Release Notes for Version 6.0.0
This Pivotal Web Server release includes the following new features and changes:
- Libxml2 220.127.116.11
- Lua 5.2.2
- Apache HTTP Server 2.4.9
- Apache mod_jk 1.2.40
- Apache Tomcat Native 1.1.30
- OpenSSL 1.0.1h
An attacker using a carefully-crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
| CVE | Severity | Description |
| --- | --- | --- |
| CVE-2014-3470 | Moderate | OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack. |
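As an added check, not part of Pivotal Web Server or of OpenSSL itself, the script below parses an `openssl version` string and applies the exposure rules quoted above, taking the bundled 1.0.1h as the version that carries the fix; that anything at or above 1.0.1h is fixed, and the `openssl` binary name, are assumptions of this example.

```python
"""Constructed helper: compare an installed OpenSSL against the 1.0.1h this
release bundles, and classify exposure per the advisory text above."""
import re
import shutil
import subprocess

# Version bundled in this release (from the component list above).
REQUIRED = "1.0.1h"

# OpenSSL 1.0.x style: major.minor.fix, optional patch letters, optional beta tag.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Turn '1.0.1g', '1.0.2-beta1' or a full `openssl version` line into a
    comparable tuple (major, minor, fix, patch_letters, beta_rank).
    A released build gets an infinite beta rank so it sorts after its betas."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters, beta = m.groups()
    beta_rank = int(beta) if beta else float("inf")
    return (int(major), int(minor), int(fix), letters, beta_rank)


def meets_release_minimum(installed):
    """True if `installed` is at least the 1.0.1h shipped with this release."""
    return parse_openssl_version(installed) >= parse_openssl_version(REQUIRED)


def exposure(installed, role):
    """Apply the advisory: clients are affected in every pre-fix version;
    servers are only known to be affected in 1.0.1 (through 1.0.1g) and
    1.0.2-beta1; older servers are told to upgrade as a precaution.
    Returns 'vulnerable', 'fixed' or 'upgrade-advised'."""
    v = parse_openssl_version(installed)
    if v[:3] == (1, 0, 2) and v[4] == 1:   # 1.0.2-beta1 is named explicitly
        return "vulnerable"
    if v >= parse_openssl_version(REQUIRED):   # assumption: >= 1.0.1h is fixed
        return "fixed"
    if role == "client" or v[:3] == (1, 0, 1):
        return "vulnerable"
    return "upgrade-advised"


def installed_openssl_version(binary="openssl"):
    """Run the local `openssl version` (binary name is an assumption)."""
    path = shutil.which(binary)
    if path is None:
        raise FileNotFoundError(binary)
    return subprocess.check_output([path, "version"], text=True).strip()


if __name__ == "__main__":
    line = installed_openssl_version()
    print(line, "->", exposure(line, "server"), "(server)", exposure(line, "client"), "(client)")
```

Note that 1.0.2-beta1 sorts above 1.0.1h, so a bare minimum-version comparison passes it while the advisory still lists it as affected; the explicit check in `exposure` exists for that reason.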
The following issues have been identified in this release of Pivotal Web Server. Where possible, a workaround is also provided.
The table indicates the version in which the problem was found and, where applicable, the version in which it was fixed. If the Fixed In column is blank, it means the problem still exists in the latest version of Pivotal Web Server.
| Issue Number | Description | Found In | Fixed In |
| --- | --- | --- | --- |
| VWS-17 | The Microsoft Windows package and self-extraction mechanism do not provide a capability to store and unpack the | | |

Workaround: Create the symbolic link yourself. See [Windows: Install Pivotal Web Server from a Self-Extracting ZIP File](http://webserver.docs.pivotal.io/index.html?q=/topics/install.html) for details.