===============================================================================
Maintenance for Sterling External Authentication Server (SEAS)
===============================================================================

This maintenance archive includes the last GA release of SEAS 2.4.0 plus fixes
for the issues listed below.

=================================================================
Fixes for SEAS 2.4.04 Patch 4, Build 94 (December 2012)
=================================================================
RTC336420/IC85514 - Fast wakeup condition detected
RTC346206/IC86440 - Syntax error in configuration allows users to be
                    authenticated with an invalid password
RTC348461/IC86820 - Use 64-bit JRE on Solaris
RTC349165/IC86628 - CRL checking fails after JRE upgrade

===============================================================================
Fixes for SEAS 2.4.0 Patch 3, Build 93 (August 2012)
Full descriptions below.
===============================================================================
RTC330660 - Jetty PSIRT Advisory 258 - Fix for DoS Hashmap attack

===============================================================================
Fixes for SEAS 2.4.0 Patch 2, Build 92 (December 2011)
Full descriptions below.
===============================================================================
QC20062 - Password Change parameters not saved

===============================================================================
Fixes for SEAS 2.4.0 Patch 1, Build 91 (October 2011)
===============================================================================
QC19229 - Sockets not timing out properly during CRL processing
QC19518 - Webstart fails to start with missing Jar file exception

===============================================================================
Detailed Descriptions of Fixes for SEAS
===============================================================================

QC19229 - Sockets not timing out properly during CRL processing
  An uncaught exception was causing sockets not to time out properly during
  CRL processing.
  Resolution: Added code to catch the exception and log it in the trace.

QC19518 - Webstart fails to start with missing Jar file exception
  Launching the SEAS GUI through Webstart gives the error:
    com.sun.deploy.net.FailedDownloadException: Unable to load resource:
    http://servername:9080/lib/thirdparty/help-share.jar
  Resolution: Corrected the list of jar files in the EA_GUI.jnlp file to
  match what is being shipped. Five defunct file names were replaced with
  three updated ones.

QC20062 - Password Change parameters not saved
  Password Change parameters were not being saved during a GUI session.
  Resolution: Corrected code that was turning off the checkbox during
  Change Password processing.

RTC330660 - Jetty PSIRT Advisory 258 - Fix for DoS Hashmap attack
  IBM internal research detected that Jetty was vulnerable to a type of
  denial-of-service (DoS) attack when the number of HTTP header parameters
  was high (in the tens of thousands).
  Resolution: Implemented the fix from Eclipse Jetty, which enforces a
  maximum of 1000 keys in the HTTP header. The default can be adjusted by
  adding the following Java system property to the startEngine.sh or
  startCM.sh startup script (here raising the limit to 2000):
    -Dorg.eclipse.jetty.server.Request.maxFormKeys=2000
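The RTC330660 fix above works by bounding how many parameters a request may carry before the server ever builds the hash table that the collision attack targets. The following Python block is an added illustration of that mitigation, not code from SEAS, IBM or Eclipse Jetty: it parses a form-encoded body and rejects it as soon as the key count exceeds a configurable ceiling (default 1000, matching the limit the fix enforces), so the check happens before any key is inserted. The function names, the TooManyFormKeys exception and the sample bodies are all constructed for this example.

```python
from __future__ import annotations

from urllib.parse import unquote_plus

# Same ceiling the Jetty fix described above enforces by default.
DEFAULT_MAX_FORM_KEYS = 1000


class TooManyFormKeys(ValueError):
    """Raised when a body carries more keys than the configured ceiling (hypothetical name)."""


def parse_form_body(body: str, max_form_keys: int = DEFAULT_MAX_FORM_KEYS) -> dict[str, list[str]]:
    """Parse an application/x-www-form-urlencoded body into {key: [values]}.

    The key count is checked while splitting and before the key is inserted,
    so an oversized request is refused without the parser ever constructing
    the large hash table that a hash-collision DoS relies on.
    """
    params: dict[str, list[str]] = {}
    seen = 0
    for pair in body.split("&"):
        if not pair:
            continue  # tolerate "a=1&&b=2", as servlet containers generally do
        seen += 1
        if seen > max_form_keys:
            raise TooManyFormKeys(f"form body has more than {max_form_keys} keys")
        key, _sep, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def request_accepted(body: str, max_form_keys: int = DEFAULT_MAX_FORM_KEYS) -> bool:
    """True if the body parses under the ceiling, False if it is rejected."""
    try:
        parse_form_body(body, max_form_keys)
        return True
    except TooManyFormKeys:
        return False


def build_body(n: int) -> str:
    """Constructed sample input: a body with n distinct keys, for testing the limit."""
    return "&".join(f"k{i}=v{i}" for i in range(n))


if __name__ == "__main__":
    print(request_accepted(build_body(5)))           # accepted
    print(request_accepted(build_body(1001)))        # rejected at the default of 1000
    print(request_accepted(build_body(1001), 2000))  # accepted once the ceiling is 2000
```

The last call mirrors the effect of setting `-Dorg.eclipse.jetty.server.Request.maxFormKeys=2000` in the startup script: raising the ceiling trades some DoS headroom for compatibility with legitimately large forms, so it is worth confirming an application actually needs more than 1000 fields before changing it. Python's own `urllib.parse.parse_qs` exposes the same control through its `max_num_fields` argument.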