This section lists the customer-escalated issues resolved for the Sun Java System Application Server 7, Update 6, Update 7, Update 8, Update 9, Update 10, and Update 11.
Table 1–3 Fixed Bugs in Sun Java System Application Server Update Releases
Bug Number | Description
---|---
4942513 | Application server crashes in NSAPI SAF flex-log.
6465923 | Connection pool problem when database restarted repeatedly.
6528257 | Security vulnerability reported in Sun Alert ID: 102696.
4751904 | Broken links in the ConfigMQSeries.html page.
4771657 | Stateless checker application used stateful bean instead of stateless bean.
6546242 | Too many cursors are open when connection pool validation is enabled.
6587224 | Issues with URLEncode.
2136080 | Application Server 7 Update 8 and 2004Q2 UR4 were exposed to cross-site scripting vulnerability.
2136202 | Exception thrown during the closure of a connection by the pool was leading to a connection leak.
2136203 | Application Server 7.x connection pool did not manage failed connections well. Because of this, applications were unable to get connections later.
2136707 | On restart, initPool was throwing IllegalStateException and “jdbc pool not initialized (JDBC fails)” error message.
6360036 | Certificate was not getting deleted.
2127923 | The process appservd used to take up CPU resources when primordial appservd was not present.
2127992 | On RH3 Linux, the process appservd was crashing intermittently and this was caused by LinuxKernelStats (when stats-init is on).
2130022 | Application Server 7.x was crashing with CORE3148: failed to wait on signals.
6223368 | The ACLs, when created, were not showing up in the Application Server 7, Administration Console.
6285724 | HTTP request smuggling issue wherein for requests of the type "GETorPOST / HTTP/1.x" with content-length and body, Application Server returns index.html. It does not close the connection, reads the body, and treats the body as the next request.
6286783 | Server was not rejecting requests with double 'Content-Length' headers.
6308777 | If %C0%AE%C0%AE (representation of .. [dotdot] in UTF-8 format) exists in the URL, it will allow only JSPs to get executed anywhere in the system. This should not be allowed if one tries to go beyond the context root. In the case of ACLs, for protecting a specific JSP file, it is the user's responsibility to change/modify this ACL to wildcard ACLs to protect more.
6324565 | Web Server was not responding correctly when handling the "if-unmodified-since" header. It was sending back the actual content with 412 code for requests with "if-unmodified-since" and range.
2127693 | On Solaris, the user was not able to change the smux port of the Application Server subagent.
6197275 | New installation of Sun Java System Application Server Update 5 creates the cert7.db instead of cert8.db certificate database.
2126023 | Adding a principal to a security role and removing a principal from a security role did not work as expected after re-deployment.
2126024 | Server-Parsed HTML led to the display of JSP sources with a trailing '/' in the URI.
2126025 | Application Server Reverse SSL Proxy plugin was vulnerable to MITM attacks.
2126026 | Missing synchronization in the connection pool could cause deadlock.
2126242 | Session Timeout did not appear to be taking into account the last access time.
6240424 | A default error page had a cross-site scripting vulnerability.
6580257 | Session rewrite where jroute cookie ID is added to the end of the URL causes Query string error.
6659235 | Avoid calling Detach and AttachCurrentThread when TSD destructors are called.
6789543 | Version needs to be updated.
6789699 | Bundled Java Developer Kit (JDK) needs to be updated to 1.4.2_18.
6628471 | Bundle new NSPR library (4.6.8) for fix to CR#6596161.