Release Notes for Version 6.0.2
This Pivotal Web Server release includes the following new features and changes:
- Apache mod_ftp 0.9.6.4
- OpenSSL 1.0.1j
| Issue | Severity | Description |
|---|---|---|
| CVE-2014-3513 | High | A flaw in the DTLS SRTP extension parsing code allows an attacker who sends a carefully crafted handshake message to cause OpenSSL to fail to free up to 64k of memory, causing a memory leak. This could be exploited in a denial-of-service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS, regardless of whether SRTP is used or configured. Builds of OpenSSL compiled with OPENSSL_NO_SRTP defined are not affected. |
| CVE-2014-3567 | Moderate | When an OpenSSL SSL/TLS/DTLS server receives a session ticket, the integrity of that ticket is verified. If the integrity check fails, OpenSSL fails to free memory, causing a memory leak. By sending a large number of invalid session tickets, an attacker could exploit this issue in a denial-of-service attack. |
| SSL 3.0 fallback protection | Moderate | OpenSSL has added support for TLS_FALLBACK_SCSV, which allows applications to block a man-in-the-middle attacker from forcing a protocol downgrade. Some client applications (such as browsers) reconnect using a downgraded protocol to work around interoperability bugs in older servers. An active man-in-the-middle attacker could exploit this to downgrade connections to SSL 3.0 even when both sides support higher protocol versions. SSL 3.0 contains a number of weaknesses, including POODLE (CVE-2014-3566). |
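To make the fallback-protection row concrete, the following is an added example (not code from Pivotal Web Server or OpenSSL) of the server-side rule that TLS_FALLBACK_SCSV enables, as specified in RFC 7507: a minimal ClientHello parser plus the decision a server makes when the special cipher-suite value 0x5600 appears in a hello whose client_version is lower than the highest version the server supports. The ClientHello records, the helper names (`parse_client_hello`, `build_client_hello`, `server_decision`) and the default `server_max_version` of TLS 1.2 are all constructed for this demonstration.

```python
"""TLS_FALLBACK_SCSV (RFC 7507) server-side check over a minimal ClientHello parser.

Added example, not code from Pivotal Web Server or OpenSSL. All ClientHello
records here are constructed by hand; helper names are this example's own.
"""
from __future__ import annotations

import struct

TLS_FALLBACK_SCSV = 0x5600          # signalling cipher suite value, RFC 7507
INAPPROPRIATE_FALLBACK = 86         # TLS alert description sent on a blocked downgrade
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello, up to and including cipher_suites.

    Returns {'version': client_version, 'cipher_suites': [...]} and raises
    ValueError for anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                      # skip client_version and the 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "cipher_suites": suites}


def build_client_hello(version: int, suites: list[int]) -> bytes:
    """Construct a minimal ClientHello record (empty session_id, null compression,
    no extensions). Used only to produce test input for this example."""
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"              # compression_methods: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def server_decision(record: bytes, server_max_version: int = TLS12) -> tuple[str, int]:
    """Apply RFC 7507 section 3 on the server side.

    If the hello carries TLS_FALLBACK_SCSV and client_version is lower than the
    highest version this server supports, the hello is the retry of a client that
    already tried a higher version, so a downgrade attack is in progress: abort with
    inappropriate_fallback. Otherwise negotiate as usual."""
    ch = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in ch["cipher_suites"] and ch["version"] < server_max_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("accept", ch["version"])


if __name__ == "__main__":
    aes128 = 0x002F
    # 1. Ordinary TLS 1.2 hello: accepted.
    print(server_decision(build_client_hello(TLS12, [aes128])))
    # 2. Browser retried at SSL 3.0 after a MITM broke the TLS 1.2 attempt: blocked.
    print(server_decision(build_client_hello(SSL3, [aes128, TLS_FALLBACK_SCSV])))
    # 3. Same retry against a server whose best version really is TLS 1.1: accepted,
    #    because the fallback matches what the server supports (the interop case).
    print(server_decision(build_client_hello(TLS11, [aes128, TLS_FALLBACK_SCSV]), TLS11))
    # 4. Legacy SSL 3.0-only client that never sends the SCSV: accepted. The SCSV does
    #    not disable SSL 3.0; only a server-side protocol policy does that.
    print(server_decision(build_client_hello(SSL3, [aes128])))
```

Case 4 is the caveat to keep in mind when reading this row: TLS_FALLBACK_SCSV only protects clients that send it (in OpenSSL 1.0.1j a client opts in with SSL_MODE_SEND_FALLBACK_SCSV, and `openssl s_client -fallback_scsv` can be used to exercise a server). A server that still offers SSL 3.0 to clients that do not send the SCSV remains exposed to POODLE against those clients, so disabling SSL 3.0 in the server's protocol configuration is the complete fix; the SCSV support in this release closes the forced-downgrade path for up-to-date clients.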
The following issues have been identified in this release of Pivotal Web Server. Where possible, a workaround is also provided.
The table indicates the version in which the problem was found and, where applicable, the version in which it was fixed. If the Fixed In column is blank, it means the problem still exists in the latest version of Pivotal Web Server.
| Issue Number | Description | Found In | Fixed In |
|---|---|---|---|
| VWS-17 | The Microsoft Windows package and self-extraction mechanism do not provide a capability to store and unpack the<br>Workaround: Create the symbolic link yourself. See [Windows: Install Pivotal Web Server from a Self-Extracting ZIP File](http://webserver.docs.pivotal.io/index.html?q=/topics/install.html) for details. | | |