Only a few days after a cross-site scripting vulnerability was discovered in IBM Sametime, a fix is available from IBM Fix Central.
The security issue may affect the stand-alone, embedded and web clients, but not the mobile and basic clients, and not Sametime versions 8.0.1, 8.0.0 or 7.5.1.
More details and the appropriate fix can be found here: Fix available for potential security vulnerability in IBM Sametime.
If you are using Domino security policies – e.g. to define password quality or the password change interval – together with the “Lockout ID” functionality to prevent users from accessing the Lotus Notes environment, you should pay attention to the following technote:
-> Global policy setting ignores ‘Lockout ID’ setting in Person document
From what I have tested so far, it doesn’t matter whether it’s a global, organizational or explicit policy. As soon as you assign a policy that includes a security settings document to a user, setting the “Check password” field to “Lockout ID” has no effect and the user can still access the Domino server.
I bet there are many Domino administrators out there who wrongly trust the “Lockout ID” feature :-)
After upgrading to IBM Connections 3.0.1 (the same happened when going from 2.5 to 3.0), do not forget to check your module security settings if you had adjusted them. The installer resets them to the default values (at least in some modules), so your Connections environment may become accessible to everyone.
Verify your settings in the ICS under Enterprise Applications -> [Module] -> Security role to user / group mapping.
More information about the different roles -> Roles in Connections 3.0.1
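To make this check repeatable after each upgrade, here is an added example (not part of the original post) that walks every installed application with wsadmin and flags security roles mapped to “Everyone” or “All authenticated”. It assumes the text layout that `AdminApp.view(app, ['-MapRolesToUsers'])` prints; the group name in the sample is made up.

```python
# Added example, not from the original post. Runs inside wsadmin (Jython,
# hence old-style syntax); the text layout of AdminApp.view(..., ['-MapRolesToUsers'])
# is assumed from typical output and may differ between WebSphere versions.

def find_open_roles(view_output):
    """Return (role, how) for each role mapped to Everyone or All authenticated."""
    open_roles = []
    role = None
    for raw in view_output.splitlines():
        line = raw.strip()
        if line.startswith('Role:'):
            role = line.split(':', 1)[1].strip()
        elif role is not None and line.startswith('Everyone?:'):
            if line.split(':', 1)[1].strip().lower() == 'yes':
                open_roles.append((role, 'Everyone'))
        elif role is not None and line.startswith('All authenticated?:'):
            if line.split(':', 1)[1].strip().lower() == 'yes':
                open_roles.append((role, 'All authenticated'))
    return open_roles

# Constructed sample in the assumed layout: "reader" is open to everyone,
# "admin" is restricted to a (made-up) group.
SAMPLE_VIEW = """MapRolesToUsers: Map security roles to users or groups
Role:  reader
Everyone?:  Yes
All authenticated?:  No
Mapped users:
Mapped groups:

Role:  admin
Everyone?:  No
All authenticated?:  No
Mapped users:
Mapped groups:  connections-admins
"""

def audit_all_applications():
    """Inside wsadmin: walk every installed application and report open roles."""
    for app in AdminApp.list().splitlines():
        for role, how in find_open_roles(AdminApp.view(app, ['-MapRolesToUsers'])):
            print('%s: role "%s" is mapped to %s' % (app, role, how))

if __name__ == '__main__':
    try:
        AdminApp
    except NameError:  # not inside wsadmin: exercise the parser on the sample
        print(find_open_roles(SAMPLE_VIEW))
    else:
        audit_all_applications()
```

Run it with `wsadmin.sh -lang jython -f <script>`; any line it prints is a role you should compare against the intended mapping for that module.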
Due to a possible stack overflow in the Sametime Multiplexer (MUX), the Sametime server is said to be attackable; at least that is what the Zero Day Initiative reported to IBM. But don’t worry: the cause is fixed in version 8.0.1, and for Sametime 7.5.1 CF1 there is a hotfix.