From Zone-H.org:
Product: Symantec Clientless VPN Gateway 5.0 - Model 4400 Series
Copyright (c) 2004 Symantec Corporation August, 2004

Hotfix: SCVG5-20040806-00


This document contains the following information about the Symantec Clientless
VPN Gateway 5.0 - Model 4400 Series:

* Prerequisites
* Affected components
* Fix descriptions
* Known issues
* Installation instructions
* Uninstallation instructions

*******************************************************************************
Prerequisites:

The following hotfixes are included in and may be applied before the hotfix SCVG5-20040806-00:

SCVG5-20020326-00
SCVG5-20020510-00
SCVG5-20020513-00

*******************************************************************************
Affected components (not including superseded hotfixes):

Authentication
ActiveX (Windows) file browser
End user UI
HTML file browser
LCD
Management tool CLI
POP/IMAP/SMTP data proxy
Port forwarder
Security Gateway Management Interface (SGMI)
Web-based email
WebVPN

*******************************************************************************
Fix descriptions:

The descriptions are listed by component.

All components:
- Fixed 115 miscellaneous bugs.

Authentication:
- Added Windows 2003 Server support to the Windows Authentication Wizard.
- Fixed an issue where the "group test" feature of the Windows
Authentication Wizard did not work correctly.

ActiveX file browser:
- Fixed issue where file browser behaves incorrectly if empty values for
the username and password for a file share are used.
- Fixed issue where the file browser does not prompt for user credentials
for shares which allow both anonymous logins and user logins.
- Fixed various security vulnerabilities.

End user UI:
- Added foreign character support for SCVG portal page, including News.
- Fixed various XSS security vulnerabilities.
- Fixed security hole where user A can change user B's single signon
information (username and password included) through the end user UI.
- Disallowed browser password autocompletion feature for single-signon
login page.
- Fixed a problem with autostarted mapi://, thttp://, and thttps:// URLs.

HTML file browser:
- Fixed various security vulnerabilities.
- Internationalized the file browser.

LCD:
- Added option (7) that allows one to set the administrator password
without setting up networking details.
- Fixed issue where the factory reset feature did not clear the SCVG's
internal user database.

Management tool CLI:
- CLI quickstart command now skips networking setup questions that have
already been answered by previous LCD or quickstart sessions (previously,
running quickstart twice produced spurious error messages).
- Fixed problem that occurs for LDAP passwords longer than 8 characters
(also in the SGMI and end user UI).
- Fixed an issue where adding search domains, while using DHCP, did not
work (also in the SGMI).
- Added command (userdatabase clear) that clears the SCVG's internal user
database.
- Extended the "user show" command to allow an optional "user=" argument.
Use "user show user=User authserver=Server"
to check for the existence of the user "User" on authentication server
"Server".
- Extended the "group show" command to allow an optional "group=" argument.
Use "group show group=Group authserver=Server"
to check for the existence of the group "Group" on group server
"Server".

Port forwarder:
- Fixed mapi:// tunnel autostart issue.
- Fixed tunnel autostart not working on certain versions of Sun Java.
- Fixed problem where vpn:// tunnels fail if the SCVG is on the same subnet
as the client browser.

POP/IMAP/SMTP data proxy:
- Added SMTP support for the mail data proxy.
- The SGMI Mail screen allows the configuration of an SMTP proxy, in
addition to POP and IMAP.

Security Gateway Management Interface (SGMI):
- Added progress bar to the group import operation, and eliminated timeout
that may appear when importing a large number of groups.
- Added progress bar to the Windows authentication/group server setup
process.
- Added a warning message to the success message that appears when making a
new authentication role.
- Added a security warning to the success message that appears when an
access rule is added allowing TCP or UDP access to the SCVG's own
hostname.
- Fixed the misdisplaying of trusted domain usernames (e.g., DOMAIN\USER)
on the end user UI login screen.
- Fixed bug: If a Windows DC has the "Restricted Anonymous" option on, the
Windows Authentication Wizard does not use the sysadmin credentials, even
though it asks the sysadmin to enter them, and, as a result, the
group-only server does not work.
- Fixed bug where it is not possible to upload an LDIF with hundreds of
users.
- Fixed the misdisplaying in the role inheritance graph of certain
characters in role names.
- Fixed remote single-signon bug that occurs when a single-signon rule
contains spaces.

Web-based email:
- Internationalized and otherwise updated the builtin web-based email
application (accessed through mail:// URLs).

WebVPN:
- Added UTF-8 encoding support through the WebVPN, to support foreign
character sets in web sites.
- Reorganized WebVPN memory management so that RAM is returned to the
system at the end of WebVPN operations, without any speed sacrifices
compared to the old memory handling.
- Decreased WebVPN memory footprint.
- Added support for several non-standard JavaScript features (including
octal escapes) that are supported in modern browsers.
- Fixed HTML translation of "mailto:" links.
- Fixed RAM leak when translating JAR and certain ZIP files.

*******************************************************************************
Known issues:

- When using the Windows Authentication Wizard to use a Windows NT 4 domain,
the NT domain controller must have Service Pack 6 installed.
- When using the Windows Authentication Wizard to use a Windows 2000
domain controller, the domain controller must have Service Pack 4
installed.
- When using the Windows Authentication Wizard to access group information
from trusted domains, the Symantec Clientless VPN Gateway must be able
to resolve the trusted DCs' NetBIOS names to IP addresses. This can be
accomplished through broadcast, or by configuring WINS server(s) on the
Symantec Clientless VPN Gateway.
- File browser access of file shares on Windows 2003 servers is not
supported at this time.
- At this time, the Symantec Clientless VPN Gateway does not support changing
expired passwords when authenticating against a Windows 2003 domain
controller, when not joined to its domain.
- This hotfix is large and may take a long time to upload to the appliance,
depending on network performance.
- This hotfix is large and may take over a minute to install or uninstall,
especially on the 4420 model. Interrupting the installation or removal
process midway through the operation (step 7 in the Installation
instructions below) may place the appliance into an undefined state.
- In the Mozilla 1.5 browser with the popup blocking feature enabled,
SGMI logoff may not work correctly. The administrator may receive the
error message "An administrator is already logged on." when trying to log
on after such a malfunctioning logoff. This situation can be resolved by
typing "adminaccess weblogout" in the management CLI.
- The preceding issue may also occur with other popup blocking solutions.

*******************************************************************************
Installation instructions:

This patch provides fixes for the Symantec Clientless VPN Gateway 4400 Series.

1. Download the patch file to a location accessible from the Security Gateway
Management Interface (SGMI).
2. In the SGMI, under the Server tab, click Hotfix.
3. In the right pane of the SGMI, click Browse, and in the dialog box that
pops up, select the PKG*.tgz file, then click Open.
4. In the right pane of the SGMI, click Install.
5. Wait until the confirmation page appears in the right pane of the SGMI.
6. In the right pane of the SGMI, click Confirm.
7. Wait until a success message appears in the right pane of the SGMI.
This may take over a minute!
8. Click Reboot (next to the success message in the right pane of the SGMI).
9. Close the browser running the SGMI. You should be able to log on again once
the reboot process is completed.

NOTE: End users may have to manually clear the browser cache in order for
the WebVPN changes to go into effect.

*******************************************************************************
Uninstallation instructions:

1. In the SGMI, under the Server tab, click Hotfix.
2. In the right pane of the SGMI, click Remove Active Hotfix.
3. Wait until the confirmation page appears in the right pane of the SGMI.
4. In the right pane of the SGMI, click Confirm.
5. Wait until a success message appears in the right pane of the SGMI.
This may take over a minute!
6. Click Reboot (next to the success message in the right pane of the SGMI).
7. Close the browser running the SGMI. You should be able to log on again
once the reboot process is completed.

NOTE: End users may have to manually clear the browser cache in order for
the WebVPN changes to go into effect.
And of course, here's some more information.