[Esri Official Patch] ArcGIS 10.1, 10.2.1, 10.2.2 for Server Security Patch

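Introduction

In February 2015, Esri released a security patch for ArcGIS for Server. Esri recommends that users of ArcGIS 10.1 SP1 QIP for Server and ArcGIS 10.2 pay close attention to this patch. ArcGIS 10.2 users should first install 10.2.1 or 10.2.2 and then apply this patch!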

ArcGIS for Server Security (January 2015) Patch

ArcGIS 10.2.2

ArcGIS 10.2.2 for Server

  • BUG-000080898 – Reflected cross-site scripting security (XSS) vulnerability.
  • BUG-000081239 – ArcGIS Server has an open redirect vulnerability.
  • BUG-000081401 – Multiple cross-site scripting (XSS) vulnerabilities in ArcGIS for Server.
  • BUG-000082665 – Disable SSLv3 on the internal Tomcat to prevent “POODLE” vulnerability.
  • BUG-000083941 – Unable to return attachments larger than a certain size in ArcGIS for Server on Linux.

To avoid conflicts with existing patches, the 10.2.2 patch also addresses these issues:

  • BUG-000082423 – Under consistent load, the javaw.exe process at ArcGIS 10.2.2 for Server consumes 25% of the server’s RAM, and any further request forces the process to use 100% of the machine’s CPU.
  • BUG-000083258 – Add support for CORS in Map/Image Services Tile Handler.
  • BUG-000081679 – When publishing to a federated GIS Server that has a config store on a DFS share, item information does not get copied to the portal item.
  • NIM103623 – After publishing services to a federated GIS Server, item information is missing for these specific data samples.
  • NIM103130 – Some of the tiles fail to generate on demand when the requests are sent through REST connection in ArcGIS for Server 10.2.2.
  • NIM102939 – Multiple stored cross-site scripting (XSS) vulnerabilities found. This occurs in ArcGIS Server 10.1, 10.1 SP1, 10.2, 10.2.1, and 10.2.2.
  • NIM102197 – Unauthorized access to some resources from secured services is possible in certain circumstances. This occurs in 10.2, 10.2.1, and 10.2.2.
  • NIM099582 – ArcGIS Server performance drops when switching the identity store configuration from Active Directory to Active Directory with nested group support.
  • NIM098130 – ExportTiles fails for Japanese iOS client due to mangled Japanese characters in JSON responses.
  • NIM097651 – Public map services become private and require authentication after a brief disconnect of the config-store when the server is under load.

ArcGIS 10.2.2 for (Desktop, Engine, Server) Geodatabase and Feature Service Sync Optimization Patch

  • NIM086295 – On Oracle ST_OrderingEquals is always returning the same value as ST_Equals.
  • NIM088321 – User defined spatial index grids are not honored by ArcGIS when using the Add SpatialIndex tool, even though the tool runs successfully.
  • NIM089682 – The following error message is returned when editing data that has been migrated from SDEBINARY to ST_GEOMETRY: “ORA-20085: Insert Spatial Reference SRID # does not match <schema.A###.SHAPE> registered Spatial Reference SRID 0”.

  • NIM091900 – After applying SP5 for ArcSDE 10, adding a new partition on a ST_Geometry table that contains a spatial index returns the following error: “ORA-29855: error occurred in the execution of ODCIINDEXCREATE routine.”
  • NIM094929 – In ArcMap, panning on a feature class created with a partitioned keyword for the ST_Geometry table returns the error “ORA-01000”.
  • NIM097633 – The travel time/distance returned by the OD Cost Matrix solver is occasionally excessively
    high when using a hierarchy compared to when not using a hierarchy.
  • NIM097983 – Optimize the opening of map documents by augmenting the geodatabase schema cache to
    include the properties of the sde metadata.
  • NIM098475 – Spatial indexes are not created when creating a feature class on an ArcSDE 10 database
    from an ArcGIS Desktop 10.2 Client.
  • NIM098917 – When the Network Dataset is allowed to build successfully, if a dirty area remains, an
    HRESULT must be returned so the user knows they are in this unique state.
  • NIM099080 – ArcCatalog does not return an error when the versioned view name has over 30
    characters, and fails to be created during Register As Versioned process in an Oracle geodatabase due to
    Oracle’s 30 character limitation.
  • NIM099085 – In ArcObjects 10.2, the CreateVersionedView method on the IVersionedView interface
    does not set the versioned view name to the string passed in. This works in ArcObjects 10.1.
  • NIM099098 – ST_ASTEXT Function is failing when the result set contains more than one record, and
    when the NUMPOINTS is ~2000 (or more).
  • NIM099162 – Use the schema cache when loading map services to improve map service start time
    performance.
  • NIM099198 – Use the schema cache when loading map documents in Engine applications to improve
    load performance.
  • NIM100049 – The OD Cost Matrix solver is slow when trying to solve from many orders to a single
    distribution center.
  • NIM100141 – Missing index on the SDE versions table results in full table scan.
  • NIM100273 – Views get overwritten during register as versioned if a view / versioned view of same
    name exists.
  • NIM100503 – Loading a very large shape (>15k points) followed by small shape results in ORA-28579:
    error.
  • NIM100692 – Filter out multi-versioned views from the list of objects returned by SE_table_list_tables().
  • NIM100697 – Change the “_VW” suffix to “_EVW” when versioned views are created, in order to be
    consistent with the EVW naming convention when we create MV views.
  • NIM100941 – Improve the Performance and Scalability of Creating and Syncing replicas by more
    efficiently caching database information.
  • NIM100942 – Deadlocks can happen on SQL server when multiple processes are creating and syncing
    replicas.
  • NIM101191 – Create and Sync replica should only activate schema cache if the replica has 10 or more
    datasets.
  • NIM101804 – Do not return feature datasets in which the connecting user has no access to feature
    classes within.
  • NIM101806 – Provide a mechanism to log what release a client is using when connecting to a
    geodatabase.
  • NIM102077 – ArcGIS reports that an Oracle SDELOB or WKB feature class created in a pre-10.1
    geodatabase does not have a spatial index when it does exist.
  • NIM102230 – Do not return the Documentation field on joined queries for Geodatabase internal
    metadata.
  • NIM102516 – Syncing where more than 1000 edits are downloaded with more than one client at the
    same time will cause one client to error.
  • NIM102517 – Decrease the size of the delta being downloaded to improve performance of download
    time on sync.
  • NIM102761 – When the Migrate Relationship Class gp tool is run on an attachment relationship class,
    attachments are no longer attached to the features.
  • NIM102762 – When the Migrate Relationship Class gp tool is run on an attributed composite relationship
    class, the composite relationship is not maintained when an origin feature is deleted.
  • NIM102848 – Creating a spatial index will pass values gathered from existing enterprise feature classes
    that may be invalid instead of passing correct values.
  • NIM102883 – When using a newer client (10.1+) against an older SQL server geodatabase (pre-10.1)
    through an application server connection, creation of a spatial index will fail on GEOMETRY or
    GEOGRAPHY feature classes with “This SDE server does not support this client or operation”.
  • NIM102996 – After dropping a spatial index on a binary feature class through an application server
    connection to a pre-10.1 geodatabase in SQL Server, ArcGIS is unable to determine the index is gone.
  • NIM103073 – Inserting a row into a table that has a column data type of VARCHAR (4001) will fail with
    “Invalid precision value”.

ArcGIS 10.2.1

ArcGIS 10.2.1 for Server

  • BUG-000080898 – Reflected cross-site scripting security (XSS) vulnerability.
  • BUG-000081239 – ArcGIS Server has an open redirect vulnerability.
  • BUG-000081401 – Multiple cross-site scripting (XSS) vulnerabilities in ArcGIS for Server.
  • BUG-000082665 – Disable SSLv3 on the internal Tomcat to prevent “POODLE” vulnerability.

To avoid conflicts with existing patches, the 10.2.1 patch also addresses these issues:

  • NIM102197 – Unauthorized access to some resources from secured services is possible in certain circumstances. This occurs in 10.2, 10.2.1, and 10.2.2.
  • NIM102939 – Multiple stored cross-site scripting (XSS) vulnerabilities found. This occurs in ArcGIS Server 10.1, 10.1 SP1, 10.2, 10.2.1, and 10.2.2.
  • NIM100965 – Starting a service with 0 minimum instances causes the service locks not to release if service is consumed while it is starting.
  • NIM097651 – Public map services become private and require authentication after a brief disconnect of the config-store when the server is under load.
  • NIM100306 – In ArcGIS for Server 10.2.1, a service with the ‘Minimum Instances’ parameter set to zero gets published with errors on a non-default cluster.

  • NIM100357 – Setting the code page in the registry does not properly change the code page used by a shapefile on creation.
  • NIM098820 – A shapefile created at 10.2, and then consumed and exported in 10.2.1, loses the attribute values in the last field.
  • NIM100355 – Adding Japanese characters as field names for a shapefile generates the error: “Failed to add the field to the table /Feature class. The field type is invalid or unsupported for the operation”.

ArcGIS 10.1

ArcGIS 10.1 SP 1 QIP for Server

  • BUG-000080898 – Reflected cross-site scripting security (XSS) vulnerability.
  • BUG-000081239 – ArcGIS Server has an open redirect vulnerability.
  • BUG-000081401 – Multiple cross-site scripting (XSS) vulnerabilities in ArcGIS for Server.
    Note: The fix for issue BUG-000082665 (POODLE/SSLv3 vulnerability) is only available in the 10.2.1 and
    10.2.2 patches.

To avoid conflicts with existing patches, the 10.1 SP1 QIP patch also addresses these issues:

  • NIM102197 – Unauthorized access to some resources from secured services is possible in certain circumstances. This occurs in 10.2, 10.2.1, and 10.2.2.
  • NIM102939 – Multiple stored cross-site scripting (XSS) vulnerabilities found. This occurs in ArcGIS Server 10.1, 10.1 SP1, 10.2, 10.2.1, and 10.2.2.
  • NIM094659 – After resolving attribute level conflicts with the Reconcile Version tool, users continue to receive the following warning message when running the Synchronize Changes tool, “Warning: Replica synchronize was successful, but conflicts were detected while applying changes from the relative replica.”
  • NIM087257 – Users in a lot of groups cannot authenticate when using HTTPS, Active Directory, and web tier authentication together.
