Reflection 14.1 Service Pack 4 Release Notes

The Reflection Windows-based products version 14.1 Service Pack 4 (SP4) is available to maintained users who already have 14.1 installed and to customers who have downloaded and installed the version 14.1 evaluation package. This technical note provides information about how to obtain the service pack and a list of fixes included in the service pack. This note also includes fixes in Reflection FTP Client 14.1 SP4, which is included with all of the products listed in the Applies To section.

Note: Service Pack 4 is superseded by Service Pack 4 Update 1, which released in August 2015. See KB 7021743.

• Service Pack 4 includes features and fixes previously released in Reflection 14.1 Service Pack 3 Update 1. For a list of these features and fixes, see KB 7021738.
• Service Pack 4 includes features and fixes previously released in Reflection 14.1 Service Pack 3. For a list of these features and fixes, see KB 7021736.
• For important information regarding security updates and Reflection products, see https://support.microfocus.com/security/.

Before you apply the update, note the following:

• Service Packs are available to licensed Attachmate customers with current maintenance plans for these products. For information about logins and accessing Attachmate Downloads, see KB 7021965.
• If you have installed (or plan to install) Reflection Administrator's Toolkit, you must use the latest version of the Toolkit. The Reflection Administrator's Toolkit features may not work correctly if you are running a version of Reflection that is newer than your Toolkit version. The latest version of Reflection Administrator's Toolkit, ratkit-14.1.4-prod-w32.exe, is available for download from Attachmate Downloads. If you have not yet installed this version of the Reflection Administrator's Toolkit, you need to download and install the latest Reflection Administrator's Toolkit in addition to installing this service pack.
• Removing Reflection software packages will result in your users losing settings information for those components that store this information in the registry. This affects Reflection X, Reflection Windows-based products, and the FTP client. To save these settings, refer to KB 7021647.

Obtaining the Service Pack

The latest Reflection 14.1 Service Pack is available from Attachmate Downloads, https://download.attachmate.com, and applies to version 14.1 of the following products:

If you have the 64-bit components of Reflection X version 14.1 installed, you must apply the 64-bit service pack.

Note: If you have more than one Reflection product installed on a workstation, applying this service pack will update all products at the same time. (It is not possible to run multiple versions of Reflection Windows-based products on the same workstation.)

See the following technical notes for information about applying the service pack:

Supported Platforms

For information about platform support in Reflection, see KB 7021763.

Reflection for IBM 14.1 SP4

• Local folders in the Transfer window (File > Transfer) are no longer duplicated when a session is launched from a session file that is saved in a hidden folder.
• When using IND$FILE, the show Host Files now correctly displays the TSO host file listing when the leading character of the login ID/filename qualifier is a special character such as “$” or “@”.
• The Reflection for IBM VersionString property now returns the same value that is displayed in the Help > About Reflection dialog box.
• When TLS 1.0 is selected, Reflection now correctly enforces the “Retrieve and validate certificate chain” setting for all connections.
• Host name resolution is now successful for SSL connections in an IPv6-only network.
• Reflection now correctly handles hotspots with double-byte characters.

Reflection for UNIX and OpenVMS 14.1 SP4

• Leaving the Secure Shell change password dialog box open during a period of inactivity and/or failed attempts no longer causes the Reflection session to freeze.

Also see Secure Shell Changes.

Reflection for HP 14.1 SP4

• Leaving the Secure Shell change password dialog box open during a period of inactivity and/or failed attempts no longer causes the Reflection session to freeze.
• When configuring a PKCS #11 provider in the Reflection Certificate Manager, selecting an invalid DLL no longer causes Reflection to close with an AccMgr32.exe application error.

Also see Secure Shell Changes.

Reflection X 14.1 SP4

• This service pack includes a number of security fixes provided by X.Org. These include changes to font server protocol handling and GLX to prevent buffer overruns and denial of service attacks.
• This service pack adds support for GLX_EXT_texture_from_pixmap, which is one of several requirements for Gnome 3.0 full functionality.
• When Gothic font is selected in Gnome-terminal on a Linux host, single-byte characters now display correctly.
• Reflection X will no longer prompt for a user name if it was already supplied for SSH, Telnet, and/or Rlogin connections.
• XDMCP sessions to very old VMS hosts no longer cause Reflection X application errors.
• Running the FluidMark benchmark through Wine will no longer cause a Reflection X application error.
• Reflection X client files that with particular Japanese Kanji characters in the .rxc filename now show up as expected in the Reflection X tree.

Also see Secure Shell Changes.

Reflection FTP Client 14.1 SP4

• This service pack resolves a problem that can cause a Reflection FTP Client application error when you are connected to a server and perform actions on the file system after viewing the Site Properties dialog box.

Also see Secure Shell Changes.

Secure Shell Changes

The items in this section include changes that affect Secure Shell connections in all products that support this connection type, as well as changes to the Secure Shell command line utilities that are provided with these products.

Improvements

• You can now use the scp command to copy files to a different location on the same server. Commands of this type no longer fail with a message that says, "Couldn't open local file <file> for writing: (123) The filename, directory name, or volume label syntax is incorrect."
• The Reflection Key agent now supports multiple concurrent connections from a single emulator.

Resolved Issue

When an unknown host key fingerprint message is displayed, it now shows the host key using "ssh-rsa" format, which matches the format used in Reflection for Secure IT servers.

Security Fixes

For a summary of all security updates that affect Reflection, see https://support.microfocus.com/security/. This service pack includes fixes for the following reported security vulnerabilities:

• CVE-2014-0224 (TLS/SSL MITM) - This service pack fixes a vulnerability in OpenSSL that could allow an attacker with a man-in-the-middle vantage point on the network to decrypt or modify traffic.
• CVE-2014-5211 - Attachmate Reflection FTP Client Stack Buffer Overflow Remote Code Execution Vulnerability
• CVE-2014-0605 - Attachmate Reflection Secure FTP Client ActiveX Control Remote Code Execution Vulnerability
• CVE-2014-0604 - Attachmate Reflection Secure FTP Client ActiveX Control Remote Code Execution Vulnerability
• CVE-2014-0603 - Attachmate Reflection Secure FTP Client ActiveX Control Multiple Memory Corruption Remote Code Execution Vulnerabilities and Attachmate Reflection Pro FTP ActiveX Control Untrusted Pointer Dereference Remote Code Execution Vulnerability

Legacy KB ID