Release Notes for Version 6.0.0

What’s New in Pivotal Web Server 6.0.0

This Pivotal Web Server release includes the following new features and changes:

New Packages

  • Libxml2
  • Lua 5.2.2

Updated Packages

  • Apache HTTP Server 2.4.9
  • Apache mod_jk 1.2.40
  • Apache Tomcat Native 1.1.30
  • OpenSSL 1.0.1h

Removed Packages

  • cURL

Security vulnerabilities fixed in Pivotal Web Server 6.0.0

Table 1. Security vulnerabilities fixed in Pivotal Web Server 6.0.0

Issue Number: CVE-2014-0224
Severity: Important
Description: An attacker using a carefully-crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

Issue Number: CVE-2014-3470
Severity: Moderate
Description: OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
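The two entries above each describe a condition an administrator can verify on an existing deployment: for CVE-2014-0224 the notes name the vulnerable server versions (OpenSSL 1.0.1 before the 1.0.1h shipped in this release, and 1.0.2-beta1), and for CVE-2014-3470 the trigger is a TLS client configuration that enables anonymous ECDH ciphersuites. The following script is an added example, not code from the release notes or from Pivotal; it parses an OpenSSL version banner and applies the notes' server rule, and it walks an OpenSSL cipher string (the format httpd accepts in SSLCipherSuite and SSLProxyCipherSuite) to report whether anonymous ECDH suites remain enabled. The cipher-string logic is a simplified approximation of OpenSSL's keyword semantics (an assumption, not a call into libssl), and all sample inputs are constructed.

```python
"""Added example (not part of the Pivotal Web Server release notes): static
checks for the two OpenSSL issues fixed in 6.0.0.

CVE-2014-0224: apply the notes' server rule (1.0.1 before 1.0.1h and
1.0.2-beta1 are vulnerable) to an OpenSSL version string.
CVE-2014-3470: report whether an OpenSSL cipher string still enables
anonymous ECDH suites. The keyword tables below are a simplified
approximation of OpenSSL 1.0.1 behaviour (assumption), not a libssl call.
"""
import re

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, prerelease) from '1.0.1g',
    '1.0.2-beta1' or a full banner such as 'OpenSSL 1.0.1h 5 Jun 2014'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre


def server_vulnerable_to_ccs(version_text):
    """CVE-2014-0224 server rule exactly as the notes state it: 1.0.1 before
    1.0.1h and 1.0.2-beta1 are vulnerable; other branches are not known to be."""
    major, minor, fix, letter, pre = parse_openssl_version(version_text)
    if (major, minor, fix) == (1, 0, 1):
        return letter < "h"   # plain 1.0.1 ('') and 1.0.1a..1.0.1g sort before 'h'
    if (major, minor, fix) == (1, 0, 2):
        return pre == "beta1"
    return False


# Keywords that, alone or AND-ed with '+', still select at least one anonymous
# ECDH suite in OpenSSL 1.0.1 (e.g. AECDH-AES128-SHA, AECDH-RC4-SHA).
_INCLUDES_ANON_ECDH = {
    "ALL", "COMPLEMENTOFDEFAULT", "aNULL", "aECDH", "AECDH", "ECDH",
    "kEECDH", "kECDHE", "HIGH", "MEDIUM", "AES", "AES128", "AES256",
    "3DES", "DES", "RC4", "SHA", "SHA1", "NULL", "eNULL", "SSLv3", "TLSv1",
}
# Keywords whose removal ('!' or '-') takes every anonymous ECDH suite with it.
_REMOVES_ANON_ECDH = {
    "ALL", "COMPLEMENTOFDEFAULT", "aNULL", "aECDH", "AECDH", "ECDH",
    "kEECDH", "kECDHE",
}


def anonymous_ecdh_enabled(cipher_string):
    """Walk the cipher string left to right as OpenSSL does: '!' removes a
    keyword permanently, '-' removes it until a later keyword re-adds it,
    '+' only reorders. True if anonymous ECDH suites are still enabled."""
    enabled = False
    killed = False
    for token in filter(None, cipher_string.split(":")):
        if token.startswith("@"):          # sort directives such as @STRENGTH
            continue
        modifier = token[0] if token[0] in "!-+" else ""
        parts = token[len(modifier):].split("+")
        if modifier in ("!", "-"):
            # '-aNULL+AES' drops only a subset, so only a single keyword is
            # credited with removing the whole anonymous ECDH set.
            if len(parts) == 1 and parts[0] in _REMOVES_ANON_ECDH:
                enabled = False
                killed = killed or modifier == "!"
        elif modifier == "+" or killed:
            continue
        elif all(p in _INCLUDES_ANON_ECDH or p.startswith("AECDH-") for p in parts):
            enabled = True
    return enabled


def audit(openssl_version, cipher_string):
    """Combine both checks into the findings a reviewer would report."""
    findings = []
    if server_vulnerable_to_ccs(openssl_version):
        findings.append("CVE-2014-0224: OpenSSL %s is a vulnerable server "
                        "version; upgrade to 1.0.1h" % openssl_version.strip())
    if anonymous_ecdh_enabled(cipher_string):
        findings.append("CVE-2014-3470: cipher string leaves anonymous ECDH "
                        "suites enabled; add !aNULL")
    return findings


if __name__ == "__main__":
    # Constructed inputs: a pre-fix banner and a cipher string that never
    # excludes anonymous suites, followed by the patched equivalents.
    for banner, ciphers in [("OpenSSL 1.0.1g 7 Apr 2014", "HIGH:MEDIUM:!MD5"),
                            ("OpenSSL 1.0.1h 5 Jun 2014", "HIGH:!aNULL:!MD5")]:
        print(banner, "/", ciphers, "->", audit(banner, ciphers) or ["ok"])
```

The distinction between `!aNULL` and `-aNULL` is the one that matters in practice: `ALL:-aNULL:aECDH` re-enables anonymous ECDH, while `!aNULL` anywhere in the string keeps it out regardless of what follows. Explicit suite names are evaluated literally, so a list made only of authenticated ECDHE suites is reported as safe.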

Known Issues in Pivotal Web Server 6.0.0

The following issues have been identified in this release of Pivotal Web Server. Where possible, a workaround is also provided.

The table indicates the version in which the problem was found and, where applicable, the version in which it was fixed. If the Fixed In column is blank, it means the problem still exists in the latest version of Pivotal Web Server.

Table 2. Known Issues

Issue Number: VWS-17
Description: The Microsoft Windows package and self-extraction mechanism do not provide a capability to store and unpack the pivotal-web-server/httpd-2.2 symbolic link.
Workaround: Create the symbolic link yourself. See "Windows: Install Pivotal Web Server from a Self-Extracting ZIP File" for details.
Found In:
Fixed In: