========================================================================== The checksum's (found through sum -r) of the files that you have received (other than this README) are as follows: 41914 3 patchSG0002338 32107 4 patchSG0002338.idb 36841 107 patchSG0002338.outbox_sw ========================================================================== - 1 - 1. Patch_SG0002338_Release_Note This release note describes patch SG0002338 to IRIX 6.3 for O2 (incl. R10K) and IRIX 6.4 Patch SG0002338 replaces patch SG0001724 and patch SG0002222 1.1 Supported_Hardware_Platforms This patch contains bug fixes suitable for all hardware platforms running the supported software platforms described below. 1.2 Supported_Software_Platforms This patch contains bug fixes for OutBox 1.4 on a system running IRIX 6.3 for O2 (incl. R10K) or IRIX 6.4 The software cannot be installed on other configurations. 1.3 Bugs_Fixed_by_Patch_SG0002338 This patch contains fixes for the following bugs in IRIX 6.3 for O2 (incl. R10K) and IRIX 6.4 Bug numbers from Silicon Graphics bug tracking system are included for reference. o 514590 - OutBox domainname security bug This patch also includes fixes from patch 2222: o 498919 - OutBox has numerous security vulnerabilities. o 484580 - webdist has security hole. o 443650 - OutBox wrap doesn't handle mailto or file WebJumpers. Clicking on a WebJumper containing non- http: URL types displays the WebJumper file instead of opening the URL. o 507641 - OutBox should not display RCS source control directories. and also fixes from patch 1724: o 448788 - OutBox publishing tool: clicking on down-arrow to pop up folder selection menu can cause application to exit unexpectedly with a core dump. - 2 - o 453793 - OutBox user web page: clicking on 'Snap' toolbar button to change the user's picture will display an error dialog instead of the mediarecorder image capture tool. Side effects: The fixes for the security-related bugs 484580 and 498919 required removal of the functionality responsible for the security problems. The resulting changes in OutBox behavior are described below: o On the OutBox user page, published files no longer display the "(download)" link. This provided the user with a way to download a document without viewing it. This feature was not secure, and has been removed. The secure way to download a document is by using the browser 'Save Link As' feature. (In Netscape, press Shift-Button1 on the OutBox file, or press the right mouse button over the link to access the feature via a popup menu.) o The script "/cgi-bin/wrap" has been modified. A URL containing the text "/cgi-bin/wrap" can no longer be used to view a document. To access a document from such a URL, simply remove the text "/cgi-bin/wrap" from the URL. Note: the "/cgi-bin/wrap" script is still used in URL's pointing to OutBox folders. URL's pointing to OutBox folders should not be modified. o The script "/cgi-bin/handler" has been disabled. A URL containing the text "/cgi-bin/handler" can no longer be used to download a document. To access the document from such a URL, remove the text "/cgi-bin/handler" from the URL. o The script "/cgi-bin/webdist.cgi" has been disabled for security reasons. To generate a Web Software Distribution Page, use the tool "/usr/etc/webdist" from the command line. See the "webdist" man page for more information. 1.4 Subsystems_Included_in_Patch_SG0002338 This patch release includes these subsystems: o patchSG0002338.outbox_sw.outbox o patchSG0002338.outbox_sw.webdist - 3 - 1.5 Installation_Instructions Because you want to install only the patches for problems you have encountered, patch software is not installed by default. After reading the descriptions of the bugs fixed in this patch (see Section 1.3), determine the patches that meet your specific needs. If, after reading Sections 1.1 and 1.2 of these release notes, you are unsure whether your hardware and software meet the requirements for installing a particular patch, run inst. The inst program does not allow you to install patches that are incompatible with your hardware or software. Patch software is installed like any other Silicon Graphics software product. Follow the instructions in your Software Installation Administrator's Guide to bring up the miniroot form of the software installation tools. Follow these steps to select a patch for installation: 1. At the Inst> prompt, type install patchSGxxxxxxx where xxxxxxx is the patch number. 2. Initiate the installation sequence. Type Inst> go 3. You may find that two patches have been marked as incompatible. (The installation tools reject an installation request if an incompatibility is detected.) If this occurs, you must deselect one of the patches. Inst> keep patchSGxxxxxxx where xxxxxxx is the patch number. 4. After completing the installation process, exit the inst program by typing Inst> quit - 4 - 1.6 Patch_Removal_Instructions To remove a patch, use the versions remove command as you would for any other software subsystem. The removal process reinstates the original version of software unless you have specifically removed the patch history from your system. versions remove patchSGxxxxxxx where xxxxxxx is the patch number. To keep a patch but increase your disk space, use the versions removehist command to remove the patch history. versions removehist patchSGxxxxxxx where xxxxxxx is the patch number. 1.7 Known_Problems There are no known problems with the patch at this time.