HP Secure Web Server Version 2.1-1 for OpenVMS Integrity [based on Apache] Update 02 Release Notes April 2008 Based on Apache V2.0.52 -------------------------------------- Complete documentation for CSWS, including the Installation and Configuration Guide, SSL User Guide, and Release Notes, is available in HTML and PDF format from: http://h71000.www7.hp.com/openvms/products/ips/apache/csws_doc.html Problems Corrected: ------------------ This update contains software fixes for the security vulnerabilities detailed below as well as software fixes for general problems. 1. CVE-2006-5752: Cross-site scripting (XSS) vulnerability in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used. For additional information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752 2. CVE-2007-5000: Cross-site scripting (XSS) vulnerability in the mod_imap module in the Apache HTTP Server. For additional information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000 3. CVE-2007-6388: Cross-site scripting (XSS) vulnerability in the mod_status module in the Apache HTTP when the server-status page is enabled. For additional information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388 4. CVE-2008-0005: The mod_proxy_ftp module in Apache does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding. For additional information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005 5. CVE-2006-3747: Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache when RewriteEngine is enabled. For additional information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747 6. CVE-2005-3352: Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps. For additional information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352 7. CVE-2005-2088: The Apache HTTP server when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." For additional information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088 8. CVE-2006-3918 - The Apache HTTP Server does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests. For additional information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918 9. A Perfomance problem occurred in CSWS 2.1-1 because APACHE$SWSxxxx processes were consuming a lot of CPU while synchronising on APACHE$WWW processes. The APACHE$SWSxxxx processes were waiting for the APACHE$WWW processes by checking a logical APACHE$DCL_SYNC_XXXXXXXX in a tight loop without a pause. 10. Mixed case password authentication is now supported with mod_auth_openvms. 11. Mod_auth_openvms was not properly recording the date and time stamp for last non-interactive logins. 12. Chunked transfer-encoding was incorrectly sent to HTTP/1.0 clients for variable-length record format files. Variable-length format files served to HTTP/1.0 clients will not be sent with chunked transfer-encoding now. Instead, the Content-Length header will indicate the correct file content size (ignoring record format meta data). 13. Zero-length files caused server processes to become CPU-bound and hang. Installation instructions: ------------------------- To install the kit, type the following: $ @SYS$STARTUP:APACHE$SHUTDOWN $ PRODUCT INSTALL CSWS211_UPDATE $ @SYS$STARTUP:APACHE$STARTUP -----------------------------------------------