=========================================
= Changes between 9.0.876 and 9.0.897.0 =
=========================================

9.0.897.0 (9.0 Patch 8) is a patch release to close security vulnerabilities. If you are running a 9.0 deployment, you need to upgrade in order to close the vulnerabilities.

CHANGES:

Security
* Updated version of OpenSSL used by Platform to 0.9.8zg
* Updated version of jQuery to 1.8.2
* Eliminated use of RC4 cipher to eliminate "Bar Mitzvah" vulnerability.
* Changed use of frames to eliminate clickjacking vulnerability
* REST API now sets HttpOnly on its cookies
* Fixed security issue when debuglog is enabled in Web Reports (APAR IV74066)

===========================================
= Changes between 9.0.853.0 and 9.0.876.0 =
===========================================

9.0.876 (9.0 patch 7) is a patch release to close security vulnerabilities and to fix a few general bugs. If you are running a 9.0 deployment, you need to upgrade in order to close the vulnerabilities and get the benefits of the bug fixes.

CHANGES:

Security
* Updated version of OpenSSL used by Platform to 0.9.8zc.
* Eliminated use of SSL 3.0 protocol in order to close "POODLE" vulnerability.

Server
* Fixed an issue where authentication on a proxy would fail when using a Domain user (issue #61846, APAR IV59779)
* Fixed an issue where, when deleting a site or operator, the root server service would hang indefinitely (issue #64139)

RESTAPI
* Improved performance of some RESTAPI queries (issue #61409, APAR: IV54825)
* Fixed an issue where using the RESTAPI to Delete Custom Sites would cause InvalidSubscription Exception (issue #63633)
* Fixed an issue where Analysis Activation Request did not return activation ID (issue #65186)
* Fixed an issue where Analysis activation and deactivation would fail for NMOs (issue #65199)
* Reduced memory consumption by RESTAPI calls (issue #64472)

Relay
* Fixed an issue where Non-Windows relays would hang (issue #63244)

=========================================
= Changes between 9.0.835 and 9.0.853 =
=========================================

9.0.853 (9.0 patch 6) is an emergency patch release to close a critical security vulnerability that affects server components. If you are running a 9.0 deployment, you need to upgrade immediately in order to close the vulnerability.

CHANGES:

Security
* Fixed security vulnerability in Root Server, Web Reports, and Server API.

Server
* FillDB hanging due to corrupt client reports. (issue: 60936, APAR: IV54863)

(Agents and relays are not exposed to this vulnerability and are not being patched)

=============================================
= Changes between 9.0.787.0 and 9.0.835.0 =
=============================================

Server
* Red Hat: Fixed an issue that prevented the server from connecting to configured LDAP servers after the server had been upgraded (issue #59420)
* Fixed a database deadlock that could cause a server hang (issue #59379, APAR: IV48102)
* Fixed a FillDB hang caused by a corrupted MIME header (issue #61001, APAR: IV53613)
* Fixed an issue where proxy settings could be lost on upgrade (issue #61010)
* Added the ability to bypass a network proxy for certain destination addresses (issue #60381, APAR: IV53783)
* Made HTTP connectTimeout configurable via a setting (issue #61199, APAR: IV53930)

Agent
* Windows 7 SP1: Fixed an agent crash on Windows 7 SP1 (issue #60959, APAR: IV53605)
* Windows 8: Fixed an issue where clicking on notifications failed to launch the client UI (issue #56132)
* Windows: Fixed a rare crash caused by calling a Windows API with possibly uninitialized memory (issue #59926)
* Fixed an upgrade issue that could cause an agent to revert to an older masthead (issue #61122)
* Fixed an issue that could cause the agent to fail to restart when enabling FIPS mode (issue #61025)

Relay
* Fixed an issue that could prevent a child relay from connecting to its parent after the parent enabled authentication (issue #61110)

Console
* Fixed an issue with displaying non-ASCII characters in the action status window (issue #60004, APAR: IV51381)
* Fixed an issue where the "Device Type" for some Windows XP laptops would be incorrectly reported as "Desktop" (issue #59400, APAR: IV48085)
* Fixed an issue where targeting by a list of computer names would generate an error if any of the names in the list were invalid (issue #60123, APAR: IV53850)

Web Reports
* Added a configuration option to specify a default "From:" address for emails sent from Web Reports. This option can be set in the registry (Windows) or config file (Linux) under \Enterprise Server\BESReports\EmailFromAddress (issue #60593, APAR: IV47644)
* Fixed an issue with filtering actions by issuer (issue #58201, APAR: IV46683)
* Fixed an issue where Web Reports could accept non-SSL connections on port 443 (issue #60908)
* Fixed an issue preventing some LDAP users (those with null bytes in their GUIDs) from logging into Web Reports (issue #57751, APAR: IV53335)

=============================================
= Changes between 9.0.785.0 and 9.0.787.0 =
=============================================

Server
* Fixed a vulnerability in LDAP and Active Directory authentication handling that could allow an attacker to impersonate any LDAP or AD-authenticated Console user (issue #59898)

=============================================
= Changes between 9.0.777.0 and 9.0.785.0 =
=============================================

Agent
* Fixed issue with decryption of secure parameters in an Action (issue #59473)
* Fixed issue with memory leak in WinRT inspector relevance (issue #59408)

===========================================
= Changes between 9.0.649.0 and 9.0.777.0 =
===========================================

Added Support
* Added Agent support for OS X 10.9 Mavericks
* Added Agent support for Debian 7 Wheezy

Server (Linux)
* Performance enhancements: removed suggested 10,000 agent limit
* Fixed issue where Linux RootServer required manual DB2 installation (issue #56494)
* Fixed issue where Linux RootServer required manual dependency installation (issue #54795)
* Fixed issue where Linux RootServer required manual firewall port forwarding (issue #54800)
* Fixed issue to allow Kerberos authentication to Active Directory in Linux RootServer (issue #55668)
* Fixed issue where Linux RootServer miscalculates SHA1 for uploads (issue #57648)

Web Reports (Linux)
* Fixed issue where Linux WebReports PDF feature required dependencies (issue #47985, APAR: IV18526)
* Fixed missing inspectors in Linux Web Reports (issue #58086, #57276, #55363)

RESTAPI
* Fixed issue adding LDAP server (issue #55046)
* Fixed issue updating site permission for a user or role (issue #55232)
* Fixed issue creating a Role with an LDAP user group (issue #55233)
* Fixed issue querying dashboard variable (issue #55483, #56970)
* Fixed issue deleting a file from a custom Site (issue #55656)
* Fixed issue querying actions with a Non-Master Operator (issue #56188)
* Fixed issue using SourceFixlet field in Fixlet query (issue #56530)
* Fixed issue importing Fixlet (issue #56576, #57195)
* Fixed issue retrieving Fixlet ID (issue #56865)
* Fixed issue creating LDAP Master Operator (issue #57312)
* Fixed issue retrieving Subscription Mode in Site query (issue #55185)
* Fixed issue querying LDAP Directory (issue #58885)
* Fixed issue querying files from Site (issue #57370)

Agent
* Fixed issue causing ClientUI crash on Windows Server 2012 core installations (issue #57118, APAR: IV40661)
* Fixed issue causing incorrect localized text in the ClientUI (issue #57563, #57564, APAR: IV43855)
* Fixed issue causing incorrect results for Active Directory inspectors (issue #55710, APAR: IV37312)
* Fixed issue causing archive failures in the Agent (issue #57153, APAR: IV41587)
* Fixed issue causing RedHat based machines to report incorrect operating system (issue #57941, APAR: IV43122)
* Fixed issue running multiple Actions (issue #48917, APAR: IV36147)
* Fixed issue with "bios" inspector on HP machines (issue #55440)
* Fixed issue causing incorrect results for "cpupackage" inspector (issue #54316)
* Fixed issue causing throttled CPU usage during Action processing (issue #57060)
* Fixed issue causing incorrect logged on users in Mac Agent (issue #56760)
* Added Windows 8.1/Server 2012 R2 support for "operating system" inspector (issue #58055)
* Added Windows RT application inspector support (issue #54588)

Console
* Fixed issue where Console was timing out during upload (issue #58303)
* Fixed a UI freeze when modifying actions (issue #57122)
* Improved action list performance, especially when sorting by the "% Complete" column (issue #57282)

Relay
* Fixed issue where Relay is unresponsive during RegistrationList upgrade (issue #58548, APAR: IV45378)
* Fixed issue where Relay posts incorrect Content-Type causing report send/receive failure (issue #58808)

Server (Windows and Linux)
* Fixed issue causing connection reset in an authenticated Proxy configuration (issue #57299, APAR: IV40450)
* Fixed issue causing RootServer crash from failed relevance requests (issue #58923, APAR: IV46722)
* Fixed issue causing high memory usage during Wake-on-LAN notification forwarding on Relays (issue #59022, APAR: IV47174)
* Fixed issue causing "InvalidTextEncoding" errors (issue #58256, APAR: IV47668)
* Fixed issue with RootServer database deadlock before "SignedDataVerificationFailure" (issue #58712, #58296)
* Fixed issue with new localized installation (issue #57267)
* Fixed issue where starting 8.2 Patch 8 platform could not upgrade to any 9.0 platform (issue #58297)
* Fixed issue where in a DSA environment, the primary server is unable to notify clients on the secondary server (issue #56081)
* Improved performance when dealing with large numbers of action results, especially for non-master operators (issue #57116)
* Limitation of 10000 clients for server Linux/DB2 was removed (issue #57905)

Upgrade Fixlets
* Unified Windows and Linux Server/Console/Client upgrade Fixlets (issue #57104)

Web Reports (Windows and Linux)
* Fixed issue causing incorrect results for "custom content flag" inspector in WebReports (issue #56552, APAR: IV39034)
* Fixed issue where WebReports does a full refresh on background exception (issue #55760, APAR: IV45904)
* Fixed issue where a forward-slash in the Organizational Unit (OU) could break Active Directory Web Reports authentication (issue #58824)

===========================================
= Changes between 9.0.586.0 and 9.0.649.0 =
===========================================

Server/Database
* Fixed an issue where connecting to proxies using Windows authentication results in failure (APAR IV38401)
* Fixed an issue related to multiple “NoMatchingRecipient” server errors after rotating a server signing key (APAR IV41860)
* Fixed an issue where connecting through a proxy resulted in a “Send failed since rewinding of the data stream failed” error message (APAR IV39412)
* Fixed an issue related to slow server performance after rotating a server signing key (APAR IV32825)
* Fixed Windows session credential authentication for Active Directory environments with a different pre-Windows 2000 domain name
* Fixed an issue where HTTP requests would fail when forced to do a data rewind
* Fixed an issue related to "407 Proxy Authentication Required" errors
* Fixed an issue where proxy settings set using the BESAdmin.exe tool do not work with proxies configured for NTLM or negotiate authentication

Console
* Fixed an issue where issuing computer management rights to operators can result in failure (APAR IV39522)
* Fixed an issue where the Console does not set a timeout for server connections
* Fixed an issue where server class Windows machines were reporting incorrectly as laptop for property "Device Type"
* Eliminated unnecessary requests for DownloadStatus reports from the Console

Web Reports
* Fixed an issue where passwords can be written to the Web Reports debug log if they are included in the URL of the request

Client
* Fixed an issue where the client exits while trying to escalate privileges during process table enumeration (APAR IV38546)
* Fixed an issue where clients fail to gather site files with the same modification time (APAR IV39404)
* Improved client efficiency when dealing with rapid generation of sites
* Improved client efficiency when dealing with mailbox site directory listing on client startup
* Fixed an issue related to a client crash when using the socket inspector on Windows XP and Server 2003 for IPv6 sockets
* Fixed an issue where the "archive now" command could cause a client crash under certain conditions (APAR IV42307)
* Fixed an issue with the version inspector on the Mac client
* Fixed an issue where "bit of " inspectors were improperly handling 0 and 1 bit numbers
* Fixed an issue where "authenticating of current relay" relevance returns for non-Windows clients

Relay
* Added an exponential increase in wait time (up to a minute) for post actions if a 503 error is encountered to prevent filling up the relay buffer directory (APAR IV39735)
* Fixed a potential relay crash issue when dynamic bandwidth throttling is enabled (APAR IV42298)
* Fixed an issue where the relay does not pick up new parent settings during client registration under certain conditions
* Fixed an issue where the relay fails to delete malformed reports on 500 errors or on relay exception
* Fixed an issue where ForwardingBufferDir does not persist

REST API
* Fixed an issue where the REST API was unable to run session relevance queries on SSL-enabled Web Reports (APAR IV41164)

PropagateFiles.exe
* Fixed an issue where propagation fails with "HTTP Error 65" (APAR IV39404)

Localization
* Added Japanese translation fixes

==========================================
= Changes between 8.2.1372 and 9.0.586.0 =
==========================================

Major Features
* Client Authentication: Added authentication of client reports and the additional security options to protect site data on internet-facing relays
* Client Mailboxing: Added the ability to encrypt sensitive data sent to endpoints
* Red Hat Enterprise Linux 6/DB2 10.1 Support: Added the ability to deploy the Endpoint Manager server on Red Hat Enterprise Linux 6 with DB2 10.1 database support. Note: It is recommended that deployments larger than 10,000 endpoints use the Windows Server at this time.
* REST API: Combined the existing Server API and SOAP API functionality into a single HTTP-based interface to enable simpler and faster integration capabilities

Server/Database
* Added support for Windows Server 2012
* Added support for SQL Server 2012
* Added support for failover of downloads in DSA configurations

Console
* Added Windows session authentication for Console users
* Added Dashboard API enhancements
* Fixed issue where Baseline Actions/Multiple Action Groups have incorrect site-context (issue #44446)

Web Reports
* Enabled action filtering

Client
* Enhanced client support for the following platforms:
  * Windows 8
  * Windows Server 2012
  * Mac OS X 10.8
  * Solaris 11
* Added client support for the following platforms:
  * Debian 6
  * Ubuntu 12.04 LTS
* Added support for transcoding between codepages that represent equivalent character sets (e.g. Shift-JIS and EUC-JP). Note: This does not constitute full Unicode support
* Added client performance enhancements, particularly around handling large amounts of content
* Added new inspectors:
  * SSID for WiFi inspector
  * SQLite inspectors
  * JSON inspectors
  * SHA-2 inspectors
  * TCP/UDP port inspectors (supported on Windows 7+, Windows Server 2008+)
  * Inspectors for tracking long Fixlet evaluation times
  * SHA-2 inspectors
* Enhanced existing inspectors
  * CPU inspector updates and fixes
  * Floating point inspectors ported to all platforms
* Removed agent support for the following platforms:
  * Windows 2000
  * Mac OS X 10.4
  * Solaris 8
  * Red Hat Enterprise Linux 4
  * VMWare ESX Server 3, 3.5

Relay
* Added relay support for the following platforms:
  * Windows 8
  * Windows Server 2012
  * Solaris 11
* Removed relay support for the following platforms:
  * Windows 2000
  * Red Hat Enterprise Linux 4