Public Wiki

Classic USAS & USPS Web App and SOAP Release

SSDT Wiki Updates - Mon, 04/16/2018 - 4:15pm

Page edited by Dave Smith

The following Classic web applications are available for download via INSTALL_PACKAGE DOWNLOAD or http://nwoca.org:8000/oecn_download:

Application | Version | Filename
USAS SOAP | 2.8.1 | usassoap.war
USAS Web Application | 2.8.1 | usasweb.war
USPS SOAP | 1.11.1 | uspssoap.war
USPS Web Application | 1.12.1 | uspsweb.war

Release Notes:

The above versions contain a single patch to prevent a serious session handling bug in the OECN RPC service based on OECN VXS. See below for details. All ITCs are encouraged to implement these versions as soon as possible.

Prior to installing these versions, you must also install OECN$RPC_OECN.EXE from OECN_OOPS.


Details

In rare circumstances, the OECN VXS sessions of two users become "crossed". Two users who log in within 200 milliseconds of each other may gain access to the wrong session. When this occurs, one or both of the users is attached to another user's session and has full access to that user's data and permissions. This situation has been reported to the SSDT three times since the deployment of OECN VXS.

Due to the nature of the defect, it has been impossible for the SSDT to reproduce the problem and conclusively determine the flaw in the code. Therefore, the underlying problem with VXS has not been resolved. However, the above versions of the applications contain code which checks for and defends against the defect. If the applications detect that they have been connected to the wrong session, they will abort with an error message and return the user to the login screen.
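An added example, not the SSDT's code: one way a web application can detect that it has been attached to the wrong backend session and fail closed, as described above. `RpcBroker`, `SessionInfo` and the per-login nonce are hypothetical names and assumptions; the page does not say how the released applications perform their check.

```java
import java.security.SecureRandom;
import java.util.HexFormat;

public class SessionBindingCheck {
    /** What the backend reports about the session a handle is attached to. */
    record SessionInfo(String owner, String loginNonce) {}

    /** Hypothetical stand-in for the RPC layer; not the OECN RPC API. */
    interface RpcBroker {
        SessionInfo login(String user, String nonce); // returns the attached session
    }

    static class WrongSessionException extends RuntimeException {
        WrongSessionException(String msg) { super(msg); }
    }

    static String newNonce() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        return HexFormat.of().formatHex(b);
    }

    /** Log in, then refuse to proceed unless the session is provably ours. */
    static SessionInfo loginChecked(RpcBroker broker, String user) {
        String nonce = newNonce();
        SessionInfo s = broker.login(user, nonce);
        // Fail closed: both the owner and the per-login nonce must match.
        if (s == null || !user.equals(s.owner()) || !nonce.equals(s.loginNonce())) {
            throw new WrongSessionException("session mismatch for " + user + "; returning to login");
        }
        return s;
    }

    public static void main(String[] args) {
        RpcBroker healthy = (user, nonce) -> new SessionInfo(user, nonce);
        // Constructed fault: the broker attaches every caller to alice's session.
        SessionInfo alices = new SessionInfo("alice", newNonce());
        RpcBroker crossed = (user, nonce) -> alices;

        System.out.println("healthy: attached to " + loginChecked(healthy, "bob").owner());
        for (String user : new String[] {"bob", "alice"}) { // "alice": only the nonce differs
            try {
                loginChecked(crossed, user);
                System.out.println("crossed (" + user + "): NOT detected");
            } catch (WrongSessionException e) {
                System.out.println("crossed (" + user + "): " + e.getMessage());
            }
        }
    }
}
```

The second crossed case shows why a username comparison alone is not enough: two logins by the same account would pass it, so the check also binds the session to a value unique to this login.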







Dave Smith 2018-04-16T20:15:29Z
Categories: Public Wiki

Classic USAS & USPS Web App and SOAP Release

SSDT Wiki Updates - Mon, 04/16/2018 - 4:06pm

Page added by Dave Smith







Dave Smith 2018-04-16T20:06:01Z
Categories: Public Wiki

2018 Releases

SSDT Wiki Updates - Mon, 04/16/2018 - 3:30pm

Page added by Dave Smith

Dave Smith 2018-04-16T19:30:41Z
Categories: Public Wiki