HP Secure Web Server Version 2.1-1
      for OpenVMS Alpha [based on Apache]

      Update 02

      Release Notes

      April 2008

      Based on Apache V2.0.52

      --------------------------------------

      Complete documentation for CSWS, including the Installation
      and Configuration Guide, SSL User Guide, and Release Notes,
      is available in HTML and PDF format from:

      http://h71000.www7.hp.com/openvms/products/ips/apache/csws_doc.html



      Problems Corrected:
      ------------------

      This update contains software fixes for the security vulnerabilities
      detailed below as well as software fixes for general problems.

      1. CVE-2006-5752: Cross-site scripting (XSS) vulnerability in the mod_status module 
         in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public 
         server-status page is used.

         For additional information, see:

         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752

      
      2. CVE-2007-5000: Cross-site scripting (XSS) vulnerability in the mod_imap module 
         in the Apache HTTP Server.

         For additional information, see:

         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000


      3. CVE-2007-6388: Cross-site scripting (XSS) vulnerability in the mod_status module
         in the Apache HTTP when the server-status page is enabled.

         For additional information, see:

         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388


      4. CVE-2008-0005: The mod_proxy_ftp module in Apache does not define a charset, 
         which allows remote attackers to conduct cross-site scripting (XSS) attacks using 
         UTF-7 encoding. 

         For additional information, see:

         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005


      5. CVE-2006-3747: Off-by-one error in the ldap scheme handling in the Rewrite module 
         (mod_rewrite) in Apache when RewriteEngine is enabled.

         For additional information, see:

         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747


      6. CVE-2005-3352: Cross-site scripting (XSS) vulnerability in the mod_imap module of 
         Apache allows remote attackers to inject arbitrary web script or HTML via the Referer 
         when using image maps. 

         For additional information, see:

         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352


      7. CVE-2005-2088: The Apache HTTP server when acting as an HTTP proxy, allows remote 
         attackers to poison the web cache, bypass web application firewall protection, and 
         conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header 
         and a Content-Length header, which causes Apache to incorrectly handle and forward the 
         body of the request in a way that causes the receiving server to process it as a separate 
         HTTP request, aka "HTTP Request Smuggling." 

         For additional information, see:

         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088


      8. CVE-2006-3918 - The Apache HTTP Server does not sanitize the Expect header from an HTTP 
         request when it is reflected back in an error message, which might allow cross-site scripting 
         (XSS) style attacks using web client components that can send arbitrary headers in requests.

         For additional information, see:

         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918


      9. A Perfomance problem occurred in CSWS 2.1-1 because APACHE$SWSxxxx processes were consuming 
         a lot of CPU while synchronising on APACHE$WWW processes. The APACHE$SWSxxxx processes were 
         waiting for the APACHE$WWW processes by checking a logical  APACHE$DCL_SYNC_XXXXXXXX in a tight 
         loop without a pause.  	


      10. Mixed case password authentication is now supported with mod_auth_openvms.

 
      11. Mod_auth_openvms was not properly recording the date and time stamp for last non-interactive logins.


      12. Chunked transfer-encoding was incorrectly sent to HTTP/1.0 clients for variable-length record 
          format files.

          Variable-length format files served to HTTP/1.0 clients will not be sent with chunked 
          transfer-encoding now. Instead, the Content-Length header will indicate the correct file content 
          size (ignoring record format meta data).


      13. Zero-length files caused server processes to become CPU-bound and hang.



          

      Installation instructions:
      -------------------------

      To install the kit, type the following:

         $ @SYS$STARTUP:APACHE$SHUTDOWN
         $ PRODUCT INSTALL CSWS211_UPDATE
         $ @SYS$STARTUP:APACHE$STARTUP

      -----------------------------------------------