Release Notes for Version 6.0.2


What’s New in Pivotal Web Server 6.0.2

This Pivotal Web Server release includes the following new features and changes:

Updated Packages

  • Apache mod_ftp 0.9.6.4
  • OpenSSL 1.0.1j

Security vulnerabilities fixed in Pivotal Web Server 6.0.2

Table 1. Security vulnerabilities fixed in Pivotal Web Server 6.0.2

| Issue Number | Severity | Description |
|---|---|---|
| CVE-2014-3513 | High | A flaw in the DTLS SRTP extension parsing code allows an attacker who sends a carefully crafted handshake message to cause OpenSSL to fail to free up to 64k of memory, causing a memory leak. This could be exploited in a denial-of-service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS, regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected. |
| CVE-2014-3567 | Moderate | When an OpenSSL SSL/TLS/DTLS server receives a session ticket, the integrity of that ticket is verified. If a session ticket integrity check fails, OpenSSL will fail to free memory, causing a memory leak. By sending a large number of invalid session tickets, an attacker could exploit this issue in a denial-of-service attack. |
| SSL 3.0 Fallback protection | Moderate | OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability of a MITM attacker to force a protocol downgrade. Some client applications (such as browsers) reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle attack to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses, including POODLE (CVE-2014-3566). |
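The server-side rule behind that fallback protection, as an added Python example that is not part of these release notes or of OpenSSL's own code: a minimal ClientHello parser plus the RFC 7507 check (refuse when the client signals a fallback with TLS_FALLBACK_SCSV but offers a lower version than the server's best). The helper names, the constructed sample ClientHello and the omission of extensions are assumptions made for the demonstration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600   # signalling cipher suite value from RFC 7507
SSL3_VERSION = 0x0300
TLS1_2_VERSION = 0x0303


def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suites]) from a TLS record carrying a ClientHello.
    Only the fields the fallback check needs are decoded; extensions are ignored."""
    if len(record) < 9 or record[0] != 0x16:       # content type 22 = handshake
        raise ValueError("not a handshake record")
    hs = record[5:]
    if hs[0] != 0x01:                               # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    body = hs[4:]                                   # skip type (1) + length (3)
    client_version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                              # after 2-byte version + 32-byte random
    pos = 35 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def server_accepts(record: bytes, server_max_version: int) -> bool:
    """RFC 7507 server rule: a client that includes TLS_FALLBACK_SCSV is saying
    'this is a retry at a lower version'. If the server supports something higher
    than what is offered, the downgrade was not needed, so the handshake is refused
    (a real server sends a fatal inappropriate_fallback alert, code 86)."""
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return False
    return True


def build_client_hello(version: int, suites) -> bytes:
    """Constructed sample ClientHello (no extensions) used to exercise the check."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"       # suites, one null compression method
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs
```

A client that never sends the SCSV (a legacy client that genuinely only speaks SSL 3.0) is not blocked by this rule; disabling SSL 3.0 in the server configuration is what covers that case.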

Known Issues in Pivotal Web Server 6.0.2

The following issues have been identified in this release of Pivotal Web Server. Where possible, a workaround is also provided.

The table indicates the version in which the problem was found and, where applicable, the version in which it was fixed. If the Fixed In column is blank, it means the problem still exists in the latest version of Pivotal Web Server.

Table 2. Known Issues

| Issue Number | Description | Found In | Fixed In |
|---|---|---|---|
| VWS-17 | The Microsoft Windows package and self-extraction mechanism do not provide a capability to store and unpack the pivotal-web-server/httpd-2.2 symbolic link. Workaround: Create the symbolic link yourself. See [Windows: Install Pivotal Web Server from a Self-Extracting ZIP File](http://webserver.docs.pivotal.io/index.html?q=/topics/install.html) for details. | 5.0.0 | |