Novell

IDM User Application 301 Field Patch S

This document (5040000) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

File: UA301R-Linux.tar.gz
Product: Identity Manager 3.0.1
Status: Obsolete
Patch: IDM User Application 301 Field Patch R

patches that supersede this patch

This patch is not superseded by any other patches.

patch attributes

Security patch: Yes
Priority: Mandatory
Distribution Type: Public

document

Revision: 3
Document ID: 5040000
Creation Date: 2008-12-17 09:00:53
Modified Date: 2008-12-17 11:14:41

abstract

Field Patch 301S for Identity Manager User Application 3.0.1

details

Overview: Field Patch 301S for User Application 3.0.1

System Requirements: Windows, SLES, or Solaris

Installation: This is explained in the README.1st and README files within the archive file

Outline of the Patch Installation Steps


1) Stop the Application Server

2) Make a backup of the User Application war file and place it in a safe folder (outside of your install directory)

3) Extract the contents of the archive to your hard drive

4) Launch PatchUserApp (as the same user who installed the User Application, and make sure to use the correct installer)

4.a) On the second screen, select the 'Choose' button, navigate to and select the patch file (for example: UAPatch301A.zip), press Open, and then press Next

4.b) On the third screen, select the 'Choose' button, navigate to your install directory and select the install.properties file, press Open, and then press Next

4.c) Take the defaults on the rest of the screens


*If this installation of the User Application is the non-provisioning version, you will receive errors near the end of the patch process about not finding jar(s). Press OK and let the patch install continue. This is expected behavior, since you have the non-provisioning install of the UA; we only create one version of the patch.*

**If this installation of the User Application is on Windows, you will receive an informational warning at the end of the patch install that the "openwar" directory may not have been deleted and that you need to check. If the openwar directory (located in the \idm\jboss\server\IDM\deploy directory, for example) does exist, please delete it as the informational warning outlines.**

5) Once the patch installation has finished, complete the manual steps that are outlined in the README (they are located under "Special Instructions" for the bug that they apply to).

For Example:

**********************************************************
********************Special Instructions******************
**********************************************************

6) Once the above has been completed and the Application Server has been restarted or the war has been re-deployed, you can confirm the patch level. To do this, log in to the User Application and press the Help link in the header; information similar to the following appears at the bottom of the page:


Identity Manager version 3.0.1 Patch A


NOTE: The Patch level should match the version of the patch you just installed.
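
A pre-patch check for steps 2 and 3, as an added example that is not part of the original readme or of Novell's tooling: it refuses a backup folder that lies inside the install directory and compares a downloaded archive against the byte count listed under "file contents". The function names and every path passed to them are assumptions.

```sh
#!/bin/sh
# Added example, not Novell's tooling. Source it, then call the functions.
# Every path argument is an assumption; the readme gives none.

# Byte counts from the "file contents" table of this document.
expected_size() {
    case "$1" in
        UA301S-Linux.tar.gz) echo 33576690 ;;
        UA301S-Windows.zip)  echo 25983249 ;;
        *) return 1 ;;
    esac
}

# archive_size_ok FILE: 0 if FILE has the published size, 1 if not,
# 2 if the file name is not in the table. This catches truncated or
# swapped downloads only; the document publishes no checksums.
archive_size_ok() {
    want=$(expected_size "$(basename "$1")") || return 2
    have=$(wc -c < "$1" | tr -d ' ')
    [ "$have" = "$want" ]
}

# backup_war WAR INSTALL_DIR BACKUP_DIR (step 2): copy WAR into BACKUP_DIR,
# print the copy's path. Returns 3 if BACKUP_DIR lies inside INSTALL_DIR,
# 4 if the copy does not match the source byte for byte.
backup_war() {
    war=$1; install_dir=$2; backup_dir=$3; created=0
    [ -f "$war" ] || { echo "no such war file: $war" >&2; return 2; }
    [ -d "$backup_dir" ] || { mkdir -p "$backup_dir" || return 2; created=1; }
    inst=$(cd "$install_dir" && pwd -P) || return 2
    back=$(cd "$backup_dir" && pwd -P) || return 2
    case "$back/" in
        "$inst"/*)  # resolved paths, so symlinks and ../ cannot hide nesting
            [ "$created" -eq 1 ] && rmdir "$back"
            echo "backup folder is inside the install directory" >&2
            return 3 ;;
    esac
    dest="$back/$(basename "$war").$(date +%Y%m%d%H%M%S)"
    cp -p "$war" "$dest" || return 2
    cmp -s "$war" "$dest" || { echo "backup differs from source" >&2; return 4; }
    echo "$dest"
}
```
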


Uninstalling: This is explained in the README.1st within the archive file

Problems Resolved:

======================================================================
Patch 301A
======================================================================

*Bug 193713 - Adding certain attributes to the User Entity in the DAL
breaks Provision Flows

*Bug 182245 - Forgot password email is not correct if password contains
special characters (ñ)

*Bug 191934 - Long URL prevents org-chart from displaying properly in IE

======================================================================
Patch 301B
======================================================================

*Bug 195357 - DataItemException - Approval Flow fails to submit when
there is a carriage control line feed in a TextArea control

======================================================================
Patch 301C
======================================================================

*Bug 182391 - Multi Valued List control data does not get processed correctly by the User Application

======================================================================
Patch 301D
======================================================================

*Bug 191714 - WEB services end-points need to be open for normal users

======================================================================
Patch 301E
======================================================================

*Bug 203651 - A required dnslookup field that is not being enforced by
user application

======================================================================
Patch 301F
======================================================================

*Bug 202503 - User Defined question longer than 128 characters is not
saved

*Bug 171331 - user enters the UID in forgotten password process don't
give them the full context

*Bug 218883 - Unable to Modify Self in User Application 3.0.1

======================================================================
Patch 301G
======================================================================

*Bug 171330 - Forgotten password process if the user does not enter a
valid uid then given them a set of dummy questions

*Bug 224266 - Entity Activity does not create an entity if any of the
attributes are empty

*Bug 224069 - ENH: Make the ForgotPassword Portlet more secure when
entering a User ID

*Bug 224942 - Field Patch: Multiselect property is being ignored on
multivalued controls

======================================================================
Patch 301H
======================================================================

*Bug 228102 - Workflow fails when TextArea contains CR/LF

*Bug 202508 - User Defined question with an '&' causes problems

*Bug 201718 - Ampersand (&) in challenge response question or answer
causing NMAS error -1665

*Bug 232311 - Invalid timeout link in a provisioning request definition
puts workflow engine in unworkable state

======================================================================
Patch 301I
======================================================================

*Bug 245893 - Localized Default Shared Page names are not saved
correctly in Oracle

======================================================================
Patch 301J
======================================================================

*Bug 231012 - The User Interface jsps always tries to resolve
the recipient as a UserDN

*Bug 207428 - IDMLogin throws exception with credentials in header

*Bug 251877 - Forgot Password Portlet is still performing a Like Search
in User App 301

*Bug 246286 - Challenge Response flow breaks when a user selects
a certain sequence of key actions

*Bug 253641 - IDM 3.0.1 - Request & Approvals tab error: "Failed to process work entry list.provisioning system error: Entity not found"

======================================================================
Patch 301K
======================================================================

*Bug 257556 - Unable to use ForgotPassword Portlet with FieldPatch 301J
with uid instead of cn as the login attribute

======================================================================
Patch 301L
======================================================================

*Bug 263363 - DN Maker Control does not work in Internet Explorer

*Bug 264069 - New: Directory layer does not cache user's groups at all

*Bug 246286 - Challenge Response flow breaks when a user selects a certain sequence of key actions

======================================================================
Patch 301M
======================================================================

*Bug 272746 - Server restart in clustered environment may result in
indeterminate state for running workflow processes

======================================================================
Patch 301N
======================================================================

*Bug 289742 - Identity Injection fails if a pound (#) is in the password

======================================================================
Patch 301O
======================================================================

*Bug 293427 - handling of double quote character in workflow
parameters allows for code injection

======================================================================
Patch 301P
======================================================================

*Bug 300498 - Password Portlets leaving connections open (IDM User App. 3. 01)


======================================================================
Patch 301Q
======================================================================

*Bug 296105 - backslash character is not properly (un)escaped

*Bug 328391 - Invalid Addressee or Retry Addressee causes
'java.lang.IllegalArgumentException' and any new flow will fail with 'Timer already cancelled'

======================================================================
Patch 301R
======================================================================

*Bug 400889 - 301 Patch: Persistent (stored) XSS vulnerabilities for input
fields

*Bug 400901 - 301 Patch: Potential XSS vulnerability in portal


======================================================================
Patch 301S
======================================================================

*Bug 437699 - Field Patch (301): Potential XSS vulnerability in Page Navigation

*Bug 441795 - Field Patch (301): UA Driver fails to start on NetWare

======================================================================

Technical Support Information: If you experience any issues with this Patch, please open a Service Request with the IDM User Application Support Team

security fixes

Scripts can be posted to a page navigation within the User Application:

*Bug 437699 - Field Patch (301): Potential XSS vulnerability in Page Navigation

file contents

Files Included        Size                 Date
UA301S-Linux.tar.gz   32.0 MB (33576690)   2008-12-17 08:45:23
UA301S-Windows.zip    24.7 MB (25983249)   2008-12-17 08:45:56
readme_5040000.html   N/A                  2008-12-17 11:14:42

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.

© 2007 Novell, Inc. All Rights Reserved.