=========================================
= Changes between 8.1.634 and 8.1.653   =
=========================================

8.1.653 (8.1 patch 5) is an emergency patch release to close a critical
security vulnerability that affects server components. If you are running a 8.1
deployment, you need to upgrade immediately in order to close the
vulnerability.

CHANGES:

* Fixed security vulnerability in Web Reports and Server API.

(Agents, relays, servers, and consoles are not exposed to this vulnerability and 
are not being patched)

=======================================
= Changes between 8.1.617 and 8.1.634 =
=======================================

Client
-  Fixed an issue where Linux agents would crash when ssl enabled ldap password authentication is configured. (46817)
-  Fixed an issue with the Oracle Linux agent that would lead to the agent crashing during certain SSL operations. (46818)
-  Fixed an issue with the AIX agent that would lead to agent duplication when restarting the computer. (46822)
-  Fixed an issue with the Windows agents that would lead to MFE related errors in client log and corrupted state data being written to disk. (43543)
-  Fixed an issue with the Rhel5 x64 agent that would result in MFE FileIOError messages in the clinet log and the process leaking sockets. (46826)
-  The minimum value of _BESClient_Register_IntervalSeconds is 600 and should be reflected in documentation correctly now. (46212)
-  Fixed an issue where in certain rare network configurations, ICMP packets would not be sent from Windows 7 computers and cause automatic relay selection to fail.
-  Fixed an issue on Linux and Mac agents that could result in the agent hanging during action execution when performing file operations. (46835)

Server/Relay
-  Fixed an issue where removing a master operator would fail with error message "class X509VerifyError<10>". (46828)
-  Fixed an issue with the AIX relay which prevented it from being the child of another AIX relay. (46830)


=======================================
= Changes between 8.1.608 and 8.1.617 =
=======================================

Web Reports
- Fixed an issue to allow filtering of legacy reports (38642)
- Fixed an issue where loading reports could cause "Operation Aborted" in IE 7 (42636)
- Fixed a delay in loading filters for legacy reports (42806)
- Changed the behavior of the Web Reports "Filter by Author" interface to display only users who have visible reports (42868)

Console
- Fixed an issue where selecting the "Show this user only their own actions and action results (recommended)" setting for Master Operator permissions can cause improper actionsite creation (43509) 
- Fixed an issue where incomplete Console cache reloads could result in missing domains (42799)
- Fixed an issue where xml import/export of content caused the order of action links to be reversed (43138)
- Fixed an issue where site level relevance was excluded from subscription relevance if site subscriptions were changed on a cached console load (41542)

=======================================
= Changes between 8.1.551 and 8.1.608 =
=======================================

General
- Changed the AirGap Tool request file to be an XML formatted document to make it easier for users to look through or manually update. (41317)
- Added versioning information to the AirGap Tool binary. (38035)
- Changed the error message generated in the Fixlet Debugger when using Active Directory Inspectors to give a clear indication they don't have context to evaluate in the debugger. 

Server
- Fixed an issue with file move operations on the BES Server that would fail when the source and destination were on different volumes. This would only occur if users had manually moved parts of the BES Server to alternate drives. (41423)

Web Reports
- Improved performance of using Unmanaged Assets data. (41074)
- Improved performance of Filters that include large numbers of computer group clauses. (41755,42168)
- Fixed a crash issue that would occur when creating a computer filter using a string that isn't in the result set. (41412,41836)
- Fixed a database query issue that could lead to deadlocks being generated. (40912)
- Fixed a performance issue that would cause navigating between pages to be slow when using large numbers of filters. (41755)
- Fixed issues with saving and viewing Filters that contained large numbers of filter clauses. (42112)
- Fixed an issue with the Location column on the Active Directory Permissions management page not being rendered as html. (41870)
- Fixed an issue where closing a web browser during an expensive report operation could lead to Web Reports crashing. (41892)
- Resolved several potential XSS Vulnerability issues. (41651,41652,41689,41691,41759,,41760)
- Added back logging of usernames into the Web Reports Debug log. (41773)

Relay
- Fixed an issue with the Relay using too much CPU when using dynamic bandwidth throttling. (41095)
- Fixed an issue with the AIX Relay that would rarely cause crashes during certain network operations. (41578)
- Fixed an issue that would prevent 7.2 (and below) Relays from Gathering Fixlet Sites correctly from an 8.1.551 Relay or Server. (41821)

Console
- Fixed an issue with non-English installs that would lead to unhandled exceptions when using Action Settings in Fixlet messages.
- Fixed an issue with invalid signature errors being generated from use of custom mime fields. (42022)
- Fixed an issue with the Console freezing during resize operations when IE9 is installed. (38973)
- Fixed an issue where console users would be unable to login and receive a 'No Such SiteID' error message after unsubscribing from a Fixlet site. (39730)
- Fixed an issue with the Actions tab '% Complete' column displaying incorrect values for actions generated using the Server API. (40392)
- Fixed an issue with the sort order not working correctly on the 'Count' column for analyses. (40996)
- Fixed an issue where unmanaged assets would disappear for Non-master Operators every time the console is reloaded until a new scan is run. (41360)
- Fixed an issue where the site level relevance section would not be displayed when loading the BES Console from its cache file. (41542)
- Fixed an issue with custom dashboards that would allow ActiveX controls to run without prompting the user. (41756)
- Fixed an issue with Baselines that would allow them to run on locked computers if the Baseline was part of a custom Fixlet site. (41818)
- Fixed an issue where the Console could create invalidly signed Fixlet sites during action propagation if a rare Windows issue causes file size to be misreported. (41370)
- Fixed a display issue with Trend branded Consoles that would cause a red banner to be displayed on the action info dialog. (41909)

Client
- Fixed an issue with Unix and Linux agents that would cause the agent time tracking to temporarily be inaccurate every 49 days. (41337)
- Fixed an issue with the _BESClient_Inspector_DisableWMI client setting which caused it not to work. (40785)
- Fixed an issue that could lead to a buffer overflow on computers with over 32 network interface devices. (41796)
- Fixed an issue in the client reset operation that could lead to the agent temporarily reporting invalid data. (41988)
- Fixed an issue with the Solaris agent that would cause it to consume too much CPU under certain conditions. (38750)
- Fixed the agent uninstall to correctly remove the agent install receipt and all previous Mac Agent receipts. (41171)
- Client Inspector Changes:
	o Fixed an issue with the security object inspectors not returning incomplete information on the root folder. (41595)
    o Fixed an issue with the Active Directory Inspectors not working if pre-win2k compatibility mode was disabled on the AD server. (40715)
    o Active Directory Inspectors will no longer retry querying for information on users that don't exist. (40354)
    o Active Directory Inspectors will now detect joining and leaving domains faster. (40485,40488)
    o Fixed an issue with Active Directory Inspectors where in rare cases two users could have the same SID and cause inaccurate results. (40775)
    o Fixed the 'Sample times of groups' inspector for Active Directory to return the correct value instead of the epoch date. (41774)
    o Fixed an issue with Active Directory inspectors not recognizing Mobile Users on Mac OS. (40854)
    o Fixed an issue with the 'iokit registry' inspector that would cause a memory leak on the Mac Agent. (41128)


=======================================
= Changes between 8.1.535 and 8.1.551 =
=======================================

Web Reports
- Fixed an issue with roles filtered by Console user that would cause slowness when assigned to a Web Reports user (issue #40681)

Relay 
- Fixed an issue that would prevent total outbound throttling from capping at the maximum value in some situations (issue #40673)

Console
- Fixed an issue where live search of Action list for large deployments can be slow (issue #41017)
- Fixed an issue where the targeting relevance by retrieved property for existing sites, automatic groups and Fixlet objects incorrectly marks the property as being "old" (issue #41031)

Client
- Fixed an issue with the security description inspector (dacls) of x64-based objects returning errors (issue #40897)
- Fixed an issue with the security description inspector (dacls) leading to client crashes if no security descriptors exist on the object (issue #40899)
- Fixed an issue with the security description inspector (dacls) failing for certain types of access control entries (issue #41115)
- Fixed multiple issues that cause memory leaks in the client.  Affected Inspectors include 'current analysis', 'Fixlets/actions/relevant offer actions/entries of dacls/entries of sacls' of <site> objects, 'pending restart names', and 'upload progress of client' (issue #40911)


=======================================
= Changes between 8.0.627 and 8.1.535 =
=======================================
General
- Branding changes from BigFix to Tivoli Endpoint Manager throughout the product

Server
- Changed the data structure used to represent external Fixlet message definitions in the database, improves GatherDB import times and console load times
- Changed the download whitelist system to detect changes without restarting services
- Removed the NotifyClients.exe binary from the server installation
- Fixed an issue that would lead to a 'class FormatError' during actionsite propagation. (issue #40664)
- Fixed an issue with xml parsing that prevented the cache indirection feature from working
- Fixed an issue with authenticated proxy access for BES Gather not working unless the username and password being used were the same (issue #39427)
- Fixed an issue that prevented gather ping requests from being sent correctly (issue #39369)

Web Reports
- Added the ability to sort by multiple columns in Web Reports, enables hierarchical report construction
- Added Computer Group and Database column options
- Added ability for Web Reports users assigned with the view of a Console Operator to view that Console Operators Analyses (issue #8754)
- Changed the secure flag to be set for authentication cookies when using SSL mode
- Restored special character escaping to SOAP API query results, previous decoding results was leading to XML errors
- Removed the Set Global Property Columns link from Analysis reports which wasn't working
- Fixed an issue that would lead to NoSuchSite error messages (issue #40315)
- Fixed an issue where an error value from a multi-valued property would cause the printable and CSV data output to be wrong (issue #40236)
- Fixed an issue where column order would change between viewing the report and printing it
- Fixed an issue with logging capturing the active directory user password (issue #40036)
- Fixed an issue where column sorting might not work after clicking on the column header multiple times (issue #39867)
- Fixed an issue with sorting on computer count columns (issue #39572)
- Fixed an issue with the Relevance() function now working for custom reports (issue #39309)
- Fixed an issue with multi-byte characters when setting up email options on non-english installs (issue #39178)
- Fixed an issue with the Delete Private Reports option not working when removing users (issue #38921)
- Fixed an issue with Filter condition order changing on page refresh under certain conditions

Relay
- Added support for AIX 6.1
- Changed the behavior of the _EnterpriseServer_ClientRegister_DisableChildUDPMessages setting to not prevent sending UDP messages to the local client so that the Relay will stay responsive even if its children are not reachable
- Fixed an issue with the _BESRelay_UploadManager_BufferDirectory setting not working on Unix relays

Console
- Added the ability to import files into custom Fixlet sites and transmit the data to agents
- Added 'IPv6 Address' to the core properties
- Added Wizards and Dashboards nodes to the default site filters
- Added a right click option to create manual groups to the computer groups tab
- Fixed an issue that would generate an error when creating custom sites when using case-sensitive sql collations
- Fixed an issue where a non-master operator editing custom content would have the Group Membership incorrectly populated when editing Fixlet messages (issue #40762)
- Fixed a timing issue when uploading small files that would cause the upload not to progress
- Fixed multiple issues with lock icons in the the action lock constraints for Fixlet messages not working correctly (issues #40234, #39739, #39737)
- Fixed an issue that could lead to the console crashing when editing properties on non-english installs (issue #40064)
- Fixed an issue where creating automatic groups constrained by multi-values properties would not subscribe any computers (issue #40062)
- Fixed an issue where Baseline Component Applicability would be displayed as 'unknown' incorrectly (issue #39719)
- Fixed an issue importing .BES files with AnnounceOffer elements which would lead to XML parsing error messages
- Fixed an issue where mouse-over popup information would not be fully displayed when property results contain a tab character (issue #39305)
- Fixed an issue where tool tip text would not display correctly in the take action dialog with certain font sizes.
- Fixed issues with the console history not working correctly (issues #39145, #38579)
- Fixed a memory leak issue which occurs when evaluating session relevance inside of dashboards (issue #39142)
- Fixed an issue with computer subscription controls not being disabled for users without site write permissions
- Fixed an issue with filtering by Baselines not working correctly (issue #38881)
- Fixed an issue that would lead to the console crashing when using certain action lock constraints (issue #38856)
- Fixed an issue with console crashing when canceling operator assignment permissions
- Fixed an issue with sorting columns that contain version numbers
- Fixed an issue with documents closing when canceling remove
- Fixed an issue where the 'Discard changes' button on custom sites did not actually remove changes (issue #38047)
- Fixed an issue where adding special characters to a Baseline's component group name would be silently removed, special characters are now allowed
- Fixed an issue with the 'View Action Info' becoming blank when F5 is pressed

Client
- Added client support for the following platforms:
	o Debian 5.03
	o ESX 4.0
	o ESX 4.1
	o Ubuntu 8.04 LTS
	o Ubuntu 10.04 LTS
- New client inspectors added:
	o Added support for Active Directory inspectors on Windows and Mac agents to pull back computer and user group information of the local system
	o Added inspectors for x64 environment variables on Windows
	o Added active directory group and user user inspectors
	o Added a 'site' property for Fixlet messages
	o Added a 'current analysis' inspector that returns the Fixlet containing the property currently being evaluated
	o Added 'brand of client' inspector
	o Added 'driver service' and 'all services' inspectors which return information on drivers
- Existing client inspector updates:
	o Fixed plist file inspectors to handle <array> tags
	o Fixed the entries of DACLS inspector to include inherited ACLs
	o Fixed an issue with the swap inspector failing on some Linux systems (issue #39904)
	o Fixed an issue with the operating system inspector not detecting changes on unix/linux
	o Changed version comparisons on Unix to behave the same as windows for versions strings that contain only numerals
- Added a new setting to control the Active Directory cache refresh interval for the user information, _BESClient_Inspector_ActiveDirectory_UserRefresh_Seconds, with default to check only on user login
- Added retry logic for MFE errors encountered in critical client file and registry operations (issue #39251)
- Added log rotation behavior to the client profiler logs. Includes a new client setting to control the number of files to keep, _BESClient_Resource_TrackingMaxFiles, with a default of 10
- Changed the client CPU throttling to be unthrottled when initiating a system shutdown to help prevent delays between end users initiating the shutdown and the client requesting the system to shutdown (issue #38234)
- Changed the AIX installer not to attempt to start the agent immediately after fresh install since there is no masthead
- Changed the client log endings to match the appropriate platform so they may be viewed locally on Unix and Linux systems (issue #38783)
- Changed the wait time for force killing the Unix agents in the init.d script from 4 seconds to 120 seconds to give the agent more time to respond to the initial shutdown request (issue #18477)
- Improved log messages when using client tunneling to reflect the actual urls the client is accessing (issue #35037)
- Removed extraneous character being written to the end of the client profiler logs
- Fixed an issue where file move behavior when moving files across volumes was inconsistent on different platforms
- Fixed an issue that would lead to clients failing to gather the action site with error message 'Unhandled exception during final phase of gathering 19' (issue #20878)
- Fixed several issues with Power Management Inspectors on Mac agents that would lead to them reporting incorrect intervals and events (issues #39786, #38542)
- Fixed an issue in the Mac Installer that could lead to it failing to install on Mac 10.6 if previous versions had been installed
- Fixed an issue with the restart command on Macs that would prevent the system from restarting when using a time delay of 'now' or '0' (issue #37820)
- Fixed an issue where the Mac agent installer would not correctly handle clientsettings.cfg file that contained DOS line endings (issue #36748)
- Fixed an issue with Mac OS X 10.6 that prevented IPv6 communication from functioning correctly
- Fixed an issue with the 'Current User' inspector on Mac that would cause it to return errors
- Fixed an issue that would lead to the core dumps on AIX 5.1 (issue #40498)
- Fixed an issue in the AIX client init script that might cause it not to shutdown; also added a 'restart' command
- Fixed an issue with the AIX upgrade that would remove symlinks which had been setup for the agent and cause it not to work after upgrade (issue #37451)
- Fixed an issue in the AIX client's init.d script that would lead to error messages being displayed (issue #34181)

Client UI
- Added a new option to Offers in the BES Console take action dialog to 'Notify users of offer availability' that will trigger a single short lived balloon notification to be displayed to end users when the offer is first available for them (issue #15011)
- Changed the Mac Client UI to be driven through the Menu Extras interface instead of the Dock (issue #39449)
- Changed the technician tab to automatically close when the main dialog is closed
- Changed deadline time display to round to the nearest time interval (day or hour) when over one hour is left
- Changed ClientUI settings to be loaded dynamically without restarting the agent
- Removed interface for selecting snooze lengths when there is no snooze options available
- Fixed an issue in the Mac Client UI that caused it to display html tags in the interface
- Fixed an issue with the Mac Support Center UI on OS X 10.6.4 that would prevent users from changing the size of the window (issue #39012)
- Fixed multiple issues with the Mac Client UI where the main dialog would not correctly hide or unhide itself in response to running actions (issues #38282, #37776, #25579, #21859, #29106, #15655)
- Fixed an issue with keyboard shortcuts not working in the Mac Client UI
- Fixed an issue where new offer notifications would trigger again even though the Client UI was already open
- Fixed an issue with the _BESClient_Action Manager_InitialUITab setting not working on Mac

Installers
- Added support for localization to EULA displays
- Added Windows Firewall exceptions for Web Reports
- Added ability to retry for remote database installs after the initial connection attempt fails
- Added a command line option for Windows Agent installer to prevent the service from starting after install (STARTAGENTSERVICE)
- Added a check to prevent upgrading from versions less than 7.0 directly to 8.0 or later. Users must upgrade to 7.X first
- Added PropagateFiles.exe to the server installer, supports upgrades as well
- Changed the Windows Client service to have a delayed start. Added a command line option to control the behavior (DELAYAUTOSTART_AGENTSERVICE)
- Changed the Installation Generator to warn before removing itself when running the installer

Admin Tool
- Database logging mode set to simple transaction logging for new installs instead of full transaction logging
- Added localization support for the Advanced Masthead Parameters dialog
- Made all advanced deployment options case insensitive
- Fixed an issue that would prevent users list from being displayed on non-English installs
- Fixed issues with text overlapped during Non-English Evaluation install
- Fixed an issue where BESAdmin can't upgrade database when not on the root server computer
- Fixed issues that prevented installs and upgrades on case sensitive SQL collation installs

Removal Utility
- Added support for DSS SAM
- Changed error handling to continue removing components when removal failures are encountered
- Fixed an issue where the version would come back as 'unknown'

Fixlet Debugger
- Added the ability to evaluate relevance in the agent context by using the - client compliance API
- Added a 'Discard All' option when closing the Fixlet Debugger with multiple unsaved windows
- Added syntax highlighting for the 'it' keyword to match what is being referred to
- Fixed a crash issue with deeply nested if statements in action script

Dashboard API
- Added the ability to specify a computer id list for targeting to the ImportXML function
- Added 'preferred BES language' to the session relevance inspectors to return the current local the console is running in
- Fixed an issue with the ImportAction function not working when targeting by computer name