Releases: OpenNTF/SocialSDK
1.1.12.20161007-1200
Upgrade to commons-fileupload-1.3.2.jar
1.1.11.20151208-1200
There are multiple themes for this build.
1 - Reduce Build Time [30 Minutes to 15 Minutes]
2 - Reduce Kit Size [160M to 40M]
3 - Code Cleanup
4 - Fixed/Updates
Reduce the Build Size and Build Time
Removed Source Zip Files from Build
Removed Tomcat from Build. If you want to setup your Tomcat environment, refer to the https://github.com/OpenNTF/SocialSDK/wiki/Building-your-first-social-enabled-jsp
Changed the Samples to build/test only. The Samples are no longer assembled and delivered. Results in a smaller download.
Code Cleanup - JavaDocs
Updated JavaDocs to support custom tags with the Maven Build ibm-api and method
Cleaned up the JavaDocs to remove warnings about improper @see @return @param
Projects which are updated include:
com.ibm.sbt.core
com.ibm.sbt.automation.core
bss.provisioning.sample.app
com.ibm.xsp.sbtsdk
com.ibm.sbt.opensocial.domino
com.ibm.xsp.sbtsdk.playground
com.ibm.sbt.automation.test
sbt.sample.app
Code Cleanup - General
Cleaned up the samples/config/sbt.properties (Removed DropBox/Twitter/References to LotusLive)
Removed MockService Logging for the initialize method
Updated CDNJS read me to describe the purpose of the folder
Fixed Issue with Line Feed Character
Fixed/Updated
Resolve retrieve tags on a user profile returns no tags at all #1719
Resolved Upload new version of community file does not work #1702
Fixed IE XPath detection #1727
Added Get reply count from getreply url (Rejected #1725 ) and provided getReplyCount from opensearch:totalResults in lieu of
Fixed Using getRemoteApplications( commUuid ) runs into an java.lang.OutOfMemoryError: Java heap space error #1728 and removed generated loop between two methods calling each other infinitely
Fixed Blog posts get comments does not work for on-prem Connections #1670
Fixed Issue with the proxy #1704
Implemented change OAuth2Handler bug with getAccessTokenForAuthorizedUsingPOST & double encoding #1597
Fixed Suggestion ProfileService.checkColleague should catch 404 error and return null #1579
Fixed issue with getCommunity not returning ClientServicesException testGetCommunityByInvalidId(com.ibm.sbt.services.client.connections.communities.CommunityServiceNoCommonCommunityTest)
Fixed issue with deleteWiki and deleteWikiPage - deleteWikiTest(com.ibm.sbt.services.client.connections.wikis.WikiCreateAndDeleteTest) and getAndDeleteWikiPageTest(com.ibm.sbt.services.client.connections.wikis.WikiPageTest)
Added isExternal is missing from Community Object (Java) #1637
Improved IE XPath detection #1727
Resolved Need method to get all invitations for a community #1549
Answered Create a stand-alone wiki => "Field permissions was not found or had no value" #1729
Added support for the AppKey Header to enable/add the following to your endpoint appKeyAPPKEYVALUE
Fixed Oauth credentials are not being persisted to the configured database #1478 fixed source class in OAuth2.0 Handler (for logging) and note the database change in OAuth handler may break databases that are created with earlier scripts
Added AbstractEndpoint - getSessionKey/setSessionKey to support api management endpoint session key
Added Generalized Support for Global Headers for A User Based Endpoint - #1720
Automated the Delivery of CDNJs Files based on -SNAPSHOT value / version
Changed the CodeLoad download for sources to only occur in the Deploy phase
Updated version of maven-javadoc-plugin
Updated the mixed legacy and amd loader issue in the ActivityStreamService utility code
Notes
As noted in #1547, when an AMD loader is used, there is an issue with rendering the Extensions. This is a known issue with no plans to fix.
As noted in #1504, WikiPage setContent and getContent does not support/retrieve the content for the WikiPage. it is working as designed, and you can get the linked content via the ATOM API.
As noted in #1537 InReplyTo object provides access to the Activity Comment feature.
As noted previously, Tomcat has been removed from the release.
1.1.10.20151002
updates to bss sample application
1.1.9.20150917
Fixes issue with XML.js where it doesn't find the right translation
1.1.8.20150911
Update to xml.js to support proper feature identification
1.1.7.20150908
Updates for XPath Engine check in JavaScript Binding
Updates to AccessToken to include Date/Time validation Checks from Original Acquisition
1.1.6.20150817
(1) - Update to localeUtil.js - removed trailing comma to ensure IE Compatibility
(2) - AddTagsWidget.js:205 - modified the error template to present a well formed message
(3) - Added <maven.javadoc.skip>true</maven.javadoc.skip> to library projects to skip javadoc plugin and for the tomcat assembly pom.xml
(4) - Fix MockServiceTransport.js which had an extra }); and an extra } on line 209 '[object HTMLScriptElement] InternalError: missing } after property list ('
(5) - Update Assembly pom.xml to include strict reference to context.xml which was missing from Apache Tomcat - context.xml and added overwrite="true"
(6) - Fix CommunityTest.java set to ignore as the backing mockdata does not exist
(7) - Reconcile the com.ibm.commons libraries version to 1.1.6.20150817-1200 - related to #1689
(8) - Fixed TabbedBaseView Warning
(9) - JavaScript - Fixed issue with Default endpoints overriding set endpoints in FileService and ProfileService (smartcloud)
(10) - Java - fix to forumservice for getTopics
IBM Social Business Toolkit - v1.1.5.20150520-1200
1.1.5 introduces an updated BSS Provisioning Application and fixes for samples.
IBM Social Business Toolkit - v1.1.4.20150504-1700
There are many updates in place in v1.1.4.20150504-1700 (1 security update)
The current snapshot is 1.1.5-SNAPSHOT
Items addressed:
Updated the RestClient to build the default context and resolve #1664
Updated the i18n bridge to work with the right language bindings #1662
Changes to the bss.provisioning.sample.app pom to avoid using shade and fix distribution build issues so it points to the right build.
Updated the SSO Sample Application to use the most recent Java APIs in the SDK. Changed the build numbers to sit builds within the current stream.
Update the pom.xml for com.ibm.sbt.proxy.web to fix issue with missing versions
Updated SearchService with URLParameter fixes and to enable multiple constraints
Addressed an open Security Bulletin with Apache Tomcat
TITLE: Security Bulletin: IBM Social Business Toolkit (CVE-2014-0230)
Abstract: Apache Tomcat is vulnerable to a denial of service, caused by an error when uploading files. An attacker could exploit this vulnerability to consume all available memory resources. Tomcat is packaged as demonstration and test web application
Content
VULNERABILITY DETAILS:
CVEID: CVE-2014-0230
DESCRIPTION:
Apache Tomcat is vulnerable to a denial of service, caused by an error when uploading files. An attacker could exploit this vulnerability to consume all available memory resources.
CVEID: CVE-2014-0230
DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an error when uploading files. An attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102131 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED PRODUCTS AND VERSIONS:
IBM Social Business Toolkit SDK 1.1.3
REMEDIATION:
*Download and install the 1.1.4 version which includes Tomcat 7.0.61 at https://github.com/OpenNTF/SocialSDK/releases/tag/v1.1.4.20150504-1700
*
Workaround(s) & Mitigation(s):
Manually upgrade to Tomcat 7.0.61 or higher.
REFERENCES:
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
https://exchange.xforce.ibmcloud.com/vulnerabilities/102131
ACKNOWLEDGEMENT
None
CHANGE HISTORY
05 MAY 2015 Original Copy Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
*_Note: *_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an ''''''''''''''''''''''''''''''''industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.'''''''''''''''''''''''''''''''' IBM PROVIDES THE CVSS SCORES ''''''''''''''''''''''''''''''''AS IS'''''''''''''''''''''''''''''''' WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
IBM Social Business Toolkit - v1.1.3.20150220
There are two security updates in the latest release:
Changed the Dojo Version to IBM Dojo Toolkit 1.8.9, and updated the builds to work with the new version
Due to the Dojo Security Advisory http://dojotoolkit.org/blog/dojo-security-advisory-2014-12-08
You can read more about it at
CVE-ID: CVE-2014-8917
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8917
Description: Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media Analytics 1.3 before IF11 and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Replaced Apache Tomcat with latest build for Apache Tomcat 7.0.59, and updated the builds to work with the new version
You can read more about it at
CVE-ID: CVE-2014-0227 - Apache Tomcat request smuggling
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227
Description: Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
Also, we have fixed:
fixed issues with test cases not providing right data
fixed the pom.xml for com.ibm.sbt.web to build with latestdojo
fixes the missing {connection} missing url part
changed the maven dependencies for the opensocial explorer project to use the default maven copy plugin
fixed the ActivityStreamService.js to use the proper url path
The Business Support Services Provisioning sample is not in the current build/release, and is to be included in a future build.
The current branch is 1.1.4-SNAPSHOT
The Maven Central sonatype version is 1.1.3.20150220-1200
As always, please use GitHub issues and StackOverflow for any release issues.
Details on Security
Title: Security Bulletin: IBM Social Business Toolkit - Apache Tomcat request smuggling (CVE-2014-0227)
Summary
The IBM Social Business Toolkit includes Apache Tomcat which is vulnerable to HTTP Request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
Vulnerability Details
Title: Security Bulletin: IBM Social Business Toolkit - Apache Tomcat request smuggling (CVE-2014-0227)
Summary
The IBM Social Business Toolkit includes Apache Tomcat which is vulnerable to HTTP Request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
Vulnerability Details
CVE ID: [CVE-2014-0227](http://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2014-0227)
DESCRIPTION: Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 4.300
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/100751 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
- IBM Social Business Toolkit 1.0.0 through 1.1.2
Remediation/Fixes
- Users may download the version of IBM Social Business Toolkit 1.1.3 or higher and use the Apache Tomcat which is included in the toolkit. There are directions available to install the upgraded instance at http://www-10.lotus.com/ldd/appdevwiki.nsf/xpDocViewer.xsp?lookupName=SDK+docs#action=openDocument&res_title=Installing_on_the_SDK_Tomcat_server_SDK1.0&content=sdkcontent
Workarounds and Mitigations
- Users may upgrade their Apache Tomcat instance to 7.0.59 or higher. The Apache Tomcat website includes directions at http://tomcat.apache.org/migration-7.html#Upgrading_7.0.x
- There is no known mitigation.
Reference
Related Information
IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
20 Feb 2015: Original Copy Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.