Installation of the hotfix for security vulnerability 30815 (UPDATE)

Author: jan.cees.boogaard@uniface.com (JanCees)

The vulnerability can be fixed by replacing the Uniface component usyshttp.svc with the version in the hotfix. There are three different versions of the component. One for Uniface 9.5, patch levels E104 until E124 (last 9.5 patch), one for Uniface 9.6.01 GA until X104 (last patch on Uniface 9.6.01) and one for Uniface 9.6.02 and higher until patch X505 (last patch on version 9.6.05). Uniface version 9.6.06/Service pack MX05 no longer have this vulnerability. The hotfixes can be downloaded from these URLs: Uniface 9.5, E104 – E124: https://download.uniface.com/downloads/Uniface/outgoing/e104-e124/usyshttp.svc Uniface 9.6, 9.6.01GA – X104: https://download.uniface.com/downloads/Uniface/outgoing/9601-x104/usyshttp.svc Uniface 9.6, 9.6.02/MX01 – X505: https://download.uniface.com/downloads/Uniface/outgoing/mx01-x505/usyshttp.svc To be able to download these files, access to the Uniface download site is required.  Registration can be done through the registration section on the download site. In a classic deployment situation the file needs to be copied over the existing one in the …/common/usys directory. In a standard deployment situation the, the component needs to be replaced in the usys.uar (or in the different uar files as used in the installation.) The standard usys.uar is located in the .../common/usys directory. Copying the new component in can be done with the urm utility, which can be found in the …/common/bin directory. The urm.exe needs to be run from the command line as follows: urm.exe copy {file_path}/usyshttp.svc {file_path}/usys.uar:/svc/  (Please note that the final slash after svc is mandatory)   If you have any questions or problems regarding this fix, then please contact Uniface Technical Support.

1 Comment

  1. The hotfix for security vulnerability 30815 has been re-released - the download links have not changed (see previous post in this topic). In case you have downloaded the hotfix before today (January 14, 2015) then please download the updated Uniface component usyshttp.svc and overwrite the usyshttp.svc that was delivered with the initial version of the hotfix. The previous version of the hotfix produced unnecessary debug messages and this problem has now been corrected. If you have any questions or problems regarding this fix, then please contact Uniface Technical Support.


    Author: diseli (daniel.iseli@uniface.com)