@prb112 prb112 released this Dec 8, 2015 · 11 commits to master since this release


There are multiple themes for this build.
1 - Reduce Build Time [30 Minutes to 15 Minutes]
2 - Reduce Kit Size [160M to 40M]
3 - Code Cleanup
4 - Fixed/Updates

Reduce the Build Size and Build Time

Removed Source Zip Files from Build
Removed Tomcat from Build. If you want to set up your own Tomcat environment, refer to https://github.com/OpenNTF/SocialSDK/wiki/Building-your-first-social-enabled-jsp
Changed the Samples to build/test only. The Samples are no longer assembled and delivered. Results in a smaller download.

Code Cleanup - JavaDocs

Updated JavaDocs to support the custom tags (ibm-api and method) in the Maven build
Cleaned up the JavaDocs to remove warnings about improper @see @return @param

Projects which are updated include:
com.ibm.sbt.core
com.ibm.sbt.automation.core
bss.provisioning.sample.app
com.ibm.xsp.sbtsdk
com.ibm.sbt.opensocial.domino
com.ibm.xsp.sbtsdk.playground
com.ibm.sbt.automation.test
sbt.sample.app

Code Cleanup - General

Cleaned up the samples/config/sbt.properties (Removed DropBox/Twitter/References to LotusLive)
Removed MockService Logging for the initialize method
Updated CDNJS read me to describe the purpose of the folder
Fixed Issue with Line Feed Character

Fixed/Updated

Resolved retrieve tags on a user profile returns no tags at all #1719
Resolved Upload new version of community file does not work #1702
Fixed IE XPath detection #1727
Rejected #1725 (Get reply count from getreply url) and provided getReplyCount from opensearch:totalResults in lieu of it
Fixed Using getRemoteApplications( commUuid ) runs into a java.lang.OutOfMemoryError: Java heap space error #1728 and removed the infinite loop created by two methods calling each other
Fixed Blog posts get comments does not work for on-prem Connections #1670
Fixed Issue with the proxy #1704
Implemented the change for OAuth2Handler bug with getAccessTokenForAuthorizedUsingPOST & double encoding #1597
Fixed Suggestion ProfileService.checkColleague should catch 404 error and return null #1579
Fixed issue with getCommunity not returning ClientServicesException testGetCommunityByInvalidId(com.ibm.sbt.services.client.connections.communities.CommunityServiceNoCommonCommunityTest)
Fixed issue with deleteWiki and deleteWikiPage - deleteWikiTest(com.ibm.sbt.services.client.connections.wikis.WikiCreateAndDeleteTest) and getAndDeleteWikiPageTest(com.ibm.sbt.services.client.connections.wikis.WikiPageTest)
Added isExternal, which was missing from the Community object (Java) #1637
Improved IE XPath detection #1727
Resolved Need method to get all invitations for a community #1549
Answered Create a stand-alone wiki => "Field permissions was not found or had no value" #1729
Added support for the AppKey Header to enable/add the following to your endpoint appKeyAPPKEYVALUE
Fixed Oauth credentials are not being persisted to the configured database #1478. Also fixed the source class in the OAuth2.0 handler (for logging). Note that the database change in the OAuth handler may break databases that were created with earlier scripts.
Added AbstractEndpoint - getSessionKey/setSessionKey to support api management endpoint session key
Added Generalized Support for Global Headers for A User Based Endpoint - #1720
Automated the Delivery of CDNJs Files based on -SNAPSHOT value / version
Changed the CodeLoad download for sources to only occur in the Deploy phase
Updated version of maven-javadoc-plugin
Addressed the mixed legacy and AMD loader issue in the ActivityStreamService utility code

Notes

As noted in #1547, when an AMD loader is used, there is an issue with rendering the Extensions. This is a known issue with no plans to fix.
As noted in #1504, WikiPage setContent and getContent do not support/retrieve the content for the WikiPage. It is working as designed, and you can get the linked content via the ATOM API.
As noted in #1537 InReplyTo object provides access to the Activity Comment feature.
As noted previously, Tomcat has been removed from the release.

@prb112 prb112 released this Oct 2, 2015 · 74 commits to master since this release


Updates to the BSS sample application

@prb112 prb112 released this Sep 8, 2015 · 96 commits to master since this release


Updates for XPath Engine check in JavaScript Binding
Updates to AccessToken to include Date/Time validation Checks from Original Acquisition

@prb112 prb112 released this Aug 18, 2015 · 121 commits to master since this release


(1) - Update to localeUtil.js - removed trailing comma to ensure IE Compatibility
(2) - AddTagsWidget.js:205 - modified the error template to present a well formed message
(3) - Added <maven.javadoc.skip>true</maven.javadoc.skip> to library projects to skip javadoc plugin and for the tomcat assembly pom.xml
(4) - Fixed MockServiceTransport.js, which had an extra }); and an extra } on line 209 (error: '[object HTMLScriptElement] InternalError: missing } after property list (')
(5) - Updated the assembly pom.xml to include a strict reference to context.xml, which was missing from Apache Tomcat, and added overwrite="true"
(6) - Set CommunityTest.java to ignore, as the backing mock data does not exist
(7) - Reconcile the com.ibm.commons libraries version to 1.1.6.20150817-1200 - related to #1689
(8) - Fixed TabbedBaseView Warning
(9) - JavaScript - Fixed issue with Default endpoints overriding set endpoints in FileService and ProfileService (smartcloud)
(10) - Java - fix to forumservice for getTopics


There are many updates in place in v1.1.4.20150504-1700 (1 security update)
The current snapshot is 1.1.5-SNAPSHOT

Items addressed:
Updated the RestClient to build the default context and resolve #1664

Updated the i18n bridge to work with the right language bindings #1662

Changes to the bss.provisioning.sample.app pom to avoid using shade and fix distribution build issues so it points to the right build.

Updated the SSO Sample Application to use the most recent Java APIs in the SDK. Changed the build numbers so that builds sit within the current stream.

Update the pom.xml for com.ibm.sbt.proxy.web to fix issue with missing versions

Updated SearchService with URLParameter fixes and to enable multiple constraints

Addressed an open Security Bulletin with Apache Tomcat

TITLE: Security Bulletin: IBM Social Business Toolkit (CVE-2014-0230)

Abstract: Apache Tomcat is vulnerable to a denial of service, caused by an error when uploading files. An attacker could exploit this vulnerability to consume all available memory resources. Tomcat is packaged as a demonstration and test web application.


VULNERABILITY DETAILS:

CVEID: CVE-2014-0230

DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an error when uploading files. An attacker could exploit this vulnerability to consume all available memory resources.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102131 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS AND VERSIONS:
IBM Social Business Toolkit SDK 1.1.3

REMEDIATION:

Download and install the 1.1.4 version, which includes Tomcat 7.0.61, at https://github.com/OpenNTF/SocialSDK/releases/tag/v1.1.4.20150504-1700

Workaround(s) & Mitigation(s):

Manually upgrade to Tomcat 7.0.61 or higher.

REFERENCES:

https://exchange.xforce.ibmcloud.com/vulnerabilities/102131

RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT

None

CHANGE HISTORY

05 MAY 2015 Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

@prb112 prb112 released this Feb 21, 2015 · 222 commits to master since this release


There are two security updates in the latest release:
Changed the Dojo version to IBM Dojo Toolkit 1.8.9 and updated the builds to work with the new version, due to the Dojo Security Advisory http://dojotoolkit.org/blog/dojo-security-advisory-2014-12-08
You can read more about it at CVE-ID: CVE-2014-8917, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8917
Description: Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media Analytics 1.3 before IF11 and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Replaced Apache Tomcat with the latest build of Apache Tomcat 7.0.59 and updated the builds to work with the new version
You can read more about it at CVE-ID: CVE-2014-0227 - Apache Tomcat request smuggling, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227
Description: Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

Also, we have fixed:
Fixed issues with test cases not providing the right data
Fixed the pom.xml for com.ibm.sbt.web to build with the latest dojo
Fixed the missing {connection} URL part
Changed the maven dependencies for the opensocial explorer project to use the default maven copy plugin
Fixed the ActivityStreamService.js to use the proper URL path

The Business Support Services Provisioning sample is not in the current build/release, and is to be included in a future build.

The current branch is 1.1.4-SNAPSHOT
The Maven Central sonatype version is 1.1.3.20150220-1200

As always, please use GitHub issues and StackOverflow for any release issues.

Details on Security
Title: Security Bulletin: IBM Social Business Toolkit - Apache Tomcat request smuggling (CVE-2014-0227)
Summary
The IBM Social Business Toolkit includes Apache Tomcat which is vulnerable to HTTP Request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

Vulnerability Details

CVE ID: [CVE-2014-0227](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227)

DESCRIPTION: Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

CVSS Base Score: 4.300
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100751 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

  • IBM Social Business Toolkit 1.0.0 through 1.1.2

Remediation/Fixes

Workarounds and Mitigations

Reference

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

20 Feb 2015: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.