INC-145033 · Issue 599480
ForgotPassword responses made consistent
Resolved in Pega Version 8.5.2
To prevent possible exposure of valid usernames, the ForgotPassword logic has been updated so that it will show the same messages and set of screens to both valid and invalid users if a lost password request is made.
INC-145694 · Issue 601294
Property check handling updated for Ajax requestor
Resolved in Pega Version 8.5.2
SECU0001 alerts were seen when submitting a case in the interaction portal. Logging indicated the errors were related to the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties which are included in an Ajax request when they exist in the DOM and the 'pyGeolocationTrackingIsEnabled' when rule is true. The error was traced to a condition where a new thread request results in an unexpected property check that encounters a clipboard which doesn't have any pages created for that thread. To resolve this, the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties have been added to an allow list to handle the unexpected properties check.
INC-146434 · Issue 602738
Accessibility added to Security Event Configuration headers
Resolved in Pega Version 8.5.2
Labels for the headers in the Security Event Configuration screen have been converted to dynamic layout headers so they will be detected by JAWS screen reader.
INC-146921 · Issue 601635
Cross-site scripting update for Dev Studio
Resolved in Pega Version 8.5.2
Cross Site Scripting (Cross-site scripting) protections have been added to Developer Studio.
INC-151253 · Issue 607624
Hash comparisons adjusted for upgraded sites
Resolved in Pega Version 8.5.2
Existing Pega Diagnostic Cloud SSO URLs were not working after upgrade. This was traced to the previous tenant hash (or AG hash) having padding characters like ‘(’ which are no longer used in higher versions. This caused the tenant hash comparison during the SAML login flow to fail. To resolve this, the system will not compare an incoming tenant hash (in relay state) with a current platform tenant hash, but instead will rely on the “/!” pattern to identify the tenant hash in the relay state.
INC-142831 · Issue 605475
Corrected Outlook web inline image handling
Resolved in Pega Version 8.3.6
Outlook web was not able to render inline images and instead added them as external attachments. Investigation showed inline images were not being rendered properly in Outlook web due to the disposition not being set. This has been corrected.
INC-143668 · Issue 617486
Performance improvements for Attachment Migration Utility
Resolved in Pega Version 8.3.6
The Attachment Migration Utility was showing a zero count for attachments in the Pega Database. This was traced to the underlying report definition that retrieves data for the Attachment Migration Utility timing out, and has been resolved by updating the activities to improve performance for applications having a large number of attachments without customization.
INC-143908 · Issue 606548
Data Page Save correct in batch mode
Resolved in Pega Version 8.3.6
After configuring a List type savable Data Page with save activity in Code-Pega-List, the save data page was triggered from utility of flow from the queue processor to handle queueing 10k data items and creating 10k work objects. When this was run, a field dpClassName was being changed by different threads in DataPageSaverImpl.java. This has been resolved by making the class DataPageSaverImpl.java stateless to ensure thread safety.
INC-144387 · Issue 605341
Support added for allow list for LaxRedirectStrategy
Resolved in Pega Version 8.3.6
When using Connect REST with POST to access a third-party service deployed on multiple nodes, the load balancer sometimes replied 302 with Location header. The ability to allow the REST connector to automatically follow these redirects even in the case of POST messages is supported by Apache http client via LaxRedirectStrategy, but REST Connectors need both rule and engine enhancements to allow for this. To support this use, an allow list has been implemted for hostnames. This will allow the connector to be configured to follow the LaxRedirectStrategy only when the hostname of the redirect location is in the allow list. The default will continue to block the redirect.
INC-144913 · Issue 607993
Handling added for unknown ProducerID exception
Resolved in Pega Version 8.3.6
An "UnknownProducerIdException" was seen in the PegaRULES and Kafka broker logs for Stream services. This exception is raised by the broker if it can not locate the producer metadata associated with the producerId in question. This could happen if, for example, the producer's records were deleted because their retention time had elapsed. Once the last records of the producerId are removed, the producer's metadata is removed from the broker and future attempts to append additional metadata will return this exception. To resolve this, a new producer will be used if the old one is unknown.