IBM Traveler 9.0.1.12 released including a security fix
Daniel Nashed – 14 July 2016 07:45:20
IBM Traveler 9.0.1.12 shipped with some important changes. The first change is a security fix which is described below.
But there is another security fix in the installer on Windows as well and some other fixes that could be affecting you.
Upgraded my server already.
-- Daniel
Security Bulletin: XML External Entities Injection Vulnerability in IBM Traveler (CVE-2016-3039)
IBM Traveler is vulnerable to a denial of service caused by an XML External Entity Injection (XXE) error when processing XML data.
http://www.ibm.com/support/docview.wss?uid=swg21985858&myns=swglotus&mynp=OCSSYRPW&mync=E&cm_sp=swglotus-_-OCSSYRPW-_-E
http://www.ibm.com/support/docview.wss?uid=swg21700212#90112
APAR # | Abstract |
LO87689 | Invitee status not updated on Mobile device when external invitee responds. |
LO88807 | Add the immediately remove invitee from invite on mobile device may not remove the invitee. |
LO88916 | Invitee status not updated on Outlook client when external invitee responds. |
LO88950 | Event still appears ghosted on mobile device after process an info update from ghosted entry. |
LO89057 | Upgrade install technology to prevent MS Windows DLL Loading vulnerability. |
LO89097 | Traveler device may display EnterSendTo field if SendTo empty for non-draft message. |
LO89287 | Warning message for NumberFormatException for empty string should be Info log message and not a warning. |
LO89357 | Update to prevent XML External Entities Injection vulnerability. |
LO89358 | Same full name contact could sync wrong contact photo. |
LO89421 | Ghosted entry for non-repeating event Cancel notice may show additional options on mobile device. |
LO89499 | APNS notifications for IBM Verse for iOS may be in English instead of device preferred language. |
LO89501 | Attachments and in-line images missing content header may not sync to mobile device. |
LO89540 | Traveler Utility application should warn if attempting to change the DB2 user name as this may change the schema name as well. |
LO89543 | Prevent device from renaming folder to null string. |
LO89544 | Accept reschedule of non-repeating event from ghosted entry on Apple iOS Calendar application may not take effect on server. |
- Comments [2]
1Uwe Sartorius 28.07.2016 9:56:13 IBM Traveler 9.0.1.12 released including a security fix
Hi Daniel,
after updating out Traveler servers to this release we facing the same bug as describend here:
{ Link }
Any others having the same issue right now?
Cheers
Uwe
2Uwe Sartorius 05.08.2016 8:24:11 IBM Traveler 9.0.1.12 released including a security fix
Hi Daniel!
LO89772: Multiple replies to chair for non-repeating meeting is fixed with 9.0.1.12 but we facing this issue since we updated to 9.0.1.12 :-)