LO82635: WARN BEFORE USING HTTP TO REGISTER CLIENT (CVE-2014-6130)
Closed as program error.
Security evaluation found that the Android client might try connection over HTTP if secure connection initially failed when registering the device for the first time. The change is to only attempt the secure connection by default. If this fails the end user is presented the option to attempt the connection over unsecure HTTP protocol if desired.
Disable unsecure HTTP on the server.
The Notes Traveler client for Android devices would by default attempt registration of the device over SSL then if failed would also attempt over HTTP. This was done as convenience to the end user who often does not know which protocol the customer environment users.
With this change the Notes Traveler client will only attempt the secure connection by default. If this fails the end user has to explicitly indicate that they wish to connect over the unsecure HTTP protocol.
This fix is already deployed in Notes Traveler Client 220.127.116.11 for Android devices on Google Play store. This level of client is also included in Notes Traveler Server 18.104.22.168 IF8 and 9.0.1 IF7 and later deliveries. See this technote for the latest maintenance release information: http://www.ibm.com/support/docview.wss?uid=swg24019529
Reported component name
LOTUS NOTES TRA
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
LOTUS NOTES TRA
Fixed component ID
Applicable component levels