated ones.

  QC20062 - Password Change parameters not saved

      Password Change parameters were not being saved during a GUI session.

      Resolution:  Corrected code that was turning off the checkbox during
      Change Password processing.


  RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.

      IBM internal research detected that Jetty was vulnerable to a type of
      denial of service (DOS) attack when the number of HTTP header parameters
      was high (in the tens of thousands).

      Resolution:  Implemented the fix from Jetty Eclipse, which enforces a
      maximum of 1000 keys in the HTTP header.  The default can be adjusted
      by adding the following Java system property to the startEngine.sh or
      startCM.sh startup scripts:
         -Dorg.eclipse.jetty.server.Request.maxFormKeys=2000
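
An added illustration of the kind of cap the RTC330660 resolution describes (not IBM's or Jetty's code): a parameter parser that refuses to store more than a configured number of distinct keys, using the property name and the default of 1000 from the text. The class name, the form-encoded input and the exception type are assumptions made for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class BoundedFormParser {
    // Property name and default taken from the fix text; override with -D on the command line.
    static final int MAX_KEYS =
        Integer.getInteger("org.eclipse.jetty.server.Request.maxFormKeys", 1000);

    /** Parses key=value pairs separated by '&', failing once more than maxKeys distinct keys appear. */
    static Map<String, List<String>> parse(String body, int maxKeys) {
        Map<String, List<String>> params = new LinkedHashMap<>();
        int pos = 0;
        while (pos <= body.length()) {
            // Scan pair by pair instead of split() so a huge input is not fully tokenized first.
            int amp = body.indexOf('&', pos);
            if (amp < 0) amp = body.length();
            String pair = body.substring(pos, amp);
            pos = amp + 1;
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            // Check before inserting a new key so the map never grows past the cap.
            if (!params.containsKey(key) && params.size() >= maxKeys) {
                throw new IllegalStateException("more than " + maxKeys + " keys in request");
            }
            params.computeIfAbsent(key, k -> new ArrayList<>()).add(value);
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample input: n distinct keys of the form k0=v&k1=v&...
        for (int n : new int[] {MAX_KEYS, MAX_KEYS + 1}) {
            StringBuilder body = new StringBuilder();
            for (int i = 0; i < n; i++) body.append(i == 0 ? "" : "&").append('k').append(i).append("=v");
            try {
                System.out.println(n + " keys accepted: " + parse(body.toString(), MAX_KEYS).size());
            } catch (IllegalStateException e) {
                System.out.println(n + " keys rejected: " + e.getMessage());
            }
        }
    }
}
```

Repeated values for an existing key do not count against the cap in this sketch; only new distinct keys do.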