Fix available for potential cross-site scripting (XSS) security vulnerabilities in Classic Sametime Meetings Web Application

Fix readme


Abstract

A fix is available for a potential cross-site scripting (XSS) security vulnerability that has been identified in connection with the IBM Classic Sametime Meetings Web Application.

Content

A fix is available that removes the vulnerability in the Classic Sametime Meetings server.
Please see the following security bulletin:

"Security Bulletin: Vulnerability in Classic Sametime Meetings Server (CVE-2013-0535)"

Sections below:

  • Affected products
  • Fix download links
  • Installation instructions for each version


Affected products




This potential vulnerability affects the following servers when using the Classic Sametime Meetings server web application to manage and join meetings:
  • IBM Classic Sametime Meetings server 8.5.2.1 and prior releases


Fix download links




The fix for this security vulnerability is posted to IBM Fix Central. Refer to the table below for direct links to the fix by version.


Classic Sametime Meetings server version   Fix delivery vehicle
----------------------------------------   ----------------------------------------
8.5.2.1                                    fix pack: 8520-ST-STConf--FP-RPOH-96GPGP
8.5.1.2                                    fix pack: 8510-ST-STConf--FP-RPOH-96GPDW
8.5                                        fix pack: 8500-ST-STConf--FP-RPOH-96GPAK
8.0.2                                      fix pack: 8020-ST-STConf--FP-RPOH-96GP75
8.0.1                                      fix pack: 8010-ST-STConf--FP-RPOH-96GP3Z
7.5.1.2                                    fix pack: 7511-ST-STConf--FP-RPOH-96GNYC




Installation Instructions



Follow the specific installation instructions below for your particular version of Classic Sametime Meetings server.


    Installation Instructions Version 8.5.2.1


      1. Bring down the Domino and Sametime server.

      2. Unzip the DateFormatFix.zip file into the server directory: .../Lotus/Domino/java
        You should end up with this file/path being extracted:

          .../Lotus/Domino/java/com/lotus/sametime/meetingcenter/NotesLocalizedString.class
        Note: There is more than one "java" directory on the server; make sure you are unzipping the file under the ../Lotus/Domino directory.

      3. Backup stconf852.ntf in a directory not under your Domino directory.

      4. Copy the new stconf852.ntf to your Domino data directory.

      5. Replace the design of stconf.nsf with the new stconf852.ntf.

      6. Bring up Domino and Sametime.


    Installation Instructions Version 8.5.1.2


      1. Stop the server and backup stconf851.ntf.

      2. Replace the stconf851.ntf template on the server.

      3. Replace the design of stconf.nsf with the new template.

      4. Start the server.



    Installation Instructions Version 8.5


      1. Stop the server and backup stconf85.ntf.

      2. Replace the stconf85.ntf template on the server.

      3. Replace the design of stconf.nsf with the new template.

      4. Start the server.


    Installation Instructions Version 8.0.2


      1. Bring down the Domino and Sametime server.
        If Sametime is launched from the ServerTasks line in notes.ini, edit notes.ini and remove staddin from that line, so that Sametime does not start when Domino alone is brought up in step 4:

          ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP,LDAP,RnRMgr,staddin

        Unzip the hotfix files into a temporary directory. You will have the following files:
          stconf802.ntf
          stsrc.nsf
          webminilogin.js
          DateFormatFix.zip

      2. Backup the original stconf802.ntf, stsrc.nsf, and webminilogin.js (webminilogin.js is located in \\Lotus\Domino\data\domino\html\sametime\).

      3. Replace with the new stconf802.ntf, stsrc.nsf, and webminilogin.js.

      4. Bring up Domino only!

      5. Replace the design of stconf.nsf with the new stconf802.ntf.

      6. Unzip the DateFormatFix.zip file into the server directory: .../Lotus/Domino/java

      7. Copy the directory on the server:

        .../Lotus/Domino/data/domino/html/sametime/stmtghelp/en

        into a new directory:
          .../Lotus/Domino/data/domino/html/sametime/stmtghelp/en_GB
        and
          ../Lotus/Domino/data/domino/html/sametime/stmtghelp/en_AU

        NOTE: The end result will have 3 directories total with the same content but different names, as follows:
          Original directory: .../Lotus/Domino/data/domino/html/sametime/stmtghelp/en
          New directory 1: .../Lotus/Domino/data/domino/html/sametime/stmtghelp/en_GB
          New directory 2: .../Lotus/Domino/data/domino/html/sametime/stmtghelp/en_AU

      8. Open a Notes client and edit stconfig.nsf on the server; open the MeetingServices document; edit the field "Conference Started Event Field Names" and add the entry "STSignerAccess" to the end of the list.
        EXAMPLE:

        Meeting Scheduler Settings:
        Refresh Interval (millisec): 5000
        Conference Started Event Field Names: handle; state; StartDateTime; EndDateTime; Subject; STMeetingID; STActivityIDs; STMediaType; STAudioID; STIsBroadcast; InvitedServers; CalendarDateTime; CHAIR; moderator_cn; password; STIsEncrypted; STEndMeetingNow; STIsInvited; STConnectionProfile; STHasWhiteboardContent; STIsUnlisted; STIsModerated; options; STMeetingCenterVersion; STStartupMode; ConferenceReaders; InviteeList; STTopProviderAddress; STPanel; STCreator; STRecord; STRecordFile; STMaterialsNamespace; UnInvitedServers; STAudioBridgeConferenceID; STAudioBridgeClientID; STAudioBridgePasscode; STAudioBridgeClientPassword; STOrganization; STRecordingID; STAudioBridgeConferenceDocument; Body; STSignerAccess
        Places Field Names: T120ConferenceHandle; STIsEncrypted; STMediaType; STOrganization

      9. Save stconfig.nsf changes.

      10. Bring down Domino.

      11. Bring up Domino and Sametime.



    Installation Instructions Version 8.0.1


      1. Stop the Sametime server.

      2. Backup stconf801.ntf, webminilogin.js, and stsrc.nsf.

      3. Replace the design of stconf.nsf with the new stconf801.ntf.

      4. Copy stsrc.nsf to the Domino/Data directory.

      5. Copy over webminilogin.js in \\Lotus\Domino\data\domino\html\sametime\

      6. Unzip the DateFormatFix.zip file into the server directory: .../Lotus/Domino/java

      7. Copy the directory on the server:
          .../Lotus/Domino/data/domino/html/sametime/stmtghelp/en
        into a new directory:
          .../Lotus/Domino/data/domino/html/sametime/stmtghelp/en_GB
        and
          .../Lotus/Domino/data/domino/html/sametime/stmtghelp/en_AU
        NOTE: The end result will have 3 directories total with the same content but different names, as follows:
          Original directory: .../Lotus/Domino/data/domino/html/sametime/stmtghelp/en
          New directory 1: .../Lotus/Domino/data/domino/html/sametime/stmtghelp/en_GB
          New directory 2: .../Lotus/Domino/data/domino/html/sametime/stmtghelp/en_AU

      8. Open a Notes client and edit stconfig.nsf on the server; open the MeetingServices document; edit the field "Conference Start Field Names" and add the entry "STSignerAccess" to the end of the list.

      9. Save stconfig.nsf changes.

      10. Start the Sametime server.
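The file-level steps that the 8.5.2.1, 8.0.2 and 8.0.1 procedures above have in common (backups outside the Domino directory, removing staddin from ServerTasks, unpacking DateFormatFix.zip under the right "java" directory, creating the en_GB and en_AU help copies), as an added POSIX shell example for the UNIX-style servers in the OS list. This is not part of the technote and not IBM's fix; it only automates what the steps say and adds the checks they ask for. Assumed, because the page shows the paths only with a truncated ".../Lotus/Domino" prefix: one DOMINO_ROOT under which java/, data/ and data/domino/html/sametime/ sit; the notes.ini location, passed as an argument; and that the fix files were already unzipped into a staging directory. The function names and the backup naming are the example's own. Steps done in the Notes client (replacing the design of stconf.nsf, editing the MeetingServices document in stconfig.nsf) are not scripted.

```shell
#!/bin/sh
# Added example, not IBM's code. Layout below DOMINO_ROOT is an assumption.
FIX_CLASS_REL="com/lotus/sametime/meetingcenter/NotesLocalizedString.class"

# Copy a file into a backup directory, refusing a destination under the
# Domino directory as the readme requires. Prints the backup path.
backup_file() {
  src="$1"; dest_dir="$2"; domino_root="$3"
  case "$dest_dir" in
    "$domino_root"|"$domino_root"/*)
      echo "backup dir $dest_dir is under $domino_root" >&2; return 1 ;;
  esac
  [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
  mkdir -p "$dest_dir" || return 1
  dst="$dest_dir/$(basename "$src").$(date +%Y%m%d%H%M%S)"
  cp -p "$src" "$dst" && echo "$dst"
}

# Drop the staddin task from the ServerTasks= line so Sametime does not
# start when Domino alone is brought up. Keeps notes.ini.bak so the task
# can be put back later. Case-insensitive; preserves a CRLF line ending.
remove_staddin_task() {
  ini="$1"
  cp -p "$ini" "$ini.bak" || return 1
  awk '{
    i = index($0, "=")
    if (i == 0) { print; next }
    key = substr($0, 1, i - 1); val = substr($0, i + 1)
    if (tolower(key) != "servertasks") { print; next }
    cr = (val ~ /\r$/) ? "\r" : ""; sub(/\r$/, "", val)
    n = split(val, task, ","); out = ""
    for (j = 1; j <= n; j++) {
      if (tolower(task[j]) == "staddin") continue
      out = out (out == "" ? "" : ",") task[j]
    }
    print key "=" out cr
  }' "$ini.bak" > "$ini"
}

# Confirm DateFormatFix.zip was unpacked under the given java directory.
verify_dateformat_fix() {
  cls="$1/$FIX_CLASS_REL"
  [ -f "$cls" ] || { echo "missing: $cls" >&2; return 1; }
}

# The readme warns there is more than one "java" directory on the server:
# list any copy of the fixed class outside DOMINO_ROOT/java (empty = ok).
find_stray_fix_classes() {
  domino_root="$1"
  find "$domino_root" -type f -path "*/$FIX_CLASS_REL" \
       ! -path "$domino_root/java/$FIX_CLASS_REL"
}

# Create stmtghelp/en_GB and stmtghelp/en_AU as copies of stmtghelp/en,
# then confirm all three trees really have identical content.
copy_help_locales() {
  help_root="$1"
  for loc in en_GB en_AU; do
    [ -d "$help_root/$loc" ] || cp -R "$help_root/en" "$help_root/$loc" || return 1
  done
  diff -r "$help_root/en" "$help_root/en_GB" > /dev/null &&
  diff -r "$help_root/en" "$help_root/en_AU" > /dev/null
}

# Driver for the 8.0.2 / 8.0.1 file steps, in the readme's order.
# $1 DOMINO_ROOT, $2 notes.ini, $3 directory holding the unzipped fix
# files, $4 backup directory outside Domino, $5 template name
# (stconf802.ntf or stconf801.ntf). Stops at the first failed step.
apply_file_steps() {
  root="$1"; ini="$2"; fixdir="$3"; bak="$4"; tmpl="$5"
  st="$root/data/domino/html/sametime"
  for f in "$root/data/$tmpl" "$root/data/stsrc.nsf" "$st/webminilogin.js"; do
    backup_file "$f" "$bak" "$root" > /dev/null || return 1
  done
  remove_staddin_task "$ini" || return 1
  cp "$fixdir/$tmpl" "$fixdir/stsrc.nsf" "$root/data/" || return 1
  cp "$fixdir/webminilogin.js" "$st/" || return 1
  unzip -o -q "$fixdir/DateFormatFix.zip" -d "$root/java" || return 1
  verify_dateformat_fix "$root/java" || return 1
  [ -z "$(find_stray_fix_classes "$root")" ] || { echo "stray fix class found" >&2; return 1; }
  copy_help_locales "$st/stmtghelp"
}
```

Run apply_file_steps only with Domino and Sametime down, as step 1 requires; then finish the Notes client steps, bring up Domino only, and put staddin back in ServerTasks from notes.ini.bak before the final restart. The stray-class check exists because a copy of NotesLocalizedString.class under the wrong "java" directory leaves the server running the unfixed class while the unzip appears to have succeeded.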


    Installation Instructions Version 7.5.1.2


      1. Stop the Sametime server.

      2. Backup stconf751.ntf and stsrc.nsf.

      3. Copy the attached stconf751.ntf and stsrc.nsf to the data directory.

      4. Replace the design of stconf.nsf with the new template.

      5. Start the Sametime server.


    Document information

    More support for: IBM Sametime, Classic Meeting Server
    Software version: 7.5.1.2, 8.0.1, 8.0.2, 8.5, 8.5.1.2, 8.5.2.1
    Operating system(s): AIX, IBM i, Linux, Solaris, Windows
    Reference #: 1635545
    Modified date: 2013-04-30
