Compaq Secure Web Server Version 1.3 for OpenVMS Alpha [based on Apache]
Update 06 Release Notes
August 31, 2004

Based on Apache V1.3.26 and mod_ssl 2.8.10

----------------------------------------------

Problems Corrected
------------------

This update contains software fixes for the security vulnerabilities
detailed below as well as software fixes for general problems.

1. mod_ssl handshake timeout denial-of-service

   SSL (HTTPS) connections did not time out during the SSL handshake
   phase. A connection on which the client never completed the
   handshake stayed open until the client closed it or the server was
   restarted, so one or more clients opening enough idle connections to
   reach the MaxClients limit could deny service to every other client.

   This problem is corrected. The handshake timeout interval defaults to
   300 seconds (5 minutes) and is adjustable using the Timeout directive
   in the httpd.conf file.

2. mod_ssl keepalive timeout causes server process termination

   SSL (HTTPS) connections that received a keepalive timeout caused the
   Apache server process handling them to terminate and be restarted,
   degrading performance. The following entry appeared in the error log
   file:

   [Thu Dec 12 16:34:28 2002] [notice] child pid 224042c5 exit signal Bad system call (12, 0x1000000C)

   This problem is corrected. As a result of this fix, the SSL engine
   log file will contain an I/O error entry for each keepalive timeout,
   because the pending read on the socket is cancelled. These entries
   are a consequence of the fix, not a new fault.

3. Cross-site scripting vulnerability in Apache default error page
   (CAN-2002-0840)

   The default error page echoed the server name taken from the
   request's Host header without sanitizing it, which allowed script
   injection when UseCanonicalName was Off. This problem is corrected.

   For additional information, see:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2002-0840

4. OpenSSL vulnerabilities: buffer-overflow and timing attacks
   (CERT advisory CA-2002-23, CVE advisories CAN-2003-0078,
   CAN-2003-0147, CAN-2003-0131)

   This problem is corrected. The OpenSSL library included in this kit
   contains OpenSSL version 0.9.6b with the above patches.

   For additional information, see:

   http://www.kb.cert.org/vuls/id/102795
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2003-0078
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2003-0147
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2003-0131

5. Problem with server-side "exec cmd" with .shtml files on alternate
   device with no [APACHE] directory

   Using an alternate device for .shtml files caused the following error
   when the .shtml file contained "exec cmd" statements:

   %DCL-E-OPENOUT, error opening :.DAT; as output
   -RMS-E-DNF, directory not found
   SYSTEM-W-NOSUCHFILE, no such file

   This problem is corrected.

6. Inability to specify process priority of APACHE server processes

   The startup procedure did not honor the UAF priority value for the
   APACHE$WWW account. The process priority of Apache was instead capped
   by the priority of the process starting Apache (usually SYSTEM).

   This problem is corrected. The priority value specified for the
   APACHE$WWW account in the SYSUAF.DAT file is now used to set the
   priority of the Apache server processes.

7. mod_auth_openvms does not allow the use of 'dynamic' rights
   identifiers

   It was not possible to use rights identifiers having the 'dynamic'
   attribute in a 'require group' directive. Identifiers with the
   'dynamic' attribute are now allowed.

8. Access violation during CGI script execution

   Under certain conditions, CGI scripts encountered an access violation
   exception, seen in the error log as:

   [Tue Jan 28 00:32:23 2003] [error] [client x.x.x.x] %SYSTEM-F-ACCVIO, access violation, reason mask=00, virtual address=000000005647EE56, PC=00000000000FC678, PS=0000001B

   This problem is corrected.

9. Server startup delay reading very large RIGHTSLIST.DAT

   During server startup, the initialization routine scans the
   RIGHTSLIST.DAT database looking for all UICs that are members of the
   server's UIC group. For sites with a very large RIGHTSLIST.DAT
   database, this scan can delay startup by several minutes.

   The UIC group member lookup exists only to provide latent support for
   the internal getgrnam() and getgrgid() C run-time calls. The scan can
   be disabled without adversely affecting server operation by defining
   the following logical name:

   Name                         Value
   ---------------------------  -----
   APACHE$IGNORE_GROUP_MEMBERS  1

   The logical name can be defined system-wide prior to server startup
   or placed in APACHE$ROOT:[000000]LOGIN.COM.

10. OpenSSL vulnerabilities: ASN.1 vulnerabilities
    (CERT advisory CA-2003-26, CVE advisories CAN-2003-0543,
    CAN-2003-0544, CAN-2003-0545)

    This problem is corrected. The OpenSSL library included in this kit
    contains OpenSSL version 0.9.6g with the above patches.

    For additional information, see:

    http://www.openssl.org/news/secadv_20030930.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
    http://www.cert.org/advisories/CA-2003-26.html

11. External authentication accounts not used for basic authentication

    By default, mod_auth_openvms does not allow user accounts that use
    external authentication (EXTAUTH flag set in the SYSUAF record) to
    be used for basic authentication. This default can be overridden by
    defining the following executive-mode logical name:

    Name                                  Value
    ------------------------------------  -----
    APACHE$MODAUTHVMS_EXTAUTH_USE_SYSUAF  1

    The logical name must be defined system-wide prior to server
    startup. When this logical name is defined, mod_auth_openvms
    authenticates against the password stored in the user's SYSUAF
    record instead of the external password. The SYSUAF password may be
    stale if the user has not logged into the system recently, so
    basic authentication may succeed with a password the user no longer
    uses externally; enable this only where that is acceptable.

12. CGI script file lookups are case-sensitive outside of /cgi-bin/

    When CGI scripts were located outside of the /cgi-bin/ directory,
    file lookups based on the URL were case-sensitive, when they should
    be case-insensitive on OpenVMS (to be compatible with ODS-2).

    This problem is corrected.

13. mod_ssl vulnerabilities: ssl_util_uuencode_binary() buffer-overflow
    and ssl_log() format string error (CVE advisories CAN-2004-0488,
    CAN-2004-0700)

    Patches have been applied to correct these problems.

    For additional information, see:

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0488
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0700

Known Problems and Restrictions
-------------------------------

1. APACHE$CONFIG FLUSH and NEW commands can corrupt access and error
   log files

   Issuing APACHE$CONFIG FLUSH or NEW commands while Apache servers are
   busy handling requests may corrupt the access and error log files by
   redirecting output from one to the other, or by redirecting script
   output to the error log. Hewlett Packard recommends that these
   commands not be used until a fix is available. This will be
   corrected in a future release.

2. Microsoft Internet Explorer browsers may display a "Page cannot be
   displayed" message following an SSL (HTTPS) connection that has been
   disconnected due to a keepalive timeout.

   This can be avoided by adding one of the following directives to
   your mod_ssl.conf file:

   SetEnvIf User-Agent ".*MSIE.*" nokeepalive
   SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown

   The first disables keepalive for Internet Explorer clients; the
   second makes mod_ssl close those connections without sending the SSL
   close-notify alert, which IE does not handle correctly.

Installation instructions
-------------------------

To install the kit, do the following:

   $ @SYS$STARTUP:APACHE$SHUTDOWN
   $ PRODUCT INSTALL CSWS13_UPDATE
   $ @SYS$STARTUP:APACHE$STARTUP

----------------------------------------------

Complete documentation for CSWS, including the Installation and
Configuration Guide, SSL User Guide, and Release Notes, is available in
HTML, PDF and PostScript format from:

http://h71000.www7.hp.com/openvms/products/ips/apache/csws_doc.html
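The following is an added example, not part of these release notes or of the CSWS or Apache code, that illustrates the idle-handshake failure mode described in corrected problem 1 and gives a way to verify the fix. A client that connects to an HTTPS port and never sends a ClientHello should be dropped once the Timeout interval elapses; an unpatched server keeps such connections open indefinitely, which is what lets a few idle clients consume the MaxClients slots. To keep the example runnable offline, a constructed SimulatedListener stands in for the web server and reproduces both behaviours; the probe function itself can be pointed at a real host and port 443, with `wait` set somewhat longer than the configured Timeout.

```python
"""Probe whether a TLS listener drops a connection that never starts the
handshake (added example; the listener below is a constructed stand-in
for the CSWS/Apache server, not the server's own code)."""
import socket
import threading


def probe_idle_handshake(host, port, wait):
    """Connect, send nothing, and report whether the server closes the
    connection within `wait` seconds.

    Returns True when the peer closed the socket (a handshake timeout is
    enforced) and False when the connection is still open after `wait`
    (the unpatched behaviour: the slot stays occupied until we hang up)."""
    with socket.create_connection((host, port), timeout=wait + 1) as s:
        s.settimeout(wait)
        try:
            data = s.recv(1)          # blocks until the peer closes or wait expires
        except socket.timeout:
            return False              # still open: no handshake timeout in force
        return data == b""            # b"" is an orderly close by the peer


class SimulatedListener:
    """Constructed stand-in for an HTTPS listener on 127.0.0.1.

    idle_timeout=None  -> holds every connection open until the client
                          hangs up (unpatched behaviour from problem 1)
    idle_timeout=N     -> closes a connection that sends nothing within
                          N seconds (the corrected behaviour; Apache's
                          Timeout directive plays this role)"""

    def __init__(self, idle_timeout=None):
        self.idle_timeout = idle_timeout
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))      # ephemeral port, read back below
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self._stop = False
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        self.sock.settimeout(0.1)             # poll so close() can stop the loop
        while not self._stop:
            try:
                conn, _ = self.sock.accept()
            except OSError:                   # accept timeout or socket closed
                continue
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        # A real server would read the ClientHello here. With no idle
        # timeout the read blocks forever; with one, the timeout fires and
        # leaving the `with` block closes the socket, freeing the slot.
        with conn:
            conn.settimeout(self.idle_timeout)
            try:
                conn.recv(1)
            except socket.timeout:
                pass

    def close(self):
        self._stop = True
        self.sock.close()


def compare_behaviours(wait=1.0, fixed_timeout=0.3):
    """Run the probe against both listener variants and return
    (unpatched_closed, patched_closed); expected (False, True)."""
    results = []
    for idle in (None, fixed_timeout):
        srv = SimulatedListener(idle_timeout=idle)
        try:
            results.append(probe_idle_handshake("127.0.0.1", srv.port, wait))
        finally:
            srv.close()
    return tuple(results)


if __name__ == "__main__":
    unpatched, patched = compare_behaviours()
    print("unpatched listener dropped idle connection:", unpatched)
    print("patched listener dropped idle connection:  ", patched)
```

Against a production server, run the probe from a host that is allowed to reach the listener, use a `wait` a few seconds longer than the Timeout value in httpd.conf, and expect True; a False result means idle connections are still counted against MaxClients for as long as the client cares to hold them.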