fighting for truth, justice, and a kick-butt lotus notes experience.

 

Detlev Poettgen

 

New POODLE update for IBM Mobile Connect

 17 December 2014 21:21:15
Yesterday IBM published a new Interim Fix for IBM Mobile Connect 6.1.5.2, and for 6.1.5.1 as well.
Besides other fixes, it contains an important update that protects against the latest POODLE variation.

Details about the new POODLE variation can be found here:

German: http://www.heise.de/newsticker/meldung/Poodle-beisst-Load-Balancer-Lueckenhafte-Internet-Verschluesselung-mit-TLS-SSL-2482929.html
English: https://www.imperialviolet.org/2014/12/08/poodleagain.html


This is the Fixlist for 6.1.5.2:

IV66937 | Connections via a browser redirected to wrong host when connections server sends a META refresh. | 20141120
IV67055 | Sametime mobile authentication fails when using LTPA and alternate authentication methods such as RADIUS and Certificate authentication. | 20141120
IV67169 | URL rewriting is not matching DOMAIN rules. | 20141125
IV67689 | Certificate authentication, LTPA token expiration not always verified when loading session from the AST. Expired tokens may get sent to server and client. | 20141211
IV67722 | Gateway restarts regularly on Windows if Remove Users After Period Of Inactivity is enabled. | 20141211
IV67750 | Gatekeeper SSL connection is vulnerable to POODLE SSLv3 when SSL connections are required. | 20141211
IV67792 | TLS PADDING VULNERABILITY, CVE-2014-8730 | 20141211
IV66935 | Connections widgets do not display properly when using a browser to access a connections server. | 20141215
IV67873 | HTTP service redirect ports not working in 6.1.5.2 | 20141215
IV67878 | Sametime mobile users may fail to login when using LTPA for SSO with the Sametime proxy. | 20141215


Get the downloads via Fix Central: here

    IBM Domino 9.0.1 FP2 IF2 - Fixlist

     15 December 2014 09:04:37
    On Friday IBM released a new Interim Fix for 9.0.1 FP2, which is called 9.0.1 FP2 IF2.

    This is included:

    SPR | Description | Fix introduced in release
    RGAU8XFMDN | Date And Time Fields Behaves Unnormal With Dates Within Certain Time Periods | 9.0.1 Fix Pack 2 Interim Fix 2 (W32 & W64 Only)
    WWAG9Q64YW | Calendar entry shows one hour off after Jan 7, 2015 after Russian DST hotfix is installed |

    Fixes to SPR #WWAG9Q64YW and #RGAU8XFMDN are disabled by default. For the fix to be enabled, you will need the INI setting OS_SUPPORT_PASTDST=1 (Technote 1692656) & (Technote 1692718).




    POODLE reloaded and there will be a fix for it

     12 December 2014 09:26:17
    Because there are some discussions in the Blog-o-Sphere about the poor SSL implementation in Domino, I would like to share the following regarding the new variation of the POODLE attack.

    Details about the new POODLE variation can be found here:

    German: http://www.heise.de/newsticker/meldung/Poodle-beisst-Load-Balancer-Lueckenhafte-Internet-Verschluesselung-mit-TLS-SSL-2482929.html
    English: https://www.imperialviolet.org/2014/12/08/poodleagain.html

    Yes, I agree IBM had slept for more than ten years to keep the SSL/TLS stuff up to date, but I can only tell you:

    IBM is aware of this bad situation and they are heavily working on it to get it fixed.


    via Twitter:

    [Image: POODLE reloaded and there will be Fix for it]

    Just can't say more at the moment, but just wait...


    Firefox disables SSLv3 with version 34 starting 25.11. - Act now

     23 November 2014 13:23:27
    Act now and make sure that your HTTPS-protected websites such as iNotes, XPages or any other Domino-based websites still work after 25.11.2014!

    Most Domino servers use only the more than 18-year-old SSL v3 protocol for secure communication with browsers. Its encryption has since been broken, so it is considered insecure. Using TLS, from version 1.0 onward, is better and more secure.

    A man-in-the-middle attack known since the summer (POODLE, "Padding Oracle On Downgraded Legacy Encryption") makes it possible to force TLS-protected connections to downgrade (fall back) to the insecure SSLv3 and thus to read the SSL communication.

    As long as your web server supports TLS and SSLv3 and supports the so-called fallback via SCSV, your SSL-protected communication must be regarded as insecure.
    The browser vendors (Google Chrome & Firefox) therefore want to ensure that no fallback to SSLv3 can occur even when TLS is enabled, and plan to disable SSLv3 soon so that only the secure TLS protocol can be used.

    On 25.11.2014 Firefox will disable SSLv3 by default with version 34!

    Details here: blog.mozilla.org

    Google also plans to disable SSLv3 with Chrome 40 (current release date end of Dec. 14 / beginning of Jan. 15)!
    With Chrome 39, pages that use SSLv3 will show a yellow warning. We expect Microsoft and Apple to react to the situation soon as well.

    Until now Domino did not support TLS and could only use the "insecure" SSL v3 standard for protected SSL communication.  What does this mean for you?

    From Tuesday, 25.11.2014, Firefox users will no longer be able to establish SSL-protected connections to your Domino HTTP server.
    This affects iNotes and any other Domino-based websites that are protected by SSL and use the Domino HTTP task for SSL encryption.


    IBM was therefore forced to provide an Interim Fix at short notice (details here: fixes-for-ibm-notes-and-domino-regarding-poodle-and-sha-2-available.htm), which finally makes TLSv1.0 support available in Domino as well.
    The Interim Fix is available for all supported Domino platforms and covers the following versions (9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4, 8.5.1 FP5).

    Besides TLSv1.0, the security fix also brings the long-overdue support for the SHA-2 certificate standard (from Domino version 9.0.x). Until now Domino supported only the almost 20-year-old SHA-1 standard here, which is now considered insecure.
    SSL certificates that are still signed with the SHA-1 hash algorithm will in future no longer be rated as secure by operating systems and web browsers, and certificate providers now issue only SHA-2 certificates.
    We recommend using only SHA-2 for new and renewed certificates from now on, and therefore applying the Domino security fix to your Domino HTTP servers. If your existing certificates are valid beyond 2015, replacing them with SHA-2 certificates is advisable.

    We would also like to point out that a new Interim Fix 9.0.1 IF7 (details here: new-interims-fix-9.0.1-if7-for-ibm-notes-traveler-available.htm) is available for Traveler, which replaces IF6, whose attachment processing was faulty.
    We advise updating your Traveler servers promptly.

    We are happy to help answer your questions about POODLE, SHA-2 and Traveler support topics, and to assist you with creating SHA-2 certificates or updating your systems.

    Simply contact us here.

    Apple Device Enrollment Program DEP now available in Germany

     12 November 2014 10:17:17
    Great news for Apple Enterprise customers in Germany and Switzerland!

    [Image: Apple Device Enrollment Program DEP now available in Germany]



    As part of ADP (Apple Deployment Program) for business and education, DEP (Device Enrollment Program) streamlines mass iOS and OS X device deployments for IT staff and end users, readying the hardware for centralized setup and mobile device management (MDM) automatically. For example, DEP can be used to create multiple administration accounts, configure MDM servers for device handling and assign user profiles out of the box. One tentpole feature is "zero-touch configuration," which immediately configures account settings, apps, settings and more when a user first activates their device.  

    In addition to third-party purchase support, DEP is now available in Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, UK, and the U.S.


    More information about DEP and how to set up your account can be found here:

    http://www.apple.com/business/dep/

    New Interim Fix 9.0.1 IF7 for IBM Notes Traveler available

     7 November 2014 17:03:59
    Admins, start your engines: tonight IBM released a new Interim Fix for IBM Notes Traveler. Please update to this new release as soon as possible, because the last two Interim Fixes, 5 & 6 for 9.0.1, were not good ones.

    The new Interim Fix fixes the attachment handling issues introduced with IF5 & IF6. More details can be found here.

    9.0.1 IF7 includes these fixes:
    APAR # Component Abstract
    LO81598 Server Silent install error if trying to set External URL on Linux.
    LO81918 Server Slow native memory leak in Traveler server.
    LO81954 Server Signed Phone Message document may not sync to mobile device.
    LO81960 Server Traveler auto log feature may generate lots of SystemDump files during a database outage scenario.
    LO81985 Android Attachment download fails on Android device if file name contains white space characters.
    LO82032 Server User may see duplicate calendar events when user does not have delete access to own mail db.
    LO82084 Server Traveler Bind debug command may not persist after restart of the server.
    LO82085 Server Unable to sync attachments with plus sign in file name.
    LO82103 Server Refresh Traveler server translation for messages sent to mobile device.
    LO82109 Server iOS8: Unable to delete some instances of repeating event from mobile device.
    LO82133 Server Unable to sync folder that has underscore character in the folder name.
    LO82136 Server Error syncing attachments: Entry not found in index.
    LO82137 Server Apple Push Notification Services (APNS) Certificates may show as expired.
    LO82150 Android Unable to register device if server is slow to respond to registration request.
    LO82183 Server iOS8: Out of Office reply message may not be saved.
    LO82214 Server Red server status message for long running DS thread for when the thread is idle.
    LO82233 Android Some attachments can not be viewed or shared on Android device.
    LO82251 Server Allow NTTrack field to store entire device ID if desired.
    LO82282 Server Unable to forward some attachments from mobile device.
    LO82292 Server Room information may disappear from device Calendar when updating a repeating event from mobile device.
    LO82366 Server Traveler Web Administration application may fail to load after upgrading Domino server.
    LO82399 Server Update notice sent from device may show as an update request in Notes client.
    LO82405 Server Some attachments can not be sync'd to mobile device.
    LO82411 Server Work around for Calendar notice that continue reports as updated.
    LO82423 Server Use TLS instead of SSLv3 for server to server communication.
    LO82432 Server Android client could get stuck in banned state when trying to register.
    LO82553 Server Draft or Sent item with exclude from view tag does not sync to mobile device.
    LO82635 Android Warn user when connecting over unsecured protocol and require manual step to enable.





    The following IFs are available: 8.5.3 UP2 IF8, 9.0.0.x IF8 and 9.0.1 IF7

    The downloads can be found here.

    Fixes for IBM Notes and Domino regarding POODLE and SHA-2 available

     4 November 2014 09:20:14
    IBM has released interim fixes for IBM Notes and Domino 8.5.x and for 9.0.x tonight that address the POODLE SSL3/TLS1.0 and SHA-2 issues.

    The fixes are available for all supported platforms and releases (9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4, 8.5.1 FP5).
    But you should be aware that SHA-2 support is only available for Domino 9.0.x.  

    You can find the common description here, which includes reference links for the downloads.
    http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0

    This document describes the usage of the keyring file in that context.
    http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Domino_keyring

    Looking for further information? Go here.
    http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=SHA-2
    http://www-10.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=TLS

    If you are using SSL on your servers the installation is recommended! But I would wait a few days before installing it on production systems, until we all have received some feedback. It is not always good to be the first one ;-)

    Thanks to IBM and especially to Dave Kern, who did a great job in a very short time!
    The security team at IBM had already been working on TLS and SHA-2 support before POODLE came up, but had to change their plans (which was 9.0.2 as the target release), because of the short-term move to disable SSL 3.0 in browsers and other software.

    Dave, thank you very much for making this possible!

    PS: Hope TLS v1.2 will be available soon, too.

    Update:

    Added Download Links:

    8.5.3:   http://www-01.ibm.com/support/docview.wss?uid=swg21663874
    9.0.1:  http://www.ibm.com/support/docview.wss?uid=swg21657963

    IBM Mobile Connect - New Interim Fix available to get POODLE safe

     25 October 2014 11:44:26
    Today IBM released a new IBM Mobile Connect Fix. You should install this fix to get "POODLE safe".

    With this fix the external facing connections will have SSLv3 disabled by default. The internal connections (from IMC to back-end) can still use SSL 3, so that your internal Domino/Traveler Servers can still be accessed using SSL 3. Once IBM has released the "POODLE Fix" for Domino as well, you can and should switch off SSL 3 for the internal connections.

    You will have to update your Connection Manager and please check if your Gatekeeper is already running the latest Gatekeeper release (6.1.5.1 from March 2014).

    Check out Technote SWG2188204 for more details: here

    Get the downloads via Fix Central: here

      IBM Technote regarding POODLE and SHA-2 - We have a fix for it

       21 October 2014 18:17:36
      Today IBM published two Technotes, in which IBM announced two new Interim Fixes.

      The first one will bring native SHA-2 support to Domino for HTTP, SMTP, IMAP, POP3 and LDAP.
      The other one will take care of the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack issue:


      IBM intends to release Domino server Interim Fixes over the next several weeks that implement TLS 1.0 with TLS_FALLBACK_SCSV for HTTP to mitigate against POODLE. Implementing TLS 1.0 will allow browsers to still connect to Domino after they have been changed to address the POODLE attack, and Domino will protect against browsers that have been compromised by POODLE.


      The POODLE Fix will be available in the next few days for 8.5.3 and 9.0.x. The SHA-2 fix will be available in the next few weeks for Domino 9.0.x only.
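
The server-side decision that TLS_FALLBACK_SCSV adds, shown as an added example (not IBM's or Domino's code): a minimal ClientHello parser plus the RFC 7507 rule that rejects a downgraded retry. The helper names and the constructed sample hellos are assumptions for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # signalling cipher suite value, RFC 7507
INAPPROPRIATE_FALLBACK = 86        # fatal alert code, RFC 7507
SSL3, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)   # wire protocol versions


def build_client_hello(version, suites):
    """Constructed sample: ClientHello body without handshake header or extensions."""
    body = bytes(version) + bytes(32) + b"\x00"      # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    return body + b"\x01\x00"                        # compression: null only


def parse_client_hello(body):
    """Return (client_version, cipher_suites) or raise ValueError if malformed."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 35 + body[34]                              # skip random and session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (length,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if length % 2 or pos + length > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, length, 2)]
    return version, suites


def check_fallback(body, server_max):
    """None means continue the handshake; otherwise the fatal alert to send."""
    version, suites = parse_client_hello(body)
    # The SCSV marks a retry at a lower version; reject it if we could do better.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return INAPPROPRIATE_FALLBACK
    return None


if __name__ == "__main__":
    cbc = [0x002F, 0x000A]   # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
    cases = {
        "first attempt, TLS 1.0": build_client_hello(TLS10, cbc),
        "forced retry at SSLv3 with SCSV": build_client_hello(SSL3, cbc + [TLS_FALLBACK_SCSV]),
        "legacy client at SSLv3, no SCSV": build_client_hello(SSL3, cbc),
    }
    for name, hello in cases.items():
        print(name, "->", check_fallback(hello, server_max=TLS10))
```

The third case is accepted because a client that never sends the SCSV gives the server nothing to detect, so the signal only protects clients that implement it.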

      Many thanks to Dave Kern for making this possible!

      Details here:

      Technote for (POODLE) TLS: http://www-01.ibm.com/support/docview.wss?uid=swg21687167
      Technote for SHA-2: http://www.ibm.com/support/docview.wss?uid=swg21418982

      Mac OS 10.10 - Yosemite running Notes 9.0.1

       17 October 2014 14:35:55
      Apple released Mac OS 10.10 (Yosemite) yesterday.

      Today IBM published a special version of the IBM Notes client (9.0.1 Slipstream), because the IBM installer of 9.0.1 does not recognize Yosemite correctly:


      "IBM Notes 9.0.1 Social Edition can't be installed on this computer. This can only be installed on Mac OS X 10.6 or above. Current OS Version is too low."


      The so-called Slipstream client makes a new installation of a Notes client under Yosemite possible.

      If a Notes client was already installed on the Mac before the update to Yosemite, no new installation is necessary. However, the Notes client should be updated to 9.0.1 FP2 either before or directly after the Yosemite update.

      In general, the Java runtime must be reinstalled after the Yosemite update:

      Installation order:


      Step 1: Install the legacy Java SE 6 runtime from Apple: http://support.apple.com/kb/DL1572
      Step 2: Download and install the Mac IBM Notes 9.0.1 slipstream, which will be released by end of day on Thursday, October 16, 2014
      Step 3: Install Notes 9.0.1 Fix Pack 2 or higher


      Part numbers of the IBM Notes 9.0.1 Slipstream client:
      IBM Notes 9.0.1 Mac English | CN15IEN
      IBM Notes 9.0.1 Mac Simplified Chinese and Traditional Chinese | CN150ML
      IBM Notes 9.0.1 Mac Japanese and Korean | CN151ML
      IBM Notes 9.0.1 Mac French, Brazilian Portuguese and Spanish | CN152ML
      IBM Notes 9.0.1 Mac Italian and German | CN153ML
      IBM Notes 9.0.1 Mac Danish and Dutch | CN154ML
      IBM Notes 9.0.1 Mac Finnish, Norwegian and Swedish | CN155ML
      IBM Notes 9.0.1 Mac Polish and Russian | CN156ML
      IBM Notes 9.0.1 Mac Portuguese and Turkish | CN157ML

      See also IBM Technote: 21682510