CSWS_PHP V1.3 for HP Secure Web Server on OpenVMS Alpha
Update 02 Release Notes
April 2008

Based on PHP V4.3.10
--------------------

For more information about PHP, see http://www.php.net.

For information about installing and configuring PHP with CSWS, see the
CSWS_PHP Installation Guide and Release Notes at
http://www.hp.com/products/openvms/php

Problems Corrected
------------------

This update contains software fixes for the security vulnerabilities
detailed below as well as software fixes for general problems.

1. CVE-2007-3378: Vulnerabilities in the session_save_path, ini_set, and
   error_log functions in PHP 4.3.10

   For additional information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3378

2. CVE-2007-2872: Multiple integer overflows in the chunk_split function
   in PHP 4.3.10

   For additional information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2872

3. CVE-2007-2756: Vulnerability in the gdPngReadData function in the GD
   library (libgd)

   For additional information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756

4. CVE-2007-1001: Multiple integer overflows in the createwbmp and
   readwbmp functions in the GD library (libgd)

   For additional information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001

5. CVE-2007-0455: Buffer overflow in the gdImageStringFTEx function in
   the GD library (libgd)

   For additional information, see:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455

6. Channel leak problem in CSWS_PHP when the "DocumentRoot" directive in
   Apache's "httpd.conf" pointed to multiple locations. Each PHP request
   was leaking channels, and the Apache server reported a "403 Forbidden"
   error after the limit set by the "CHANNELCNT" system parameter was
   reached.

7. HTTPS link redirection was failing in PHP scripts with the following
   messages:

   Warning: file_get_contents():php_stream_sock_ssl_activate_with_method: failed to create an SSL context
   Warning: file_get_contents: failed to open stream: Unable to activate SSL mode

8. Enhance the PHP_GD extension

   In V1.3 of CSWS_PHP the PHP_GD extension was added; however, several
   graphics libraries were not included for use by that extension. This
   patch kit adds a much more complete PHP_GD extension for PHP with
   support for:

      GIF  - Graphics Interchange Format
      JPEG - Joint Photographic Experts Group
      PNG  - Portable Network Graphics
      WBMP - Wireless BitMap
      XBM  - X BitMap
      XPM  - X PixMap

9. High performance arithmetic trap, -SYSTEM-F-HPARITH, in PHP when using
   the is_numeric() function with a large number as the argument on
   OpenVMS Alpha.

Installation instructions
-------------------------

To install the kit, do the following:

   $ @SYS$STARTUP:APACHE$SHUTDOWN
   $ PRODUCT INSTALL CSWS_PHP13_UPDATE
   $ @SYS$STARTUP:APACHE$STARTUP