Reflection for Secure IT Windows Server 7.2 Service Pack 1 Update 1 - Features and Release Notes
Technical Note 2566
Last Reviewed 24-May-2012
Reflection for Secure IT Windows Server version 7.2 SP1 or higher
Reflection for Secure IT Windows Server 7.2 Service Pack 1 (SP1) Update 1 is available for maintained customers. This technical note lists the features and fixes included in Update 1 and SP1, and provides information about how to obtain your updated service pack.
Note: For information about Reflection for Secure IT 8.0 Server for Windows new features and release notes, see Technical Note 2642.
Before you apply the service pack, note the following:
- This document references a Reflection service pack. Service packs are available to licensed Attachmate customers with current maintenance plans for these products. For information about logins and accessing the Download Library, see Technical Note 0200.
- Reflection for Secure IT Windows Server version 7.2 SP1 Update 1 is a full product installation and does not require 7.2 to be installed.
- For a list of features originally included in Reflection for Secure IT Windows Server 7.2, see Technical Note 2518.
- For information about the Reflection PKI Services Manager 1.2 release, see Technical Note 2564.
New Features and Fixes in 7.2 SP1 Update 1
- Fix for security vulnerability described in CVE-2012-2110: The Server and certificate utilities (ssh-certview and ssh-certtool) now correctly interpret integer data from a crafted DER X.509 certificate to prevent a buffer overflow attack causing a denial of service. For more information, see Technical Note 2288.
- The SFTP Directories pane has a new setting: "Connect to accessible directories when accessed, instead of at login time." When this setting is enabled, the server does not attempt to access all configured SFTP directories when a user first makes a connection, but waits instead until the user tries to access a directory. This makes the initial connection faster, but means that the user may be denied access to a listed directory that is discovered to be unavailable when the user attempts to access it. Clearing this setting may make the initial logon noticeably slower, but ensures that unavailable directories will not be included in the initial directory listing. This setting is enabled by default.
- User Subconfiguration settings are now properly applied.
- Authentication to a trusted domain is now successful.
- Public key authentication to a UNIX SSH server from within a Windows SSH session no longer fails.
New Features in Reflection for Secure IT 7.2 SP1
Note: The current evaluation package available for download does not include this service pack. If you want to evaluate features that are included in this service pack, please contact Attachmate technical support, http://support.attachmate.com/contact/.
The following new features are included in Reflection for Secure IT Windows Server 7.2 SP1:
- When Reflection for Secure IT is configured to run in FIPS mode, use of the Windows Certificate Store for server certificate signing is now allowed if Windows is also configured to run in FIPS mode.
- Users who belong to multiple Active Directory groups can now access all of their multiple Group Configuration SFTP Directories.
- SFTP transfers now support SFTP version 4. This change provides UTF-8 character support. The default is SFTP version 4, but the server will drop to version 3 if the client doesn’t support version 4.
- You can now configure the server to enable or disable smart copy and resume.
- Browsing of SFTP directories is limited by NTFS permissions.
- You can now view the latest debug log file from the Console.
- You can now set a maximum number of public key attempts per session.
- The Reflection for Secure IT server now supports connections to multiple PKI servers. This helps ensure high availability of the validation services provided by the PKI Services Manager.
- The Reflection for Secure IT server supports a new option for retrieving the PKI Services Manager public key. This option simplifies setup for certificate validation. Note: This feature is available beginning with PKI Services Manager 1.2.
- The ssh-certtool utility now supports a FIPS mode option (-f). This option ensures that any PKCS#10 requests include keys that meet FIPS standards.
Resolved Issues in 7.2 SP1
- Downloading files with a UNIX client using the scp utility with the preserve file attributes command line option (-p) now preserves timestamps.
- Connections to SFTP virtual directories with UNC paths ending in a backslash are successful.
- You now configure the Login directory by specifying a virtual directory name, instead of a physical directory. As a result, the <virtual root directory> has been removed from the User login directory option.
- The server no longer sporadically stops accepting sftp connections with an "EXCEPTION_ACCESS_VIOLATION" message.
- Using SFTP accessible directory settings for SCP1 no longer causes a "Permission denied in virtual root directory" message.
- The display now renders properly when the columns are set to more than 129 and a "clear" command clears the whole screen.
- Switching the user's credential of the Terminal Provider (cmd.exe) no longer generates an application error.
- Comment lines without any spaces in the authorization file are now allowed.
- The warning "RemoteLogServer for RSSHAP xxx Event data size is unreasonable, ignoring event" is no longer added to the Event Viewer after a successful connection.
- The obsolete TCPNoDelay setting in the server XML configuration file has been removed.
- Fixes for security vulnerability CVE-2010-3190: Updated the Microsoft Redistributable Library files for the untrusted search path vulnerability.
- Fix for security vulnerability described in CVE-2009-2408: Generating certificate signing requests (pkcs10) with the ssh-certtool utility now sanitizes input to CN= and AltSubjName strings to prevent Kaminsky PKI layer cake attacks.
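The kind of input screening described in the CVE-2009-2408 item can be sketched as follows. This is an added example, not Attachmate code: the function names and the sample value are constructed for illustration, and the actual checks performed by ssh-certtool are not documented in this note.

```python
import re
import unicodedata

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


class UnsafeNameError(ValueError):
    """Raised when a CSR name field must not be passed on for signing."""


def c_string_view(value: str) -> str:
    """Return what a NUL-terminated string comparison would see."""
    return value.split("\x00", 1)[0]


def check_csr_string(value: str) -> str:
    """Screen a free-text field such as CN=: no control or format characters."""
    if not value or value != value.strip():
        raise UnsafeNameError("empty value or surrounding whitespace")
    for offset, ch in enumerate(value):
        # Cc covers NUL and other control codes; Cf covers invisible format marks.
        if unicodedata.category(ch) in ("Cc", "Cf"):
            raise UnsafeNameError(f"U+{ord(ch):04X} at offset {offset}")
    return value


def check_dns_name(value: str) -> str:
    """Screen a host name used in CN= or a DNS alternative name."""
    check_csr_string(value)
    if len(value) > 253:
        raise UnsafeNameError("name longer than 253 characters")
    labels = value.split(".")
    if labels[0] == "*":          # a single leading wildcard label is allowed
        labels = labels[1:]
    if not labels or not all(_LABEL.fullmatch(label) for label in labels):
        raise UnsafeNameError(f"invalid DNS label in {value!r}")
    return value.lower()


# Constructed sample: the issuer and a NUL-terminating client disagree on this name.
SAMPLE = "www.bank.example\x00.attacker.test"

if __name__ == "__main__":
    print("C-string view:", c_string_view(SAMPLE))
    try:
        check_dns_name(SAMPLE)
    except UnsafeNameError as err:
        print("rejected:", err)
```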
For current information about security alerts and advisories that may affect Reflection for Secure IT, see Technical Note 2288.
Obtaining the Service Pack
Maintained customers are eligible to download the latest product releases, service packs, and updates from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/. For more information about logging into and using the Download Library, see Technical Note 0200.
Installing the Service Pack
Reflection for Secure IT Windows Server version 7.2 SP1 is a full product installation and does not require 7.2 to be installed.
If you are upgrading an existing copy of Reflection for Secure IT version 7.2, note the following:
- If the server is running when you apply the upgrade, the installer stops the service and any existing client connections will be disconnected.
- We recommend that you back up your server configuration file before upgrading. This may be useful if you want to revert to an earlier version at some point in the future.
- After applying the service pack, you need to restart Windows to complete the installation.
For information about Reflection for Secure IT supported platforms, see Technical Note 1944.