CM1 5.2.5 Release Notes

CM1 version 5.2.5 is now available to all customers. Please see the downloads page for access to this release, and review the upgrade instructions before updating your system. Including the features outlined in the Release Preview blog post, this release includes the following:

Improvements

  • Asset API now supports binary replace. Previously, in order to perform a replace on a binary asset using the API, it was necessary to perform a delete and then create a new copy. The API now fully supports replace so the item is updated, maintaining any managed links that point to it.
  • Upgrade DTS to Tomcat 7. This change is the first of a series of platform updates that Percussion are making to CM1 over the next few releases. CM1 will now benefit from the numerous security and performance updates included in Tomcat 7. This change addresses several security vulnerabilities (see below).
  • Support for File/Directory Exclusions to Publishing Copy Resources Task. The copy resources task occurs at the end of full and incremental publishes, moving items such as CSS, Themes and JavaScript from the CM1 server to the web server. It is now possible to filter out items from this task that you do not want copied over, such as backups, version history or specific folders. See the last section on configuring publishing for more information.
  • Ability to link Files from a Widget Builder Widget. When building a new Widget Builder widget, it is now possible to select "File" as an input type when adding a new field.
  • Application Startup time improved. The time taken for CM1 to initially start up has been decreased by around 1 minute, through improved management of the sequence of tasks that run when the service is started.

Customer Incidents

  • Publishing a page twice using publish now causes browser to freeze. If a page was published twice in quick succession, the application could become temporarily unresponsive. This has been resolved through implementation of more efficient database queries used with Publish Now.
  • Staging Publish Now is Incorrectly Publishing Web Resources. The Web Resources publishing task should only occur during Full or Incremental publishes but was being run when performing a Publish Now using a Staging server. This unnecessarily increased the time taken to publish individual items to Staging. The configuration has been updated and now behaves as Publish Now does for a regular Pub Server.
  • Publish Now actions resulting in Unpublish Now. Depending on how a site was named & configured, certain Publish Now actions were actually running the Unpublish Now edition. The way publishing editions are referenced has been updated to prevent this.
  • Firefox error with https on CM1. Upon upgrading to Firefox version 39, users were seeing the message: "SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake". See this link for details. The product has been updated to explicitly disable the compromised cipher standards causing this error.

Fixed Security Vulnerabilities

DTS

  • Moderate: Security Manager bypass CVE-2014-7810
  • Important: Request Smuggling CVE-2014-0227
  • Low: Denial of Service CVE-2014-0230
  • Low: Information Disclosure CVE-2014-0119
  • Important: Denial of Service CVE-2014-0075
  • Important: Information disclosure CVE-2014-0096
  • Important: Information disclosure CVE-2014-0099
  • Important: Denial of Service CVE-2014-0050
  • Important: Denial of service CVE-2013-4322
  • Low: Information disclosure CVE-2013-4590
  • Important: Information disclosure CVE-2013-4286
  • Moderate: Information disclosure CVE-2013-2071
  • Important: Remote Code Execution CVE-2013-4444
  • Important: Session fixation CVE-2013-2067
  • Important: Bypass of CSRF prevention filter CVE-2012-4431
  • Important: Denial of service CVE-2012-3544
  • Moderate: DIGEST authentication weakness CVE-2012-3439
  • Important: Bypass of security constraints CVE-2012-3546
  • Important: Denial of service CVE-2012-2733
  • Important: Denial of service CVE-2012-4534
  • Important: Denial of service CVE-2012-0022
  • Important: Information disclosure CVE-2011-3375
  • Low: Privilege Escalation CVE-2011-3376
  • Important: Authentication bypass and information disclosure CVE-2011-3190
  • Important: Information disclosure CVE-2011-2729
  • Low: Information disclosure CVE-2011-2526
  • Low: Information disclosure CVE-2011-2204
  • Low: Information disclosure CVE-2011-2481
  • Important: Security constraint bypass CVE-2011-1582
  • Important: Information disclosure CVE-2011-1475
  • Moderate: Multiple weaknesses in HTTP DIGEST authentication CVE-2011-1184
  • Important: Security constraint bypass CVE-2011-1183
  • Important: Security constraint bypass CVE-2011-1088
  • Important: Remote Denial Of Service CVE-2011-0534
  • Low: Cross-site scripting CVE-2011-0013
  • Low: Cross-site scripting CVE-2010-4172
  • Low: SecurityManager file permission bypass CVE-2010-3718
  • Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227
  • Low: Denial Of Service CVE-2012-5568
  • Important: Remote Denial Of Service CVE-2010-4476
  • Moderate: TLS SSL Man In The Middle CVE-2009-3555
  • Important: Remote Memory Read CVE-2014-0160

CM1

  • Content Type Incorrectly Stated Vulnerability: Wrong Type & Encoding - CMS-1095
  • XML Injection Vulnerability - CMS-1087
  • Session token in URL Vulnerability: Session token on URL - CMS-1089
  • Cross-site scripting (reflected) Vulnerability: Finder & Search Pagination - CMS-1090
  • Password field with autocomplete enabled Vulnerability: Login Page - CMS-1091
  • Path-relative style sheet import vulnerability - CMS-1092
  • Frameable response (potential Clickjacking) Vulnerability - CMS-1094

Configuration Notes

XML Injection Vulnerability - CMS-1087

A new server property was added to prevent stack traces that echo input data from being returned to the client browser.

To re-enable stack traces, set sendErrorStackToClient=true in the rxconfig/Server/server.properties file.

Password field with autocomplete enabled Vulnerability: Login Page - CMS-1091

Auto-Complete in the Login form is a desired feature for the majority of customers. For customers that require Login Form Auto-Completion to be disabled, the following server property may be set to disable Auto Completion in the login form.

To disable Login Auto Completion, set loginAutoComplete=off in the rxconfig/Server/server.properties file.
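A way to check both properties on an installed server, as an added example that is not part of the release or of CM1 itself. The function names are hypothetical; it assumes key=value lines, that a missing property leaves the default described above, and that values are compared case-insensitively.

```shell
#!/bin/sh
# Added example: audit the two server.properties settings from these notes.

# Print the effective value of KEY ($2) in a Java-style properties FILE ($1).
# Skips # and ! comments, trims whitespace, and lets the last assignment win.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0; sub(/\r$/, "", line)
            eq = index(line, "="); if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one line per setting that differs from the hardened state described
# in the configuration notes. Case-insensitive comparison is an assumption.
audit_server_properties() {
    stack=$(prop_value "$1" sendErrorStackToClient | tr '[:upper:]' '[:lower:]')
    auto=$(prop_value "$1" loginAutoComplete | tr '[:upper:]' '[:lower:]')
    if [ "$stack" = "true" ]; then
        echo "sendErrorStackToClient=true: stack traces are returned to the browser"
    fi
    if [ "$auto" != "off" ]; then
        echo "loginAutoComplete is not off: login form autocomplete stays enabled"
    fi
}

# Demo on a constructed file (not a real CM1 configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
sendErrorStackToClient = false
sendErrorStackToClient=true
loginAutoComplete=off
EOF
audit_server_properties "$sample"
rm -f "$sample"
```

On a real installation, pass the path to rxconfig/Server/server.properties to audit_server_properties; no output means both settings are in the hardened state.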

Known Issues

Widget Builder using reserved words cannot be updated. If a custom widget is using reserved words and the system is updated to 5.1, 5.2.1, or 5.2.5, the widgets are no longer editable. Reserved Words were originally allowed in CM1 but were restricted as of 5.1. If you are on a version earlier than 5.1, you should check that your custom widgets are not using Reserved Words. If you have already upgraded to 5.1 or later, please check you can update your custom widgets. Please contact Support if you are unable to edit any of your custom widgets. For a list of reserved words, see this page.

Issues connecting to DTS following upgrade.

1) After upgrading, some users have had an issue with DTS where port 8443 - used by CM1 to communicate with DTS during publishing - does not start correctly, causing publishing jobs to show as "Completed with Failures." 

To resolve this, find this file on your DTS installation:

<DTS_Root>/Deployment/Server/conf/server.xml

You can edit this file (first make a backup, just in case) and comment out line 22, which looks like this:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>

and change it to this:

<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/> -->

After this change, stop the DTS service, wait about a minute, then start the service again.

NOTE: You do not need to restart the CM1 service. After DTS starts up again, try publishing and see if it completes without failures.

2) Copies of CM1 that were originally installed with a version earlier than 4.0 may have issues connecting to the DTS upon upgrade. If this issue occurs, an update to certain Java files on the server can be completed with the assistance of the Support team.
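The server.xml edit from item 1, scripted as an added example that is not part of the release or supplied by Percussion. It matches the Listener element by content instead of relying on line 22, keeps a backup, and is safe to run twice; the function name and the backup file name are this example's own, and it assumes the element sits on a single line as shown above.

```shell
#!/bin/sh
# Added example: comment out AprLifecycleListener in a DTS server.xml.

# Comments out the active listener element in the file given as $1.
# An active element starts its line; a commented one starts with "<!--".
disable_apr_listener() {
    conf=$1
    bak="$conf.pre-apr.bak"      # backup name is this example's choice
    pat='^([[:space:]]*)(<Listener[^>]*AprLifecycleListener[^>]*/>)'
    [ -f "$conf" ] || { echo "not found: $conf" >&2; return 2; }
    if ! grep -Eq "$pat" "$conf"; then
        echo "no active AprLifecycleListener in $conf; nothing to change"
        return 0
    fi
    # Keep the first backup so a re-run never overwrites the original.
    [ -e "$bak" ] || cp -p "$conf" "$bak" || return 1
    tmp="$conf.tmp.$$"
    sed -E "s|$pat|\1<!-- \2 -->|" "$conf" > "$tmp" || return 1
    cat "$tmp" > "$conf" && rm -f "$tmp"   # cat keeps the file's owner and mode
    echo "commented out AprLifecycleListener; backup: $bak"
}

# With a path argument, patch that file; with none, run on a constructed sample.
if [ "$#" -gt 0 ]; then
    disable_apr_listener "$1"
else
    demo=$(mktemp -d)
    cat > "$demo/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Listener className="org.apache.catalina.core.JasperListener"/>
</Server>
EOF
    disable_apr_listener "$demo/server.xml"
    cat "$demo/server.xml"
    rm -rf "$demo"
fi
```

Restart the DTS service afterwards as described in item 1; the script only edits the file.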