Compaq Secure Web Server Version 1.2 for OpenVMS Alpha [based on Apache]
Update 08 Release Notes
August 31, 2004

Based on Apache V1.3.20 and mod_ssl 2.8.4

----------------------------------------------

Problems Corrected
------------------

This update contains software fixes for the security vulnerabilities
detailed below as well as software fixes for general problems.

1. mod_ssl buffer overflow

   mod_ssl (www.modssl.org) is a commonly used Apache module that
   provides strong cryptography for the Apache web server. The module
   uses OpenSSL (formerly SSLeay) for the SSL implementation. mod_ssl
   versions prior to 2.8.7-1.3.23 (Feb 23, 2002) use the underlying
   OpenSSL routines in a manner that could overflow a buffer within the
   implementation. See

      http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html

   for more details.

2. Privileged routine access

   The APACHE$PLV_ENABLE_APACHE$WWW logical name controls access to a
   small number of privileged routines in the APACHE$PRIVILEGED.EXE_ALPHA
   image. In certain situations, it was possible for a process running
   under the APACHE$WWW username to access these routines after the
   system manager had disabled them. (By default, these routines are
   enabled.)

3. FakeBasicAuth option does not work with directory indexing

   When using SSLOptions +FakeBasicAuth with certificate-based client
   authentication, directory index operations fail with a "Forbidden"
   error, while access to explicit URLs within the same directory
   succeeds.

4. Chunking buffer overflow (CERT Advisory CA-2002-17)

   Versions of the Apache web server up to and including 1.3.24, and
   2.0 up to and including 2.0.36, contain a bug in the routines that
   handle requests encoded using chunked encoding. The bug can be
   triggered remotely, and chunked encoding is enabled by default. See

      http://httpd.apache.org/info/security_bulletin_20020620.txt

   for more details.

5. mod_ssl handshake timeout

   SSL (HTTPS) connections did not time out during the SSL handshake
   phase, so a connection stalled in the handshake remained open until
   the client closed it or the server was restarted. This can result in
   a denial of service when one or more clients open enough such
   connections to reach the MaxClients limit.

   This problem is corrected. The handshake timeout defaults to 300
   seconds (5 minutes) and is adjustable using the Timeout directive in
   the httpd.conf file.

6. mod_ssl keepalive timeout causes server process termination

   An SSL (HTTPS) connection that reached its keepalive timeout caused
   the Apache server process to terminate and restart, degrading
   performance. The following entry appears in the error log file:

      [Thu Dec 12 16:34:28 2002] [notice] child pid 224042c5 exit signal Bad system call (12, 0x1000000C)

   This problem is corrected. As a result of this fix, the SSL engine
   log file will contain an I/O error entry for each keepalive timeout,
   caused by the cancellation of a pending read on the socket.

7. OpenSSL vulnerabilities: buffer overflow and timing attacks
   (CERT advisory CA-2002-23, CVE candidates CAN-2003-0078,
   CAN-2003-0147, CAN-2003-0131)

   This problem is corrected. The OpenSSL library included in this kit
   is OpenSSL version 0.9.6b with the above patches applied. For
   additional information, see:

      http://www.kb.cert.org/vuls/id/102795
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2003-0078
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2003-0147
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2003-0131

8. Access violation during CGI script execution

   Under certain conditions, CGI scripts may encounter an access
   violation exception, seen in the error log as:

      [Tue Jan 28 00:32:23 2003] [error] [client x.x.x.x] %SYSTEM-F-ACCVIO, access violation, reason mask=00, virtual address=000000005647EE56, PC=00000000000FC678, PS=0000001B

   This problem is corrected.

9. OpenSSL vulnerabilities: ASN.1 vulnerabilities
   (CERT advisory CA-2003-26, CVE candidates CAN-2003-0543,
   CAN-2003-0544, CAN-2003-0545)

   This problem is corrected. The OpenSSL library included in this kit
   is OpenSSL version 0.9.6g with the above patches applied. For
   additional information, see:

      http://www.openssl.org/news/secadv_20030930.txt
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
      http://www.cert.org/advisories/CA-2003-26.html

10. mod_ssl vulnerabilities: ssl_uuencode_binary() buffer overflow and
    ssl_log() format string error (CVE candidates CAN-2004-0488,
    CAN-2004-0700)

    Patches have been applied to correct these problems. For additional
    information, see:

      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0488
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0700

Known Problems and Restrictions
-------------------------------

1. APACHE$CONFIG FLUSH and NEW commands can corrupt access and error
   log files

   Issuing APACHE$CONFIG FLUSH or NEW commands while Apache servers are
   busy handling requests may corrupt the access and error log files by
   redirecting output from one to the other, or by redirecting script
   output to the error log. Hewlett Packard recommends that these
   commands not be used until a fix is available. This will be
   corrected in a future release.

2. Microsoft Internet Explorer browsers may display a "Page cannot be
   displayed" message following an SSL (HTTPS) connection that has been
   disconnected due to a keepalive timeout.

   This can be avoided by adding one of the following directives to
   your mod_ssl.conf file:

      SetEnvIf User-Agent ".*MSIE.*" nokeepalive
      SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown

Installation instructions
-------------------------

To install the kit, do the following:

   $ @SYS$STARTUP:APACHE$SHUTDOWN
   $ PRODUCT INSTALL CSWS12_UPDATE
   $ @SYS$STARTUP:APACHE$STARTUP

----------------------------------------------

Complete documentation for CSWS, including the Installation and
Configuration Guide, SSL User Guide, and Release Notes, is available in
HTML, PDF and PostScript format from:

   http://h71000.www7.hp.com/openvms/products/ips/apache/csws_doc.html
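Added example (not part of the HP/Compaq kit or of Apache): a small script that scans an Apache 1.3 error log for the two failure signatures quoted in items 6 and 8 under Problems Corrected, so an administrator can count them before and after installing Update 08 and confirm the child terminations and CGI access violations have stopped. The sample log text is constructed from the two entries quoted in the notes plus two ordinary Apache lines; the location of the real CSWS error log is not assumed, pass it on the command line.

```python
"""Scan an Apache 1.3 error log for the two failure signatures quoted in
items 6 and 8 of the CSWS 1.2 Update 08 release notes.

Added example, not part of the CSWS kit. SAMPLE_LOG is constructed from
the two entries quoted in the notes plus ordinary noise lines so the
script runs offline.
"""
import re
import sys

# Item 6: an SSL keepalive timeout killed the child with "Bad system call".
CHILD_BADSYS = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>[0-9a-fA-F]+) "
    r"exit signal Bad system call \((?P<sig>\d+), (?P<code>0x[0-9A-Fa-f]+)\)$"
)

# Item 8: a CGI script died with an OpenVMS access violation (%SYSTEM-F-ACCVIO).
CGI_ACCVIO = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"%SYSTEM-F-ACCVIO, access violation, reason mask=(?P<mask>[0-9A-Fa-f]+), "
    r"virtual address=(?P<va>[0-9A-Fa-f]+), PC=(?P<pc>[0-9A-Fa-f]+), "
    r"PS=(?P<ps>[0-9A-Fa-f]+)$"
)

SIGNATURES = {"badsys": CHILD_BADSYS, "accvio": CGI_ACCVIO}


def classify(line):
    """Return (kind, fields) for a line matching a signature, else (None, None)."""
    line = line.rstrip("\r\n")
    for kind, pattern in SIGNATURES.items():
        m = pattern.match(line)
        if m:
            return kind, m.groupdict()
    return None, None


def scan_lines(lines):
    """Collect the parsed fields of every matching line, grouped by kind."""
    hits = {kind: [] for kind in SIGNATURES}
    for line in lines:
        kind, fields = classify(line)
        if kind:
            hits[kind].append(fields)
    return hits


def scan_text(text):
    return scan_lines(text.splitlines())


# Constructed sample: the two entries quoted in the release notes plus noise.
SAMPLE_LOG = """\
[Thu Dec 12 16:34:28 2002] [notice] child pid 224042c5 exit signal Bad system call (12, 0x1000000C)
[Thu Dec 12 16:34:29 2002] [error] [client 10.0.0.5] File does not exist: /apache$common/htdocs/missing.html
[Tue Jan 28 00:32:23 2003] [error] [client x.x.x.x] %SYSTEM-F-ACCVIO, access violation, reason mask=00, virtual address=000000005647EE56, PC=00000000000FC678, PS=0000001B
[Tue Jan 28 00:32:24 2003] [notice] caught SIGTERM, shutting down
[Thu Dec 12 16:40:01 2002] [notice] child pid 224042c7 exit signal Bad system call (12, 0x1000000C)
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            hits = scan_lines(fh)
    else:
        hits = scan_text(SAMPLE_LOG)
    for kind, entries in hits.items():
        print("%-7s %d" % (kind, len(entries)))
        for e in entries:
            print("    %s  %s" % (e["ts"], e.get("pid") or e.get("client")))
```

A non-zero "badsys" count after the update would mean the keepalive fix is not in effect (for example the old image is still loaded because APACHE$SHUTDOWN was skipped); "accvio" hits after the update point at a CGI problem unrelated to item 8 and deserve their own investigation.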
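Added example for item 4 under Problems Corrected (not Apache code and not a reproduction of the Apache bug): a strict decoder for HTTP/1.1 chunked request bodies. The notes only say that the chunk-handling routines had a remotely triggerable bug; this block shows the validation a body reader needs so that a hostile chunk-size line cannot drive it to a bad length: bounded chunk-size fields, hex parsing that accepts nothing but hex digits (no sign, no prefix, no whitespace), a per-chunk cap, and a cap on the decoded total. The three limits are assumptions chosen for the example.

```python
"""Strict decoder for HTTP/1.1 chunked transfer encoding.

Added example; not Apache code. Illustrates the input validation item 4
of the CSWS notes concerns. The limits below are assumptions.
"""

MAX_SIZE_DIGITS = 8        # assumption: hex digits allowed in a chunk-size field
MAX_CHUNK_SIZE = 1 << 20   # assumption: largest single chunk accepted (1 MiB)
MAX_BODY = 8 << 20         # assumption: largest decoded body accepted (8 MiB)
MAX_TRAILERS = 16          # assumption: trailer header lines accepted after last-chunk
HEX = frozenset(b"0123456789abcdefABCDEF")


class ChunkError(ValueError):
    """Raised for any malformed or over-limit chunked body."""


def parse_chunk_size(line):
    """Parse the chunk-size field of a chunk line, ignoring ';' extensions.

    int(x, 16) alone would accept '-1', ' 1', '0x1' and '1_0'; only pure
    hex digits are allowed here, so the result is always >= 0.
    """
    field = line.split(b";", 1)[0]
    if not field or len(field) > MAX_SIZE_DIGITS:
        raise ChunkError("chunk-size field empty or too long: %r" % line[:32])
    if not set(field) <= HEX:
        raise ChunkError("chunk-size is not plain hexadecimal: %r" % field)
    size = int(field, 16)
    if size > MAX_CHUNK_SIZE:
        raise ChunkError("chunk of %d bytes exceeds limit" % size)
    return size


def decode_chunked(data):
    """Decode a complete chunked body; raise ChunkError on any defect."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("chunk-size line not terminated")
        size = parse_chunk_size(data[pos:eol])
        pos = eol + 2
        if size == 0:
            break
        if len(out) + size > MAX_BODY:
            raise ChunkError("decoded body exceeds limit")
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data truncated or not followed by CRLF")
        out += chunk
        pos += size + 2
    # last-chunk seen: consume optional trailer lines up to the empty line.
    for _ in range(MAX_TRAILERS + 1):
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("trailer section not terminated")
        if eol == pos:
            return bytes(out)
        pos = eol + 2
    raise ChunkError("too many trailer lines")


def try_decode(data):
    """Convenience wrapper: (True, body) or (False, reason)."""
    try:
        return True, decode_chunked(data)
    except ChunkError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs: one well-formed body, then hostile chunk-size lines.
    for sample in (b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n",
                   b"-1\r\n\r\n",
                   b"FFFFFFFFF\r\n\r\n",
                   b"7FFFFFFF\r\n\r\n"):
        print(sample[:12], "->", try_decode(sample))
```

The point of the per-field checks is that the chunk size is attacker-controlled and is used as a length: it must be bounded before it is used to index or copy, not after, and any parse that can yield a negative or wrapped value must be rejected outright.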