Release Notes for Version 5.5.4

Note: This product has been discontinued. Technical Guidance ends July 15th 2018.

Important Support Lifecycle Announcements

All users must note the End of Availability of the Pivotal Web Server product, effective March 1st, 2015. General Support for the Pivotal Web Server releases 5.5 and 6.2 ended on July 15, 2017. Users of previous vFabric Web Server and Pivotal Web Server releases are strongly encouraged to update to the final 6.2.4 release for security fixes.

Note that July 15, 2017 also marked the End of General Support for open source Apache HTTP Server version 2.2. No further 2.2 series releases will occur. All customers seeking ongoing support for open source Apache HTTP Server must migrate to version 2.4 to receive General Support. Only Technical Guidance is available for version 2.2 and will cease on July 15, 2018.

Refer to https://d1fto35gcfffzn.cloudfront.net/support/PivotalLifecycleMatrix.pdf for Pivotal product lifecycle policy and details.

Scope of Changes in Pivotal Web Server Release 5.5.4

Release 5.5.4 was the final bugfix and security release for the subcomponents of the Pivotal Web Server.

SSL Encryption and mod_ssl Configuration

This release includes the updated default configuration and hardening recommendations originally shipped with Pivotal Web Server release 5.5.3. The default extra/httpd-ssl.conf configuration improves the robustness of SSL/TLS cryptography. Users should review existing instances to ensure that mod_ssl settings, including SSLProtocol and SSLCipherSuite, meet or exceed modern guidance. It may be especially helpful to use the instance’s certificate expiration dates to trigger a periodic review of these configurations, since guidance continues to evolve as end users update their browsers and other clients to more modern TLS capabilities.
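
The review described above can be scripted. The following POSIX sh check is an added example, not part of the Pivotal Web Server product or its newserver utility: it applies mod_ssl's SSLProtocol parsing rules (a bare name replaces the set, "+name" adds, "-name" removes, last directive wins) to a configuration fragment and reports whether SSLv2 or SSLv3 is still enabled. It assumes an OpenSSL build with SSLv2 compiled out, so "all" expands to SSLv3 plus TLS 1.0 through 1.2; the sample fragments WEAK_CONF and HARDENED_CONF are constructed for the example.

```shell
# Added example, not part of the Pivotal Web Server product. Follows mod_ssl's
# SSLProtocol parsing: a bare name replaces the set, "+name" adds, "-name"
# removes, and the last SSLProtocol line wins. Assumes OpenSSL built without
# SSLv2 (the default since 1.0.1s), so "all" means SSLv3 plus TLS 1.0-1.2.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"
KNOWN_PROTOCOLS="SSLv2 $ALL_PROTOCOLS"   # canonical output order

# Print list $1 with every occurrence of word $2 removed.
list_remove() {
    out=""
    for p in $1; do [ "$p" = "$2" ] || out="$out $p"; done
    printf '%s' "${out# }"
}

# Print the protocols the configuration text in $1 leaves enabled, in
# canonical order. No SSLProtocol directive means mod_ssl's default, "all".
ssl_protocols_enabled() {
    line=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SSLProtocol[[:space:]][[:space:]]*//p' | tail -n 1)
    [ -n "$line" ] || line="all"
    enabled=""
    for tok in $line; do
        name=${tok#[-+]}
        [ "$name" = "all" ] && name=$ALL_PROTOCOLS
        case $tok in
            -*) for n in $name; do enabled=$(list_remove "$enabled" "$n"); done ;;
            +*) enabled="$enabled $name" ;;
            *)  enabled="$name" ;;
        esac
    done
    out=""
    for p in $KNOWN_PROTOCOLS; do
        case " $enabled " in *" $p "*) out="$out $p" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Exit 0 when SSLv2 or SSLv3 is still enabled (instance needs review), else 1.
ssl_legacy_enabled() {
    case " $(ssl_protocols_enabled "$1") " in
        *" SSLv2 "*|*" SSLv3 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample fragments, not taken from any shipped httpd-ssl.conf.
WEAK_CONF='SSLEngine on
SSLProtocol all -SSLv2'
HARDENED_CONF='SSLEngine on
SSLProtocol all -SSLv2 -SSLv3'
```

Run `ssl_legacy_enabled "$(cat /path/to/instance/conf/extra/httpd-ssl.conf)"` per instance and act on a zero exit status; `ssl_protocols_enabled` prints the resulting protocol set for the report.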

This release includes a modification to the default certificate creation in the ./newserver instance creation utility. The tool now identifies the certificate with a SHA256 hash (rather than SHA1) and encrypts a copy of the certificate using AES256 (rather than DES).

Custom Module Deployment

The previous 5.4.x release -devel- packages for building add-on modules have been streamlined in 5.5.0 and later to flatten the development package build/ and include/ trees, avoiding many extraneous build-1/, apr-1/ and libxml2/ subdirectory structures. Custom module build makefiles may need to be adjusted accordingly to build against the new -devel- package structure. Module builds that rely upon apxs, {component}-config scripts or pkginfo should not be affected.

Update to mod_bmx

This package includes a new update of the mod_bmx modules. Users are cautioned to purge the old bmx data collection files, bmx_vhost.db.dir and bmx_vhost.db.pag, in each server instance’s logs/ directory. By default, the new mod_bmx_vhost names these files bmx_vhost1.db.* in order to prevent such collisions, but any user overriding BMXVHostDBMFilename must rename or purge their vhost summary collection files after upgrading to PWS 5.5.4 and before restarting the server instances. Unintelligible summaries and even server segfaults may result from using the old-format vhost summary files.

vFabric Hyperic Monitoring

Since the release of 5.5.0, the default instance leaves the mod_bmx LoadModule lines commented out, so the modules are not loaded. There is a performance impact, specifically in collecting the mod_bmx_vhost summaries, and these modules should only be loaded if this data is actually queried. Users requiring bmx monitoring, such as for the Web Server plug-in for Hyperic, may install new instances using one of three methods:

  1. Use two additional --subst flags to override the default, and load the mod_bmx modules for monitoring at initial startup:

    ./newserver --subst "#LoadModule bmx=LoadModule bmx" \
                --subst "#Include conf/extra/httpd-info=Include conf/extra/httpd-info" [...]

  2. To enable mod_bmx for all new instances, uncomment these lines in the deployed product httpd-2.2/_instance/conf/httpd.conf template file, prior to invoking ./newserver.

  3. Simply modify each desired instance’s {instance}/conf/httpd.conf file after invoking ./newserver to uncomment these lines, prior to starting the server instance.

Pivotal Web Server 5.5.4 Components Updated

The following components were updated since the 5.5.0 release:

  • Apache HTTP Server 2.2.34
  • Apache Tomcat mod_jk connector 1.2.42
  • Expat 2.2.1
  • OpenSSL 1.0.1u
  • PCRE 8.41
  • zlib 1.2.11

Pivotal Web Server 5.5.4 CVEs Addressed

Apache HTTP Web Server

The following vulnerabilities are addressed since the previous Pivotal Web Server 5.5.3 release:

  • CVE-2017-9788 mod_auth_digest: Uninitialized memory reflection
  • CVE-2017-7679 mod_mime: one byte overread by malicious response headers
  • CVE-2017-7668 core: unbounded token list parsing
  • CVE-2017-3169 mod_ssl: NULL pointer dereference by third-party modules
  • CVE-2017-3167 auth: authentication bypass by third-party modules

Refer to https://httpd.apache.org/security/vulnerabilities_22.html for all security vulnerabilities addressed since release 2.2.31, shipped with Pivotal Web Server 5.5.0.

Apache Tomcat mod_jk Connector

No new vulnerabilities are addressed since the previous Pivotal Web Server 5.5.3 release.

Refer to https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html for all security vulnerabilities addressed since release 1.2.40, shipped with Pivotal Web Server 5.5.0.

Expat Library

The following vulnerabilities are addressed since the previous Pivotal Web Server 5.5.3 release:

  • CVE-2017-9233: External entity infinite loop DoS
  • CVE-2016-9063: Detect integer overflow
  • CVE-2016-5300: Additional enhancements for higher quality entropy

Refer to https://sourceforge.net/p/expat/code_git/ci/R_2_2_1/tree/expat/Changes for all security vulnerabilities addressed since release 2.1.1, shipped with Pivotal Web Server 5.5.0.

OpenSSL Library

The following vulnerabilities are addressed since the previous Pivotal Web Server 5.5.3 release, as patches to OpenSSL 1.0.1u (final):

  • CVE-2017-3732: carry propagating bug in x86_64 Montgomery squaring
  • CVE-2017-3731: out-of-bounds read in truncated RC4-MD5 packet

CVE-2016-7055 does not appear to impact 1.0.1u.

Refer to https://www.openssl.org/news/vulnerabilities.html for all security vulnerabilities addressed since release 1.0.1p, shipped with Pivotal Web Server 5.5.0.

PCRE Library

The following vulnerabilities are addressed since the previous Pivotal Web Server 5.5.3 release:

  • CVE-2017-7246 Stack-based buffer overflow in pcre32_copy_substring
  • CVE-2017-7245 Stack-based buffer overflow in pcre32_copy_substring
  • CVE-2017-6004 out-of-bounds read in compile_bracket_matchingpath

Refer to http://www.pcre.org/original/changelog.txt for all security vulnerabilities addressed since release 8.37, shipped with Pivotal Web Server 5.5.0.

zlib Library

The following vulnerabilities are addressed since the previous Pivotal Web Server 5.5.3 release:

  • CVE-2016-9843 crc32_big function big-endian CRC calculation defect
  • CVE-2016-9842 inflateMark function left shifts of negative integers defect
  • CVE-2016-9841 improper pointer arithmetic in inffast.c
  • CVE-2016-9840 improper pointer arithmetic in inftrees.c

Refer to http://www.zlib.net/ChangeLog.txt for all security vulnerabilities addressed since release 1.2.8, shipped with Pivotal Web Server 5.5.0.