iChain 2.2 Support Pack 1 Now Available
Novell Cool Solutions: Feature
Posted: 18 Jul 2003
iChain 2.2 Support Pack 1 - Version 2.2.084
This file contains updates for services contained in the iChain 2.2 product. The purpose of the patch is to provide a bundle of enhancements and fixes for issues that have surfaced since iChain 2.2 shipped. It is not recommended to install individual files from the patch.
To download the Support Pack and get the official installation instructions, go here: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2966435.htm
Fixes/Enhancements in this Support Pack (Since ic22fp1a.exe):
- Security Alerts:
- Redirect information in URL must now match an accelerator DNS name. Prevents redirects to a malicious site.
- When using a non-existent user, the timeout was shorter than for an existing user with a wrong password.
- SSO Abends when unloaded before LogOpen completes at init time.
- Abend in iChainOACWorker due to NULL ServerReq->rbConnnection.
- Abend in client.c when using stale config data.
- Abend in RadiusLogin() when not enabling the optional LDAP password option.
- Fixed "Internal Consistency Error: CloseConnection connection won't finish" during a purge cache.
- Users must not be able to install NetWare Support Packs on iChain.
- Path-based rewriter problem with handling "../file" when you are at the root.
- iChain proxy was consuming large amounts of bandwidth to back end web servers in some instances.
- Problems with VerifyCertChain function. Updated NPKIT.NLM version 21.
- Alternate Host Name now gets rewritten to Accelerator's DNS name on a per-accelerator basis.
- ISO Object did not get cleared when doing 'Factory Settings'.
- Fixed DSOffset (Daylight Savings Time) so it defaults to 1:00.
- IBM X335 goes into BIOS when restarted after a shutdown.
- Added WAP Support.
- iPlanet had trouble with "persistent connections" enabled.
- .pdf would not open when /*.pdf in the pin list set to bypass.
- Fixed .pdf file read error: "File does not begin with '%PDF-'"
- Change help screens to default to English.
- Proxy needs to check with Sessionbroker on insufficient authentication.
- File Gadget was broken through Path based multi-homing: Could not create directories.
- Large files were not forwarded to browsers until completely in memory.
- Rewriter not handling "/" correctly in 302 redirect.
- Could not accelerate Web server on TCP port 2000.
- Fix garbage at bottom of screen on simple HTML logout page.
- Changed "button" to "Login" in simple HTML login pages.
- Need to rewrite path= on the SET COOKIE header.
- Fixed logout problem with no authentication enabled.
- Now unload NLSLSP and POLIMGR when cloning.
- Added load option for SSO.NLM to redirect debug output to the logger screen.
Syntax: LOAD SSO -d -l (-d enables debug; -l redirects output to logger screen).
- Introduced tag for enabling/disabling "value=" rewriting.
See current online documentation at http://www.novell.com/documentation/lg/ichain22/index.html for details.
Fixes/Enhancements in ic22fp1a.exe (Included in this Support Pack):
- Security Alert: DoS caused by buffer overflow abend running special script against login.
- Buffer overflow problem with large user name.
Fixes/Enhancements in ic22fp1.exe (Included in this Support Pack):
- Security Issues:
- For security reasons, NCPIP.NLM and JSTCP.NLM were renamed to NCPIP.OLD and JSTCP.OLD. NCPIP.NLM should never be loaded on a PUBLIC interface unless port 524 is blocked by a firewall, even if using the NCP exclude options. JSTCP.NLM posted a listener on port 6901 that is not needed by iChain.
- User could access a restricted/secure page without authenticating.
- ACLCHECK abend in validateCredential in case of referrals.
- Abend from iarredir sendredirect.
- Abend on %m string and debug trap on empty configuration.
- Abend in webcache (orphan).
- CDA abend on apply.
- Abend in Nile.
- Proxy abend "Proxy Internal Consistency Error" does not log passed parameters to abend.log.
- Nile abend caused by PROXY.NLM due to certificate mapping.
- Abend when using an incomplete Error login page.
- Abend when activating iChain and no protected resources have been defined.
- ICOG/VTABLE abend.
- Cookie time out in CDA case abends server.
- LDAP referrals are now supported.
- LDAP referral support for FormFill.
- Authentication fails if accelerator DNS name has ending backslash.
- Wrong logout message after authentication timeout has occurred.
- Cannot do mutual authentication on iChain 2.1 with eDir 8.7.
- Login loop with CDA and Mutual SSL fixed.
- Dotted names now work with iChain (ex: "cn=joe.cool,o=novell").
- Incorrect error code if ACLCHECK is not ready to receive request.
- ACLCHECK allows access with URL exceptions using a wildcard '?'.
- Japanese browsers unable to manage iChain 2.2 via GUI.
- Common logs reporting information with incorrect format.
- Console help added for ACLCHECK commands.
- Periodic (24hr) license check eliminated.
- More efficient handling of byte range requests.
- Endless loop in client compression code.
- Performance improvement in dynamic groups processing.
- Cache control headers are no longer being sent with graphics, etc.
- VARY Header - level 2 support added.
- The management servlets have been upgraded to use the latest LDAP Java sdk. The old servlets are included for backward compatibility.
- CDA and iChainPasswordMgr should work for non domain-based accelerator.
- Updated NSSS.NLM and NSSLDP.NLM for FormFill SecretStore.
- FormFill buffer increased from 50K to 150K.
- FormFill will use credentials from a logged-out session.
- FormFill policy name cannot have '?'.
- FormFill should fill out the field even if the field is hidden.
- FormFill abend due to PROXY.NLM passing an invalid (non-null) pointer.
- Timeout removed when no data is returned by Oacjava server.
- Proxy passing user DN instead of CN to back end Web server with OLAC enabled.
- OLAC sending information webserver cannot understand.
- OLAC doesn't remove duplicate header.
- OLAC doesn't strip off utf-8 encoded names from query string.
- OLAC doesn't populate auth header correctly when using double byte characters.
- OLAC with SecretStore can prevent user login if secret is deleted or changed.
- Support "USERVOL:" volume for custom login/logout pages.
- iChain FTP enhanced to include mkdir and rmdir and to support USERVOL.
- Extensive fixes have gone into both the Internal and Custom rewriter.
- Algorithm match-up between Custom rewriter and Internal rewriter.
- Path based multi-homed rewriter issue.
- Avoid potential overflows in the SendHeader function.
- URL parser fixed to normalize an URL (/../) issue.
- Mime type text/plain should not be rewritten.
- Add signature field to rewrite control state vector.
- [Mime Content-type] support fixed.
- Absolute relative location tags were not rewritten.
- Internal rewriter is dropping data.
- Problems rewriting VALUE= that isn't a reference.
- Could not disable internal rewriter for more than one accelerator.
- Sections of source can be excluded from being rewritten using these tags:
- [Exclude] section can be added to the REWRITER.CFG file to exclude all content in directories/files from being rewritten. It supports URL syntax like protected resource tags, including wildcards. For example: