HP Secure Web Server V2.0 for OpenVMS
Update 01 Release Notes
September 10, 2004

Based on Apache V2.0.47
-----------------------

This is a security update kit for Secure Web Server V2.0 for OpenVMS.

Documentation for Secure Web Server, including the Installation and
Configuration Guide, SSL User Guide, and Release Notes, is available in
HTML, PDF and PostScript format from:

    http://www.hp.com/products/openvms/securewebserver

Problems Corrected
------------------

This update contains software fixes for the security vulnerabilities
detailed below.

1. CAN-2004-0488: ssl_uuencode__binary() buffer-overflow.

   For additional information, see:
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0488

2. CAN-2004-0786: HTTP header parsing buffer-overflow.

   For additional information, see:
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0786

Known Problems and Restrictions
-------------------------------

1. Microsoft Internet Explorer browsers may display a "Page cannot be
   displayed" message following an SSL (HTTPS) connection that has been
   disconnected due to a keepalive timeout. This can be avoided by adding
   one of the following directives to your mod_ssl.conf file:

       SetEnvIf User-Agent ".*MSIE.*" nokeepalive
       SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown

Installation instructions
-------------------------

To install the kit, do the following:

    $ @SYS$STARTUP:APACHE$SHUTDOWN
    $ PRODUCT INSTALL CSWS20_UPDATE
    $ @SYS$STARTUP:APACHE$STARTUP