Rhythmyx 7.3.2 20180608 Patch

Here you can find information regarding the latest Rhythmyx patch release.  Please see the support portal at https://support.percussion.com for access to product Downloads and Patches.


Patch id: 732_20180608

This patch includes defect corrections, security updates, and enhancements. This patch updates the Velocity Template Engine.  Please see Updating to Velocity 2.0.

Download

Downloads are available via the support portal at https://support.percussion.com


This patch includes the following changes:

Improvements

[RHYT-1735] - Upgrade Velocity Templating Engine & Tools to version 2.0

The Velocity templating engine and Velocity tools have been upgraded to Velocity 2.0.  

Security Updates

[RHYT-1842] - Security - CWE-693 - Add X-Frame-Options to HTTP response headers

See Configuring Secure Headers for more information on this issue. 


[RHYT-1843] - Security - CWE-693 - Add X-XSS-Protection to HTTP response headers

See Configuring Secure Headers for more information on this issue. 


[RHYT-1844] - Security - CWE-693 - Add Content Security Policy to HTTP response headers

See Configuring Secure Headers for more information on this issue. 


[RHYT-1845] - Security - CWE-693 - Add X-Content-Type-Options to HTTP response headers

See Configuring Secure Headers for more information on this issue. 

[RHYT-1846] - Security - CWE-693 - Add Strict-Transport-Security to HTTP response headers

See Configuring Secure Headers for more information on this issue. 

[RHYT-1870] - Security - CWE-693 -  Incomplete or No Cache-control and Pragma HTTP Header Set

See Configuring Secure Headers for more information on this issue. 
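After applying the patch, the headers named in RHYT-1842 through RHYT-1846 and RHYT-1870 can be confirmed on a live response. The script below is an added example, not Percussion tooling: it reads a response header block on stdin (for instance from `curl -sI`) and reports each header that is missing or carries a weak value. The function names and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example. Audits HTTP response headers read from stdin for the
# headers this patch adds. Prints one finding per line, nothing if all pass.
audit_headers() {
    hdrs=$(tr -d '\r')                  # curl -I output ends lines with CRLF
    for name in X-Frame-Options X-XSS-Protection Content-Security-Policy \
                X-Content-Type-Options Strict-Transport-Security \
                Cache-Control Pragma; do
        # Header names are case-insensitive; take the first matching line.
        value=$(printf '%s\n' "$hdrs" | awk -v n="$name" '
            BEGIN { n = tolower(n) }
            { i = index($0, ":")
              if (!seen && i && tolower(substr($0, 1, i - 1)) == n) {
                  v = substr($0, i + 1); sub(/^[ \t]+/, "", v)
                  print v; seen = 1 } }')
        if [ -z "$value" ]; then
            echo "MISSING $name"
            continue
        fi
        case "$name" in
            X-Content-Type-Options)
                # "nosniff" is the only defined value for this header.
                [ "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" = nosniff ] \
                    || echo "WEAK $name: $value" ;;
            X-Frame-Options)
                # Only DENY and SAMEORIGIN restrict framing in current browsers.
                case "$(printf '%s' "$value" | tr 'a-z' 'A-Z')" in
                    DENY|SAMEORIGIN) ;;
                    *) echo "WEAK $name: $value" ;;
                esac ;;
        esac
    done
}

# Constructed sample response (not captured from a real server).
sample_response() {
    printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n'
    printf 'x-content-type-options: nosniff\r\n'
    printf 'Strict-Transport-Security: max-age=31536000\r\n'
    printf 'Cache-Control: no-store\r\nContent-Type: text/html\r\n\r\n'
}

sample_response | audit_headers
```

Against a running server, pipe the output of `curl -sI` for a Rhythmyx URL into `audit_headers` in place of the sample.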

[RHYT-1872] - Security - CWE-311 - Secure Pages Include Mixed Content: Error.jsp

A minor security issue was corrected where the default system error page had hard-coded http references, causing mixed content warnings when operating the server over https.

[RHYT-1894] - Security - CWE-548 -  Disable directory browsing by default when running under jetty

The default Jetty configuration was hardened to disallow directory browsing for directories with no index page. 

Defects Corrected in the Patch

[RHYT-1366] - Accessibility - Unable to select Content from DCE using keyboard shortcuts

An issue with keyboard navigation in the DCE was corrected.  Tabbing through folders and expanding folders should now work correctly with tab and right arrow keys.  Tabbing to a content item in the Content explorer and using the enter key should now correctly display the content editor for that item. 


[RHYT-1707] - Rhythmyx Language Tool fails to start with class not found errors on Logging jars

An issue was corrected that prevented the Rhythmyx Language Tool from starting.  After applying the patch the tool should start without errors.


[RHYT-1722] - sql.jsp and logs.jsp utilities needs to be updated to read the jetty log when running under jetty

The Administrator and Support utilities /Rhythmyx/test/sql.jsp and /Rhythmyx/test/log.jsp have been updated to correctly read the logs and to include scripts that were previously loaded from a remote CDN.

[RHYT-1851] - Login Screen DCE - The default focus should be on the password field.

A minor usability issue was corrected to default focus to the password field on the DCE login screen when the login screen is displayed.

[RHYT-1857] - UTF-8 characters in content rendering with "?" characters / default system encoding under Jetty

The Jetty/defaults/start.d/jvm.ini file has been updated to explicitly set the default encoding for the web server to UTF-8.  Customers that have customized their jvm.ini options in the jetty/base/start.d/jvm.ini file should update the custom jvm.ini configuration to contain the following additional parameters:

-Dfile.encoding=UTF8

-Dsun.jnu.encoding=UTF8

If you have not customized or overridden the defaults/start.d/jvm.ini file with a base/start.d/jvm.ini file then no action is required.
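The decision above can be scripted. This is an added example, not Percussion tooling: given the jetty directory, it reports whether the manual edit is needed. It assumes each JVM option sits on its own line in jvm.ini and that lines starting with `#` are comments; the function name is hypothetical.

```shell
#!/bin/sh
# Added example. $1 is the jetty directory of the installation.
# Prints "no-action" when there is no base override, "ok" when the override
# already carries both options, otherwise one "add <option>" line per gap.
required_jvm_opts="-Dfile.encoding=UTF8 -Dsun.jnu.encoding=UTF8"

check_jvm_encoding() {
    ini="$1/base/start.d/jvm.ini"
    if [ ! -f "$ini" ]; then
        # No override present: the patched defaults/start.d/jvm.ini applies.
        echo "no-action"
        return 0
    fi
    missing=0
    for opt in $required_jvm_opts; do
        # Whole-line literal match after trimming whitespace and CRs, so a
        # commented-out "# -Dfile.encoding=UTF8" does not count as set.
        if ! tr -d '\r' < "$ini" \
                | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
                | grep -xF -e "$opt" > /dev/null; then
            echo "add $opt"
            missing=1
        fi
    done
    if [ "$missing" -eq 0 ]; then
        echo "ok"
    fi
    return 0
}

# Run against a real installation by passing its jetty directory.
if [ $# -gt 0 ]; then
    check_jvm_encoding "$1"
fi
```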


[RHYT-1866] - JRE.BAK and JRE64.BAK on patch installation should reside in the individual patch's backup folder and not in the Rhythmyx_Home folder

Prior patches that updated the JRE backed up the JRE to the <Installation Directory>.  This creates issues when uninstalling / re-installing patches.  The backups have now been moved to the <patch dir>/backups folder. 

[RHYT-1907] - jetty/defaults/etc/perc-webdefault.xml is not overriding the settings in upstream/etc/webdefault.xml

An issue was corrected where the jetty/defaults/etc/perc-webdefaults.xml configuration file was not overriding the jetty/upstream/etc/webdefaults.xml configuration file as per the documentation. This has been corrected in this patch.

[RHYT-1690] - Update server.properties to remove obsolete session related properties

The obsolete and deprecated server.properties related to user sessions have been removed.  Session properties exist in the rxconfig/Server/config.xml file and may be controlled by the Server Properties Editor tool or by editing this file directly. 

[RHYT-1715] - Add support for the SVG file extensions to the default system Mime Types

The SVG mime type will be available in server default content mime/types after installing this patch.  SVG images are supported as Files.  

Known Issues

Java 1.8 update 161-171 - DCE Crashing When Switching between Applications

Client-side Java JRE update 161 through update 171 introduced a regression in Oracle's web view JavaFX control that caused the DCE to crash when switching between applications.  Update 172 greatly improves on this issue, with a complete fix by Oracle targeting a July release.

RHYT-1634 - Fixes an issue where you could not save in the UI when setting up SSL. There is still an issue where the tool currently saves only the Jetty SSL configuration; JBoss will need to be manually configured. If you select a keystore to be used, make sure you add the Jetty server keystore to the jetty\base\etc folder and use just the filename in the UI. In the base\etc\installation.properties file that is updated by the UI, the selected filename will be appended with 'etc/' to make it relative to the jetty\base folder. Currently, selecting a full Windows path, e.g. one starting with "c:\", will cause the service to fail to start.  This issue will be addressed in a future patch.

RHYT-1909 - Patch should fail to install if an error occurs backing up or deploying the JRE or JRE64 runtimes

When installing patches it is important to make sure that the user installing the patch has the necessary permissions to create, read, write and delete files in the Rhythmyx installation tree.  Typically under Windows this means that the Command Prompt should be "Run as Administrator", and on Linux sudo su <rhythmyxuser>  -.   If an error, such as a permissions error, occurs during patch install and the JRE folders cannot be written to, the patch may log the error to the console but continue to report that the patch was installed successfully.  This issue will be addressed in the next Rhythmyx patch.