IBM Traveler 9.0.1.12 released including a security fix
Daniel Nashed – 14 July 2016 07:45:20
IBM Traveler 9.0.1.12 shipped with some important changes. The first is a security fix, which is described below.
There is also another security fix, in the installer on Windows, as well as some other fixes that could affect you.
Upgraded my server already.
-- Daniel
Security Bulletin: XML External Entities Injection Vulnerability in IBM Traveler (CVE-2016-3039)
IBM Traveler is vulnerable to a denial of service caused by an XML External Entity Injection (XXE) error when processing XML data.
http://www.ibm.com/support/docview.wss?uid=swg21985858&myns=swglotus&mynp=OCSSYRPW&mync=E&cm_sp=swglotus-_-OCSSYRPW-_-E
http://www.ibm.com/support/docview.wss?uid=swg21700212#90112
APAR # | Abstract |
LO87689 | Invitee status not updated on Mobile device when external invitee responds. |
LO88807 | Add the immediately remove invitee from invite on mobile device may not remove the invitee. |
LO88916 | Invitee status not updated on Outlook client when external invitee responds. |
LO88950 | Event still appears ghosted on mobile device after process an info update from ghosted entry. |
LO89057 | Upgrade install technology to prevent MS Windows DLL Loading vulnerability. |
LO89097 | Traveler device may display EnterSendTo field if SendTo empty for non-draft message. |
LO89287 | Warning message for NumberFormatException for empty string should be Info log message and not a warning. |
LO89357 | Update to prevent XML External Entities Injection vulnerability. |
LO89358 | Same full name contact could sync wrong contact photo. |
LO89421 | Ghosted entry for non-repeating event Cancel notice may show additional options on mobile device. |
LO89499 | APNS notifications for IBM Verse for iOS may be in English instead of device preferred language. |
LO89501 | Attachments and in-line images missing content header may not sync to mobile device. |
LO89540 | Traveler Utility application should warn if attempting to change the DB2 user name as this may change the schema name as well. |
LO89543 | Prevent device from renaming folder to null string. |
LO89544 | Accept reschedule of non-repeating event from ghosted entry on Apple iOS Calendar application may not take effect on server. |