HP Secure Web Server Version 1.3-1 for OpenVMS Alpha
[based on Apache]
Update 02 Release Notes

November 06, 2006

Based on Apache V1.3.26 and mod_ssl 2.8.10

----------------------------------------------

Problems Corrected
------------------

This update contains software fixes for the security vulnerabilities
detailed below as well as software fixes for general problems.

1. Apache server process hangs when using PHP_OCI8 extension with
   Oracle OCI API.

   The PHP_OCI extension may be used with Oracle's OCI API library.
   Oracle's OCI shareable image dynamically activates POSIX threads
   within the Apache server process. This may cause the server process
   to hang in certain circumstances, in particular when the Apache
   timeout expires on a slow-drip client.

2. Fix for CVE-2006-3918 affecting Apache HTTP server 1.3.

   This problem occurs because the server does not sanitize the Expect
   header from an HTTP request when it is reflected back in an error
   message, which might allow cross-site scripting (XSS) style attacks
   using web client components that can send arbitrary headers in
   requests.

Known Problems and Restrictions
-------------------------------

1. APACHE$CONFIG FLUSH and NEW commands can corrupt access and error
   log files

   Issuing APACHE$CONFIG FLUSH or NEW commands while Apache servers are
   busy handling requests may corrupt the access and error log files by
   redirecting output from one to the other or redirecting script
   output to the error log. Hewlett Packard recommends that these
   commands not be used until a fix is available.

   This will be corrected in a future release.

2. Microsoft Internet Explorer browsers may display a "Page cannot be
   displayed" message following an SSL (HTTPS) connection that has been
   disconnected due to a keepalive timeout.

   This can be avoided by adding one of the following directives to
   your mod_ssl.conf file:

     SetEnvIf User-Agent ".*MSIE.*" nokeepalive
     SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown

Installation instructions
-------------------------

To install the kit, do the following:

  $ @SYS$STARTUP:APACHE$SHUTDOWN
  $ PRODUCT INSTALL CSWS131_UPDATE
  $ @SYS$STARTUP:APACHE$STARTUP

----------------------------------------------

Complete documentation for SWS, including the Installation and
Configuration Guide, SSL User Guide, and Release Notes, is available
in HTML, PDF and PostScript format from:

  http://h71000.www7.hp.com/openvms/products/ips/apache/csws.html
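
The CVE-2006-3918 item under Problems Corrected concerns an Expect header value reflected into an error message without sanitizing. The following C example is added here and is not HP's or Apache's code: it HTML-escapes the header value before placing it in the error body. The function names, buffer sizes and error-page text are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* HTML-escape `in` into `out`; returns 0 on success, -1 if `out` is too small. */
static int html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };   /* default: copy the byte unchanged */
        const char *rep = one;
        size_t n;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        n = strlen(rep);
        if (o + n >= outsz)
            return -1;                 /* never emit a truncated entity */
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Hypothetical error-page builder: the Expect value is reflected only after escaping. */
int build_expect_error(const char *expect, char *body, size_t bodysz)
{
    char safe[512];
    int n;
    if (html_escape(expect, safe, sizeof safe) != 0)
        return -1;                     /* oversized header: reject rather than truncate */
    n = snprintf(body, bodysz,
        "<h1>417 Expectation Failed</h1>\n<pre>Expect: %s</pre>\n", safe);
    return (n < 0 || (size_t)n >= bodysz) ? -1 : 0;
}

int main(void)
{
    char body[1024];
    /* Constructed sample header value containing markup. */
    if (build_expect_error("<script>x</script>", body, sizeof body) == 0)
        fputs(body, stdout);
    return 0;
}
```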