Release Notes for Version 5.5.0

Note: This product has been discontinued. Technical Guidance ends July 15th 2018.

What’s in the Release Notes

These release notes cover the following topics:

End of Availability Notice

Note that the End of Availability of the Pivotal Web Server product is effective March 1st, 2015. General Support for the Pivotal Web Server releases 5.5.x and 6.1.x ends on July 15, 2017. Users of previous vFabric Web Server and Pivotal Web Server releases are strongly encouraged to update to these releases promptly. More specific guidance will be forthcoming in the form of whitepapers, addressing how to build httpd 2.4 from source code, including guidance on building or obtaining the subcomponents of Pivotal Web Server.

Note that July 15, 2017 also marks the End of General Support for open source Apache HTTP Server version 2.2. All customers seeking ongoing support for Apache HTTP server must migrate to version 2.4 by this date for General Support. Only Technical Guidance will be available for version 2.2 after July 15, 2017. Technical Guidance for Apache HTTP Server version 2.2 will cease on July 15, 2018.

What’s New in Pivotal Web Server 5.5.0

This Pivotal Web Server release includes the following new features and changes:

Updated Packages

  • Apache httpd Server 2.2.31
  • Apache Tomcat tcnative connector 1.2.33
  • PCRE 8.37 (Including patch for CVE-2015-3210)
  • ZLib 1.2.8
  • Expat 2.1.0 (Including patch for CVE-2015-1283)
  • libiconv 1.11
  • OpenSSL 1.0.1p
  • OpenSSL FIPS 2.0.9
  • OpenLDAP 2.3.43
  • Apache APR 1.5.2
  • Apache APR-util 1.5.4
  • Apache httpd mod_fcgid 2.3.9
  • Apache Tomcat mod_jk 1.2.40
  • Apache mod_ftp 0.9.6
  • mod_bmx 0.9.4

Resolved Issues

This release of Pivotal Web Server addresses the following CVEs:

vFabric Hyperic Monitoring

This package includes the mod_bmx modules. However, in this release (version 6.1.0) the modules are commented out by default and are not loaded. If you require bmx monitoring, such as for the Web Server plug-in to Hyperic, install a new instance with two additional --subst flags that override the default and load the mod_bmx modules for monitoring at initial startup. For example:

./newserver --subst "#LoadModule bmx=LoadModule bmx" \
            --subst "#Include conf/extra/httpd-info=Include conf/extra/httpd-info" [...]

The alternative for mod_bmx users is to uncomment the above lines in the deployed httpd-2.2/_instance/conf/httpd.conf default template prior to invoking newserver, or to modify the deployed {instance}/conf/httpd.conf file after invoking newserver but prior to initially starting the server.

Upgrade Notes

The Pivotal Web Server 6.1.0 and maintenance 5.5.0 releases provide the opportunity to update a number of subcomponents, which also introduces the possibility of incompatibility for users who have extended the product with their own modules that consume these subcomponents. We encourage users who have compiled their own or third-party modules (apart from modules distributed with Pivotal Web Server) to carefully review their modules’ dependencies and test their functionality before moving them into production on 5.5 or 6.1. Most modules with no direct dependencies on these subcomponents should remain compatible: modules built for PWS 5.x with this 5.5.0 release, and modules built for PWS 6.0 with this 6.1.0 release. Note that modules compiled for PWS 5.x are not binary compatible with PWS 6.x releases; these modules must be recompiled and, in some cases, ported to httpd 2.4-specific APIs.

This release introduces updated default configuration and hardening recommendations, particularly in the default extra/httpd-ssl.conf configuration to improve the robustness of SSL/TLS cryptography. Users should review existing instances to ensure that mod_ssl features including SSLProtocol and SSLCipherList meet modern guidance. It may be especially helpful to use certificate expiration dates to trigger a periodic review of these configurations, as the guidance continues to evolve as end-users update their browsers and other clients to more modern TLS capabilities.
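As an added example, not part of the product or of these notes, the following POSIX shell audit reads an instance's extra/httpd-ssl.conf and flags an SSLProtocol setting that leaves SSLv2/SSLv3 enabled, weak entries in the SSLCipherSuite directive (the cipher list referred to above), and a missing SSLHonorCipherOrder. Both sample configurations it checks are constructed here; the weak one only imitates the shape of older httpd 2.2 defaults and is not a shipped file.

```shell
#!/bin/sh
# Added example, not part of Pivotal Web Server: audit an instance's extra/httpd-ssl.conf
# for the mod_ssl settings the upgrade notes ask users to review. One "WEAK: ..." line
# per finding; no output for a hardened configuration.
audit_ssl_conf() {
    # Drop comments and blank lines so commented-out defaults are not read as active.
    active=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1")
    # SSLProtocol: last directive wins. Flag SSLv2/SSLv3 enabled explicitly or via "all".
    proto=$(printf '%s\n' "$active" | awk 'tolower($1)=="sslprotocol"{$1=""; sub(/^ /,""); p=$0} END{print p}')
    [ -n "$proto" ] || echo "WEAK: no SSLProtocol directive; set it explicitly"
    case " $proto " in
        *" SSLv2 "*|*" +SSLv2 "*|*" SSLv3 "*|*" +SSLv3 "*)
            echo "WEAK: SSLProtocol explicitly enables SSLv2/SSLv3 ($proto)" ;;
    esac
    case " $proto " in
        *" all "*|*" +all "*) case " $proto " in
            *" -SSLv3 "*) ;;
            *) echo "WEAK: SSLProtocol 'all' without -SSLv3 leaves SSLv3 enabled ($proto)" ;;
        esac ;;
    esac
    # SSLCipherSuite (the cipher list): flag weak suites or groups that are included
    # (not excluded with '!' or removed with '-'); the DES pattern also catches 3DES.
    printf '%s\n' "$active" | awk 'tolower($1)=="sslciphersuite"{print $2}' | tail -n 1 |
        tr ':' '\n' | while read -r tok; do
            case "$tok" in
                ''|'!'*|-*) ;;
                *RC4*|*DES*|*MD5*|*EXP*|*NULL*|*LOW*|*SSLv2*) echo "WEAK: cipher list includes '$tok'" ;;
            esac
        done
    # Without SSLHonorCipherOrder on, the client's preference picks the suite.
    if ! printf '%s\n' "$active" | grep -iq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]*on'; then
        echo "WEAK: SSLHonorCipherOrder is not 'on'"
    fi
}

# Constructed sample configurations (not the product's shipped defaults) to exercise the audit.
make_sample_conf() {  # make_sample_conf weak|hardened -> path of a temporary file
    f=$(mktemp)
    if [ "$1" = weak ]; then
        printf '%s\n' 'SSLEngine on' 'SSLProtocol all' '# SSLHonorCipherOrder on' \
            'SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL' > "$f"
    else
        printf '%s\n' 'SSLEngine on' 'SSLProtocol all -SSLv2 -SSLv3' \
            'SSLCipherSuite HIGH:!aNULL:!MD5:!RC4' 'SSLHonorCipherOrder on' > "$f"
    fi
    echo "$f"
}
# count_findings weak|hardened -> number of WEAK lines reported for that sample (7 and 0).
count_findings() { audit_ssl_conf "$(make_sample_conf "$1")" | awk 'END{print NR}'; }
audit_ssl_conf "$(make_sample_conf weak)"
```

Run it against a real instance with `audit_ssl_conf /path/to/instance/conf/extra/httpd-ssl.conf`; the pattern list is deliberately conservative and should be extended as guidance evolves.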

For users of the -devel- packages, these packages have been streamlined to flatten the development package build/ and include/ trees, avoiding the extraneous build-1/, apr-1/ and libxml2/ subdirectory structures. Users’ custom module build makefiles may need to be adjusted accordingly to build against the new -devel- package structure. Module builds that rely upon apxs, {component}-config scripts or pkginfo should not be affected.

Newly introduced scripts, for bash or sh, and httpdenv.ps1 for PowerShell, have been added in the product’s httpd-2.x/bin/ directory as well as in all newly created instance/bin/ directories. The instance-specific flavor adds the instance-specific bin/ to the user’s path, while both varieties configure the user’s binary path, library path, man page path and OpenSSL configuration path to consume Pivotal Web Server specific binaries from the command line.

Known Issues in Pivotal Web Server 5.5.0

The following issues have been identified in this release of Pivotal Web Server. Where possible, a workaround is also provided.

The table indicates the version in which the problem was found and, where applicable, the version in which it was fixed. If the Fixed In column is blank, it means the problem still exists in the latest version of Pivotal Web Server.

Table 1. Known Issues
Issue Number Description Found In Fixed In
VWS-17 The Microsoft Windows package and self-extraction mechanism do not provide a capability to store and unpack the pivotal-web-server/httpd-2.2 symbolic link.

Workaround: Create the symbolic link yourself. See Windows: Install Pivotal Web Server from a Self-Extracting ZIP File for details.