Legacy status proxy - providing data feed compatibility to passive clients not migrated to JSON yet

Thanks for keeping up the good work! I still use the tool on a daily basis to run QuteScoop. Would it be possible to have an optional update check? This would waive any privacy concerns as participation would be voluntary. I think it would be a great addition. Unless adding such a feature would require a huge amount of work and time to be invested, of course!

I already had an update check in mind for the next feature update. Concerns over DSGVO/GDPR mean it probably cannot be activated by default (would be nice, but I will have to check if/how that's legally safe for me to do). A general risk of not being able to directly notify users about the need for a security update was always present, but I expected users to more or less frequently check for new releases to update the included VatSpy database anyway, and all probable attack vectors I thought of in the past also would not have required such immediate action. In addition to a general update check I will probably also include a killswitch for the unlikely event that another highly critical security issue pops up in the future which (as in this case) requires discontinuing use of affected versions immediately.

The current security issue really is the worst-case scenario. Exploitation does not depend on any specific setup or configuration. All users are affected, no matter how they configured and how secure they may have kept the proxy.

  • 1 month later...

Release 0.95.6 now understands the incomplete timestamps present for some pilots since the Velocity update (time zone is missing, the proxy now simply assumes UTC was meant). This fixes pilots not correctly being seen online by status clients (although QuteScoop still showed those pilots on the map).

Log4j has been updated again to the latest release, fixing 3 more security vulnerabilities which did not affect the proxy server (unless you had changed logging configurations in weird ways).

Please ignore the message regarding FIR ZWAK which is being caused by a broken reference in Vat-Spy data and has already been reported upstream. This will probably be fixed with the next AIRAC cycle.

Important announcement to all QuteScoop users:

QuteScoop just released a new version which adds native support for JSON v3 and no longer requires the proxy server as a workaround. Please try that new release as it will probably make your life a little bit easier again. :)

If you no longer need the proxy server you can simply delete the .jar and .properties file to "uninstall" it.

Although a large part of the proxy server's user base probably needed it for QuteScoop, the proxy server will continue to be supported. For example, QuteScoop does not have a Mac release yet (which hopefully should not take long; testers are needed) and some people also still prefer to use other legacy viewers like ServInfo. In the future, the proxy may also become useful again if VATSIM should stop providing status information in the current (or future) data formats while some status viewers are stuck with those formats (i.e. a situation similar to the one we had last year with JSON v3). The only requirement to make that work is that status viewers still allow users to enter an alternate download URL for VATSIM data.
