Reflection for Secure IT Server for Windows 8.2 SP1 Update 1 Release Notes

November, 2017

Reflection for Secure IT Server for Windows 8.2 Service Pack 1 Update 1 (version 8.2.1100) was released in November 2017 and is available to new and maintained customers. This update addresses several security vulnerabilities and includes several enhancements and software fixes.

1.0 What’s New?

This update includes the following security improvements and software fixes.

1.1 Security Improvements

This update includes the following security improvements:

Addressed security vulnerability: CVE-2017-10989 SQLite heap-based buffer over-read

Upgraded SQLite3 with preprocessed source to version 3.20.1 to address this vulnerability:

The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.

Updated to OpenSSL 1.0.2k release

This update addressed the security vulnerabilities described in the January 26, 2017 OpenSSL Security Advisory.

1.2 Software Fixes and Enhancements

This update includes the following software improvements and fixes:

Added an option to set read access permissions on files that are downloaded to Unix systems

Added the following Permission setting to the rsshd_config.xml server configuration file that allows you to set read access permissions for a file when you download it to a Unix system.

<PermitUnixGroupOtherRead>true</PermitUnixGroupOtherRead>

When PermitUnixGroupOtherRead is set to true (as shown above), files downloaded to a Unix or Linux client have a 0644 permission value (Read/write for file Owner, Read for Group, and Read for Other). If a file with the same name already exists in the download directory, the existing access permissions on the replaced file are not changed.

To enable this feature, you’ll need to stop the server, manually edit the rsshd_config.xml file to change this setting value to true, and then restart the server. (By default this setting is set to false.)

NOTE: This setting is not propagated to the server rsshd_config.xml file until the administrator opens the configuration console, makes some sort of update (this can be just changing any property and then changing it back to the prior value), and then chooses File > Save Settings or clicks the Save Settings icon on the toolbar.

CAUTION: Enabling this setting (true) allows other users and groups read access to downloaded files. To secure sensitive data, this setting should not be changed from the default.
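The caution above is easy to verify on the receiving side. The following Python script is an added example, not part of the release notes or of the product: it audits a download directory on a Unix or Linux client for files whose mode grants read access to group or other (the 0644 result of PermitUnixGroupOtherRead=true), and can strip those bits again. The sample directory it builds is constructed for the demonstration; the owner-only 0600 contrast file is an assumption used for comparison, not a mode the release notes state for the default setting.

```python
"""Audit a Unix/Linux download directory for group/other-readable files.

Added example (not product code). With PermitUnixGroupOtherRead=true the
server leaves downloaded files at 0644 (rw-r--r--); this script finds such
files and optionally removes the group/other read bits.
"""
import os
import stat
import tempfile
from typing import Dict, List

# The two permission bits that distinguish 0644 from owner-only access.
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH  # 0o044


def describe_mode(mode: int) -> str:
    """Render permission bits as an rwx string, e.g. 0o644 -> 'rw-r--r--'."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))[1:]


def find_group_other_readable(directory: str) -> Dict[str, str]:
    """Return {filename: rwx-string} for regular files in `directory`
    whose mode grants read access to group or other."""
    findings: Dict[str, str] = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: do not follow symlinks out of the directory
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & GROUP_OTHER_READ:
            findings[name] = describe_mode(st.st_mode)
    return findings


def restrict_to_owner(directory: str, dry_run: bool = False) -> List[str]:
    """Equivalent of `chmod go-r` on every flagged file; returns the names
    that were (or, with dry_run=True, would be) changed."""
    changed: List[str] = []
    for name in find_group_other_readable(directory):
        path = os.path.join(directory, name)
        if not dry_run:
            current = os.lstat(path).st_mode & 0o777
            os.chmod(path, current & ~GROUP_OTHER_READ)
        changed.append(name)
    return changed


def build_sample_download_dir() -> str:
    """Constructed sample: one file as the server leaves it with
    PermitUnixGroupOtherRead=true (0644) and one owner-only file (0600,
    an assumed contrast value) so the audit has something to compare."""
    directory = tempfile.mkdtemp(prefix="rsit-downloads-")
    samples = (("report_group_other_read.csv", 0o644),
               ("report_owner_only.csv", 0o600))
    for name, mode in samples:
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    return directory


if __name__ == "__main__":
    sample_dir = build_sample_download_dir()
    print("Readable by group/other:", find_group_other_readable(sample_dir))
    print("Restricted:", restrict_to_owner(sample_dir))
    print("After fix:", find_group_other_readable(sample_dir))
```

Run it against a real download directory by replacing the sample directory with the path in question; use dry_run=True first to see what would change. The audit only looks at regular files and uses lstat, so a symlink in the download directory does not cause the check or the chmod to act on a target outside it.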

Decoupled the Record passwords in the cache when users log in and the Use cached passwords to give users access to domain resources options in the Credential Cache settings

The Record passwords in the cache when users log in and Use cached passwords to give users access to domain resources settings are now independent of each other to provide greater flexibility. For example, you can now restrict client authentication to require public key only and at the same time allow only those accounts with passwords cached in the Credentials database to access domain resources.

With the Record passwords in the cache when users log in setting disabled and Use cached passwords to give users access to domain resources enabled, accounts that have passwords in the credential cache can connect to the server with public key only authentication and have access to domain resources. Users who connect but do not have a cached password are no longer prompted for their password.

NOTE: If Record passwords in the cache when users log in is disabled when a user’s password changes, this setting must be enabled to record the updated password the next time the user connects, or the password must be updated manually in the server console.

The “Show owner and group in directory listings on network shares (slower)” setting was set inconsistently after an upgrade

Fixed a problem with the new Show owner and group in directory listings on network shares setting, added in version 8.2 SP1. This setting was not set consistently after an upgrade: the setting in a User Configuration was enabled while it was disabled in the Global, Client Host, and Group Configurations.

By default, the subconfiguration values now match those in the Global configuration. The default value is false (unchecked).

The value of the GetOwnerGroup attribute for each SFTP Directory also matches the value shown in the server console, the value held in the rsshd_config.xml file, and the behavior of the server. The asterisk displayed in the server console (the " * - Setting is no longer inherited" indicator) now displays properly as the Subconfiguration settings are modified.

The server can now maintain the correct filename when transferring files containing non-ASCII characters from an OpenSSH client

Before this fix, file names that contained certain special characters were modified during the file transfer.

NOTE: To enable the server to maintain file names that contain non-ASCII characters, you must create the System environment variable RSSHUTF8 and set it to true.

2.0 Installation

For instructions that show how to install this update, see Installation in the Reflection for Secure IT Server for Windows User Guide.

3.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/.

Copyright © 2017 Attachmate Corporation, a Micro Focus company. All rights reserved.

The only warranties for this product and any associated updates or services are those that may be described in express warranty statements accompanying the product or in an applicable license agreement you have entered into. Nothing in this document should be construed as creating any warranty for a product, updates, or services. The information contained in this document is subject to change without notice and is provided “AS IS” without any express or implied warranties or conditions. Micro Focus shall not be liable for any technical or other errors or omissions in this document. Please see the product’s applicable end user license agreement for details regarding the license terms and conditions, warranties, and limitations of liability. Any links to third-party websites take you outside Micro Focus websites, and Micro Focus has no control over and is not responsible for information on third-party sites.