HP Secure Web Server Version 1.3-1 for OpenVMS Alpha [based on Apache]
Update 03 Release Notes
March 2010

Based on Apache V1.3.26 and mod_ssl 2.8.10

----------------------------------------------

Problems Corrected
------------------

This update contains software fixes for the security vulnerabilities detailed below as well as software fixes for general problems.

1. Fix for CVE-2002-0839. The shared memory scoreboard in the HTTP daemon for Apache 1.3.26 allows any user running as the Apache UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or possibly other behaviors that would not normally be allowed, by modifying the parent[].pid and parent[].last_rtime segments in the scoreboard.

2. Fix for CVE-2002-0840. Cross-site scripting (XSS) vulnerability in the default error page of Apache 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header.

3. Fix for CVE-2003-0542. Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache 1.3.26 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.

4. Fix for CVE-2004-0492. Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.26 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.

5. Fix for CVE-2010-0010. Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server 1.3.26 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.

6. Fix for CVE-2006-3747. Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.

7. Fix for CVE-2005-3352. Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache 1.3 allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.

8. Fix for CVE-2005-3357. mod_ssl in Apache 1.3, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference.

9. Fix for CVE-2007-6388. Cross-site scripting (XSS) vulnerability in mod_status in Apache 1.3, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

10. Fix for CVE-2007-5000. Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in Apache 1.3 and the (2) mod_imagemap module in Apache 1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

11. Fix for CVE-2008-0005. mod_proxy_ftp in Apache 1.3 does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding.

12. Fix for CVE-2005-2491. Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.

13. Fix for CVE-2006-2937. OpenSSL 0.9.7d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.

14. Fix for CVE-2006-2940. OpenSSL 0.9.7d allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.

15. Fix for CVE-2006-3738. Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7d has unspecified impact and remote attack vectors involving a long list of ciphers.

16. Fix for CVE-2006-4343. The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7d allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.

17. Fix for CVE-2006-4339. OpenSSL 0.9.7d, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.

18. Apache server process hangs when using the PHP_OCI8 extension with the Oracle OCI API. The PHP_OCI extension may be used with Oracle's OCI API library. Oracle's OCI shareable image dynamically activates POSIX threads within the Apache server process. This may cause the server process to hang in certain circumstances, in particular when the Apache timeout expires on a slow-drip client.

19. Fix for CVE-2006-3918 affecting Apache HTTP server 1.3. This problem occurs because the server does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests.

Known Problems and Restrictions
-------------------------------

1. APACHE$CONFIG FLUSH and NEW commands can corrupt access and error log files.
   Issuing APACHE$CONFIG FLUSH or NEW commands while Apache servers are busy handling requests may corrupt the access and error log files by redirecting output from one to the other or redirecting script output to the error log. Hewlett Packard recommends that these commands not be used until a fix is available. This will be corrected in a future release.

2. Microsoft Internet Explorer browsers may display a "Page cannot be displayed" message following an SSL (HTTPS) connection that has been disconnected due to a keepalive timeout. This can be avoided by adding one of the following directives to your mod_ssl.conf file:

   SetEnvIf User-Agent ".*MSIE.*" nokeepalive
   SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown

Installation instructions
-------------------------

To install the kit, perform the following:

$ @SYS$STARTUP:APACHE$SHUTDOWN
$ PRODUCT INSTALL CSWS131_UPDATE
$ @SYS$STARTUP:APACHE$STARTUP

----------------------------------------------

Complete documentation for SWS, including the Installation and Configuration Guide, SSL User Guide, and Release Notes, is available in HTML, PDF and PostScript format from:

http://h71000.www7.hp.com/openvms/products/ips/apache/csws.html
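The following configuration fragment is an added illustration, not part of HP's kit or these release notes: it places the MSIE keepalive workaround from Known Problems item 2 next to the httpd.conf settings that the corrected-problem descriptions above name as preconditions (UseCanonicalName "Off" for CVE-2002-0840, an enabled server-status page for CVE-2007-6388, RewriteEngine on for CVE-2006-3747). The ServerName value and the 127.0.0.1 allow list are assumptions; replace them with your own.

```apache
# Added example (constructed; not from HP CSWS or the Apache project).
# Apache 1.3 does not accept trailing comments, so every comment is on its own line.

# --- Weak settings that match the preconditions named in the release notes ---
# UseCanonicalName Off
# <Location /server-status>
#     SetHandler server-status
# </Location>
# RewriteEngine On

# --- Hardened counterparts (httpd.conf) ---
# CVE-2002-0840: the default error page XSS requires UseCanonicalName Off plus
# wildcard DNS. With it On, self-referential URLs come from ServerName rather
# than the client-supplied Host: header. ServerName below is an assumed value.
UseCanonicalName On
ServerName www.example.com

# CVE-2007-6388: if the server-status page must stay enabled, restrict who can
# reach it instead of exposing it to every client (allow list is an assumption).
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>

# CVE-2006-3747 and CVE-2003-0542 are reachable only through mod_rewrite rules;
# keep RewriteEngine Off in any scope that does not need rewriting.
RewriteEngine Off

# --- Known Problems item 2 (mod_ssl.conf): use exactly one of the two lines ---
SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
# SetEnvIf User-Agent ".*MSIE.*" nokeepalive
```

After editing, apply the change with the documented restart sequence (APACHE$SHUTDOWN followed by APACHE$STARTUP) so the running server picks up the new directives.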