CM1 5.3 SR1 20190520 Patch

Patch ID - 5315_20190520

This is a cumulative/rollup patch for CM1 5.3 SR1 that includes a new Bulk Upload Gadget, security updates, and defect corrections.  This patch is a replacement version of the 5315_20190412 patch that includes a correction for Publish Dates.  If you have already installed the 5315_20190412 patch, this patch may be installed without issue. 

If you have installed the 5315_20190412 patch:

This information is only relevant for customers that had previously applied the 5315_20190412 patch; other customers can ignore this step.  The 20190412 patch had an issue where, when publishing was run, the Content Post Date or Publishing Date for any published page was incorrectly set to the current date, even if the page had been previously published.  This could cause features like Blog Lists or Event Lists to show old content as being new.  Applying the 5315_20190520 patch will resolve that problem; however, a database update is required to restore the original Content Start date.

  1. From an Admin account, access the SQL Tool, at http(s)://instance:port/Rhythmyx/test/sql.jsp.
  2. Run the following SQL: 
MySQL / Derby Database
UPDATE CONTENTSTATUS c SET CONTENTPOSTDATE=(select MIN(csh.EVENTTIME) from CONTENTSTATUSHISTORY csh where csh.TRANSITIONLABEL = 'Live' group by csh.CONTENTID HAVING csh.CONTENTID=c.CONTENTID)
WHERE c.CONTENTPOSTDATE BETWEEN '2019-05-20 00:00:00' AND '2019-05-20 23:59:59'

Microsoft SQL Server Database
UPDATE CONTENTSTATUS SET CONTENTPOSTDATE=(select MIN(csh.EVENTTIME) from CONTENTSTATUSHISTORY csh where csh.TRANSITIONLABEL = 'Live' group by csh.CONTENTID HAVING csh.CONTENTID=CONTENTSTATUS.CONTENTID)
WHERE CONTENTSTATUS.CONTENTPOSTDATE BETWEEN '2019-05-16 00:00:00' AND '2019-05-30 23:59:59'

Adjust the dates in the query to match the date that you installed the 20190412 patch and the current date. This will restore any incorrectly updated Content Post Dates back to the original Content Post Date.  If you need any assistance with this, please contact Support. 
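
A read-only preview of the restore above, as an added example that is not part of Percussion's instructions: it lists each affected item with its current Content Post Date next to the value the UPDATE would write. It uses only the table and column names from the queries above; the column aliases are illustrative, and the date window is the one from the SQL Server query and needs the same adjustment.

```sql
-- Added example: SELECT only, changes nothing.
-- Run each statement separately in the SQL Tool.

-- 1) Per-item preview: current value vs. the value the UPDATE would restore.
--    Adjust the BETWEEN window exactly as you would for the UPDATE.
SELECT c.CONTENTID,
       c.CONTENTPOSTDATE AS POSTDATE_NOW,
       (SELECT MIN(csh.EVENTTIME)
          FROM CONTENTSTATUSHISTORY csh
         WHERE csh.TRANSITIONLABEL = 'Live'
           AND csh.CONTENTID = c.CONTENTID) AS POSTDATE_RESTORED
  FROM CONTENTSTATUS c
 WHERE c.CONTENTPOSTDATE BETWEEN '2019-05-16 00:00:00' AND '2019-05-30 23:59:59'
 ORDER BY c.CONTENTID

-- 2) Count of items in the window that have no 'Live' history row.
--    For these the UPDATE's subquery returns no row, i.e. NULL.
SELECT COUNT(*) AS ITEMS_WITHOUT_LIVE_HISTORY
  FROM CONTENTSTATUS c
 WHERE c.CONTENTPOSTDATE BETWEEN '2019-05-16 00:00:00' AND '2019-05-30 23:59:59'
   AND NOT EXISTS (SELECT 1
                     FROM CONTENTSTATUSHISTORY csh
                    WHERE csh.TRANSITIONLABEL = 'Live'
                      AND csh.CONTENTID = c.CONTENTID)
```

A NULL in POSTDATE_RESTORED (or a non-zero count from the second query) means the UPDATE would set CONTENTPOSTDATE to NULL for those items, so review them before running the restore.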

Uninstalling the Patch

This patch includes an uninstall option to support rollback in the event the patch introduces a problem or issue. The patch can be downloaded from the Support portal. For instructions on installing or uninstalling the patch, please review the Readme file provided in the patch folder.

An updated list of Known Issues can be found at the bottom of this page.

For details on bug fixes and improvements in previous patch updates, please see the release notes for prior patches.  Links to prior patch release notes are provided below:

Installation Notes & Common Issues

Database Updates

Beginning with Patch 5315_20181221, the update engine supports database schema updates as part of the update process.  As a result, the patch relies on the installer database configuration file to run successfully.  In environments where the database setup has changed, or a server / RDBMS migration has occurred, the installation database configuration file may be out of date, which would cause the patch to fail.  To avoid this problem, verify that the contents of the <InstallDir>/rxconfig/Installer/rxrepository.properties file are correct before installing the patch.  Updating this file is covered in the Appendix A section of the Migrating Percussion Environments help page.

Common Issues / Workarounds

Updates can occasionally fail to apply for a variety of reasons.  To help streamline troubleshooting, we have created a new Common Issues / Workarounds page to collect the steps to correct these issues if you run into them when patching.  As always, if you run into a problem applying a patch, please contact the Technical Support team at percussion.support@intsof.com, and they will be happy to assist.

Issues addressed in this patch:

[CMS-5696] - Regression - After patching, Page Content Post Dates are reset to the current date

A regression was corrected with publishing where the Content Post Date was incorrectly set to the current date as Pages were published.  This could cause older content on the site to incorrectly appear to be new to site visitors. 

[CMS-5598] - Security: Secure LDAP connections are incorrectly defaulting to using TLS1.0

A critical CM1-specific security issue was corrected where LDAPS connections were defaulting to the end-of-life TLS 1.0 security protocol. The LDAP connectivity code has been updated and will now default to TLS 1.2, falling back to TLS 1.1 if TLS 1.2 is unavailable. 

[CMS-5602] - Security: CM1 generates http urls pointed at port 443 when run behind an https proxy server

When the HttpsRequired server property was defined and a proxy server or load balancer was deployed in front of a CM1 instance, the server would incorrectly generate certain URLs that used the http protocol on port 443.  This prevented some proxy deployments in front of CM1.  This issue is corrected in this patch, and CM1 can now be deployed behind an HTTPS proxy server without issue. 

[CMS-5653] - Secure Sites: Missing JSON-Simple Dependency

Certain customers using a customized Secure Sites deployment reported a missing file after applying the latest patch and resetting their Secure Site configuration.  This file has been included in this patch.  When resetting Secure Site configuration, we recommend that customers clear out the WEB-INF/lib directory on the published site prior to performing the Full Publish.  This will ensure that the updated Secure Site configuration is deployed cleanly. 

[CMS-5656] - Security - JCR Search Tool: Reflected Cross Site Scripting Vulnerability

An XSS vulnerability was reported and corrected in the JCR Search Tool. Using the vulnerability, an attacker could inject script and markup into the JCR Search parameters. That injected script could then be executed by the JCR Search tool when query results were returned to the browser.  In addition, script or HTML contained in the data returned by a query could be executed in search results. These issues have been corrected in this patch. 

[CMS-5659] - Security - Legacy Workflow Editor: Reflected Cross Site Scripting Vulnerability

An XSS vulnerability was reported and corrected in the legacy Workflow Editor.  Using the vulnerability an attacker could inject script and markup into the database via Workflow Editor screens that accepted text input. That injected script could then be executed by the Workflow Editor when data was loaded by the web browser.  This issue is resolved in this patch. 

[CMS-5660] - Security: Update perc_common_ui.js to support latest JQuery 3.4 version

Customers that have updated the <InstallDir>/web_resources/cm/jslib/jquery.js file to the 3.4 version for use on their published website can now do so without running into errors with the common-ui JavaScript library used by Percussion Widgets.

[CMS-5662] - Security: Chrome update 74 blocks uploads via the Bulk Upload Gadget

The Bulk Upload Gadget has been updated to no longer require the Adobe Flash browser plugin and has been tested for compatibility with the latest Google Chrome update.  

[CMS-5673] - Security: SQL Test Tool: XSS Script reflection vulnerability

An XSS vulnerability was corrected where the Admin only SQL Test tool could potentially reflect HTML/Script markup that had been stored in the backend content repository.  With this update, the tool will now encode any HTML or JavaScript markup and render the source code instead of executing it. 

[CMS-5675] - Unable to save users with Role changes

An issue was reported where it was not possible to save Role changes for LDAP users after installing the previous patch.  This issue is corrected in this patch. 

[CMS-5677] - PageAutoList incorrectly logs an error to the JavaScript console when no results are found, should be an info

An issue was reported where Page Auto Lists would write an error to the JavaScript console if no results were found by the Auto List query.  The code has been updated to change this to an info message instead.

[CMS-5621] Broken Link on Supported Browser Screen

A minor issue was corrected where the link to the system requirements on the help site was broken from the Supported Browser screen.  This issue is corrected by this patch. 

[CMS-5679] Security - Update embedded DTS Tomcat to 7.0.94

The embedded Tomcat server has been updated to the 7.0.94 version of Tomcat for Security updates and bug fixes.  The Tomcat 7 change list can be found here:  https://tomcat.apache.org/tomcat-7.0-doc/changelog.html

[CMS-5678] Performance: Parallel publishes can cause deadlocks and crash Percussion service

A problem was corrected where parallel publishes and concurrent edits of files being published could create deadlocks or crash the Percussion service.  The root cause of this problem was identified, and this patch should correct this performance issue. 

Known Issue List

  • [CMS-5680] Performance - DTS Logs getting flooded with errors when perc-common-ui is accessed from published pages

    An issue has been reported where the catalina.log seems to get flooded with Null pointer exceptions whenever the CORS resource was accessed by a dynamic widget.  The request is still processed. We are still investigating the problem.

  • CMS-5294 - The Ignore Unmodified Assets publishing feature does not work correctly on systems with 2000 or more Assets.  We recommend that this option be unchecked in your publishing configuration to avoid publishing failures. 
  • CMS-3614 - After applying the patch, end users may need to clear their browser cache in the CM1 user interface in order to see the new changes to the Rich Text Editor and plugins.
  • CMS-3257 - Customers using the MySQL database server as the backing database for the DTS will lose the MySQL Connector jar if it was previously placed into the <InstallDir>/Deployment/Server/perc-lib directory.  To correct this problem, the MySQL Connector for Java may be installed or symlinked into the <InstallDir>/Deployment/Server/lib directory. Percussion does not include this connector as part of our installation due to license incompatibility issues.
  • CMS-3490 - Customers patching the DTS on Windows Servers will need to reinstall the DTS Windows service by using the "<InstallDir>\Deployment\Server\bin\service.bat remove" and  "<InstallDir>\Deployment\Server\bin\service.bat install" commands. Once the service has been successfully re-installed, the Percussion DTS Windows Service will start.