Do you remember my post about the backdoor in the default installation and my doubts about the SDLC at EMC? This sad story has a sequel! About a week ago my skypemate asked me whether I had experienced difficulties installing the latest patchsets on Content Server, and today I found a post on ECN with a similar problem:
It turns out that EMC tried to fix the security issue described in my post about the backdoor in the default installation and, as expected, failed – the latest Content Server patches contain a special XSLT intended to remove the mapping for DmSampleServlet from web.xml:
<xsl:stylesheet version="1.0" exclude-result-prefixes="xs"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xsl:template match="@* | node()">
    <xsl:copy>
      <xsl:apply-templates select="@* | node()"/>
    </xsl:copy>
  </xsl:template>
  <xsl:template match="//servlet[servlet-name = 'DmSampleServlet']"/>
  <xsl:template match="//servlet-mapping[servlet-name = 'DmSampleServlet']"/>
</xsl:stylesheet>
It seems that EMC thinks customers who are not going to upgrade their pre-D7 installations do not deserve a security fix.
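An added example, not part of the original post or of EMC's patch: a check an administrator can run against a deployed web.xml to confirm whether the servlet and servlet-mapping entries for DmSampleServlet are really gone after patching. It compares element local names, so it gives the same answer whether or not the descriptor declares a default XML namespace; the sample descriptors, class names and URL pattern below are constructed placeholders.

```python
import sys
import xml.etree.ElementTree as ET

TARGET = "DmSampleServlet"  # servlet name taken from the stylesheet above

def local(tag):
    """Drop a '{namespace-uri}' prefix so namespaced and plain descriptors compare equal."""
    return tag.rsplit("}", 1)[-1]

def find_servlet_entries(web_xml, name=TARGET):
    """Return [(element kind, [servlet-class / url-pattern values])] for entries naming `name`."""
    hits = []
    for el in ET.fromstring(web_xml).iter():
        kind = local(el.tag)
        if kind not in ("servlet", "servlet-mapping"):
            continue
        children = [(local(c.tag), (c.text or "").strip()) for c in el]
        if ("servlet-name", name) in children:
            hits.append((kind, [v for k, v in children if k in ("servlet-class", "url-pattern")]))
    return hits

# Constructed descriptors: class names and URL pattern are placeholders, not the product's values.
BODY = """
  <servlet>
    <servlet-name>DmSampleServlet</servlet-name>
    <servlet-class>example.placeholder.SampleServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>DmSampleServlet</servlet-name>
    <url-pattern>/placeholder/sample</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>Other</servlet-name>
    <servlet-class>example.placeholder.Other</servlet-class>
  </servlet>"""
PLAIN = "<web-app>" + BODY + "</web-app>"
NAMESPACED = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">' + BODY + "</web-app>"
CLEAN = "<web-app><servlet><servlet-name>Other</servlet-name></servlet></web-app>"

if __name__ == "__main__":
    # Usage: python check_webxml.py path/to/web.xml  (exit status 1 if the servlet is still declared)
    with open(sys.argv[1], "rb") as fh:
        found = find_servlet_entries(fh.read())
    for kind, values in found:
        print(f"still present: <{kind}> {TARGET} {values}")
    sys.exit(1 if found else 0)
```

Run it against every deployed copy of web.xml after the patch is applied; a non-zero exit status means the sample servlet is still declared and the descriptor needs manual cleanup.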