VMware

vFabric Web Server 5.3 Release Notes

vFabric Web Server 5.3.4 | 06 MAY 2014
vFabric Web Server 5.3.3 | 07 JAN 2014
vFabric Web Server 5.3.2 | 19 NOV 2013
vFabric Web Server 5.3.1 | 06 AUG 2013
vFabric Web Server 5.3.0 | 24 APR 2013

Last Document Update: 13 NOV 2013

What's in the Release Notes

The release notes cover the following topics:

  • What's New in vFabric Web Server 5.3.4
  • What's New in vFabric Web Server 5.3.3
  • What's New in vFabric Web Server 5.3.2
  • What's New in vFabric Web Server 5.3.1
  • What's New in vFabric Web Server 5.3.0
  • Known Issues

What's New in vFabric Web Server 5.3.4

This vFabric Web Server release includes the following changes:

  • Updated component and module versions: vFabric Web Server 5.3.4 updates the versions of the following components and modules:
    • Apache HTTP Server 2.2.27
    • OpenSSL 1.0.1g
  • Security vulnerabilities fixed:
    • CVE-2013-4353 (mod_ssl crash; severity: Low): A carefully crafted invalid TLS handshake could crash mod_proxy https:// requests inside OpenSSL with a NULL pointer dereference. A malicious backend server could use this flaw to crash the connecting client, causing a limited denial of service. Fixed in OpenSSL 1.0.1f. Affected all previous Pivotal Web Server versions.
    • CVE-2013-6438 (mod_dav crash; severity: Moderate): XML parsing code in the mod_dav module miscalculated the end of the string when removing leading spaces and wrote a NUL byte past the end of the buffer, causing random crashes. This parsing code is used only with DAV provider modules that support DeltaV, of which the only publicly released provider is mod_dav_svn. Fixed in Apache HTTP Server 2.2.27. Affected all previous Pivotal Web Server versions.
    • CVE-2013-6449 (mod_ssl TLS v1.2 crash; severity: Moderate): A flaw in OpenSSL could cause an application using OpenSSL to crash when TLS version 1.2 is negotiated, causing a limited denial of service. Fixed in OpenSSL 1.0.1f. Affected all previous Pivotal Web Server versions.
    • CVE-2013-6450 (OpenSSL DTLS crash; severity: No impact): A flaw in DTLS (Datagram Transport Layer Security) handling could cause an application using OpenSSL and DTLS to crash. The mod_ssl module does not support DTLS, so vFabric Web Server is not exposed. Fixed in OpenSSL 1.0.1f.
    • CVE-2014-0076 (OpenSSL ECDSA nonce side channel; severity: Low): The Montgomery ladder implementation in OpenSSL through 1.0.0l and 1.0.1 through 1.0.1f did not ensure that certain swap operations have constant-time behavior, which made it easier for a local user on the same host to recover ECDSA nonces, and from them the signing key, via a FLUSH+RELOAD cache side-channel attack. This is not a crash and is not remotely exploitable; the attacker must already be able to run code on the same machine as the server. Fixed in OpenSSL 1.0.1g.
    • CVE-2014-0098 (mod_log_config crash; severity: Low): A flaw was found in the mod_log_config module when it is configured to log cookie values (the %{name}C LogFormat item). A remote attacker could send a malformed Cookie header, causing a crash and limited denial of service. Fixed in Apache HTTP Server 2.2.27. Affected all previous Pivotal Web Server versions.
    • CVE-2014-0160 (OpenSSL heartbeat read overrun, "Heartbleed"; severity: Critical): OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 lack a bounds check in the TLS heartbeat extension (RFC 6520), so a remote peer can make the process return up to 64 KB of its own memory per heartbeat request, before any authentication takes place. The returned memory can contain the server's private key, TLS session keys, session cookies and other request data. Fixed in OpenSSL 1.0.1g. Because an attacker may already have read the private key, upgrading alone is not sufficient: reissue the server certificate with a new key and invalidate existing sessions after deploying the fix.
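The missing bounds check behind CVE-2014-0160, as an added example that is not part of these release notes or of OpenSSL: the heap contents, the secrets and the function names are constructed for illustration, and the two handlers are a reduced model of the heartbeat code before and after the 1.0.1g fix rather than the OpenSSL source.

```python
"""
Heartbleed (CVE-2014-0160) reduced to the one missing bounds check.

Added example; not vFabric Web Server or OpenSSL code.  The heap layout,
the secrets and the record framing are constructed here for illustration.
RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding(>=16)
"""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of padding
HEADER_LEN = 1 + 2        # type + payload_length


def build_heartbeat_request(claimed_len: int, payload: bytes = b"") -> bytes:
    """Frame a heartbeat request.  A scanner sets claimed_len far above
    len(payload); a well-behaved client sets them equal."""
    return (bytes([HB_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * MIN_PADDING)


def heartbeat_unpatched(heap: bytes, record_len: int) -> Optional[bytes]:
    """OpenSSL <= 1.0.1f behaviour.  heap[:record_len] is the received
    record; the bytes after it are whatever else the process had on the heap."""
    hbtype = heap[0]
    payload_len = struct.unpack("!H", heap[1:3])[0]
    if hbtype != HB_REQUEST:
        return None
    # BUG: payload_len is attacker-controlled and never compared with
    # record_len, so the copy runs off the end of the record into the heap.
    echoed = heap[HEADER_LEN:HEADER_LEN + payload_len]
    return (bytes([HB_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * MIN_PADDING)


def heartbeat_patched(heap: bytes, record_len: int) -> Optional[bytes]:
    """OpenSSL 1.0.1g behaviour: the same handler plus the two checks the fix added."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None   # too short to be a heartbeat at all; silently dropped
    hbtype = heap[0]
    payload_len = struct.unpack("!H", heap[1:3])[0]
    if hbtype != HB_REQUEST:
        return None
    if HEADER_LEN + payload_len + MIN_PADDING > record_len:
        return None   # claimed length exceeds the record: discard it
    echoed = heap[HEADER_LEN:HEADER_LEN + payload_len]
    return (bytes([HB_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * MIN_PADDING)


def looks_vulnerable(sent_claimed_len: int, sent_payload: bytes,
                     response: Optional[bytes]) -> bool:
    """Scanner-side rule: a patched server answers an over-long request with
    nothing; an unpatched one echoes more bytes than the scanner ever sent."""
    if response is None or response[0] != HB_RESPONSE:
        return False
    got_len = struct.unpack("!H", response[1:3])[0]
    return got_len == sent_claimed_len and got_len > len(sent_payload)


def demo() -> dict:
    # Constructed heap: the hostile record followed by data another
    # connection left behind (a session cookie and a private-key fragment).
    record = build_heartbeat_request(claimed_len=64, payload=b"")
    neighbour = (b"Cookie: JSESSIONID=constructed-secret-0001; "
                 b"-----BEGIN RSA PRIVATE KEY-----")
    heap = record + neighbour
    unpatched = heartbeat_unpatched(heap, len(record))
    patched = heartbeat_patched(heap, len(record))
    honest = build_heartbeat_request(claimed_len=4, payload=b"ping")
    return {
        "leaked": unpatched[HEADER_LEN:HEADER_LEN + 64],
        "unpatched_vulnerable": looks_vulnerable(64, b"", unpatched),
        "patched_vulnerable": looks_vulnerable(64, b"", patched),
        "honest_echo": heartbeat_patched(honest, len(honest))[HEADER_LEN:HEADER_LEN + 4],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block prints the bytes the unpatched handler copies out of the simulated heap next to the patched handler's refusal. The looks_vulnerable() rule is the same one a network scanner applies to a live server's reply: a fixed server silently drops an over-long heartbeat, an unfixed one echoes the claimed length.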

Note:

  • vFabric Web Server 5.3.4 is considered the final VMware-branded product release.
  • vFabric Web Server 5.3.4 includes all defect fixes provided in the vFabric 5.x OpenSSL 1.0.1g security patch. You need not apply that patch to this release.
  • Pivotal Web Server 5.4.0 includes all changes provided in vFabric Web Server 5.3.4, including additional fixes and enhancements.
  • Pivotal Web Server 5.4.0 supersedes ALL vFabric Web Server releases and should be adopted at your earliest convenience.

What's New in vFabric Web Server 5.3.3

This vFabric Web Server release includes minor bug fixes as well as the following changes:

  • Updated component and module versions: vFabric Web Server 5.3.3 updates the versions of the following components and modules:
    • Apache HTTP Server 2.2.26, with additional updates:
      • Introduced mod_proxy_balancer support for a Drain status. A balancer member can be put in Drain from the start by giving it the N (drain) status flag, status=+N, in its BalancerMember directive, or toggled into and out of Drain through the balancer-manager application. A member in Drain continues to receive requests that are already tied to it by a sticky session, but is not assigned requests that start a new session or requests that carry no session at all, so it can be taken out of service gracefully once its existing sessions end. See the Apache HTTP Server documentation for more information.
      • Users of vFabric Web Server 5.3.2 and Apache HTTP Server 2.2.26 configured as a forward proxy, and in limited cases also as a reverse proxy, reported the following fatal error:

        Hostname proxyhost.example.com provided via SNI and hostname target.example.com provided via HTTP are different.

        The check that produced this error was introduced in vFabric Web Server 5.3.2 and Apache HTTP Server 2.2.26. In this release it applies only when the SSLStrictSNIVHostCheck feature is enabled, and that feature is disabled by default. See the Apache HTTP Server documentation for the restrictions SSLStrictSNIVHostCheck imposes.

What's New in vFabric Web Server 5.3.2

This vFabric Web Server release includes the following new features and changes:

  • Updated component and module versions: vFabric Web Server 5.3.2 updates the versions of the following components and modules:
    • Apache HTTP Server 2.2.25 (including 2.2.25 regression fixes)
    • Apache Tomcat Native 1.1.29
    • Apache mod_fcgid 2.3.9
  • Notable Resolved Issues in Apache HTTP Server
    • (VWS-188) The httpdctl script install and uninstall options now support Ubuntu/Debian environments.
    • (ASF 55304) Flaws introduced in mod_dav behavior with 2.2.25 are addressed.
  • Security Fixes:
    • No corrected defects in this update are classified as vulnerability fixes. The default for the SSLCompression directive changed from on to off, so that a default installation no longer negotiates TLS-level compression. This removes the compression oracle that the CRIME attack (CVE-2012-4929) uses to recover secrets such as session cookies from encrypted traffic. A configuration that relies on the old default must now set SSLCompression on explicitly, which restores that exposure.

What's New in vFabric Web Server 5.3.1

This vFabric Web Server release includes the following new features and changes:

  • Updated component and module versions: vFabric Web Server 5.3.1 updates the versions of the following components and modules:
    • Apache HTTP Server 2.2.25
    • Apache APR Library 1.4.8
    • Apache APR-util Library 1.5.2
  • Notable Resolved Issues in Apache HTTP Server (51194 and 51657): Correctly parse quotation and escaped spaces in FcgidWrapper command line argument (as currently documented) and honor quoted FcgidCmdOptions arguments (notably for InitialEnv assignments).
  • Security Fixes:
    Issue Number Description
    CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn, with the source href (sent as XML in the request body) pointing to a URI that is not configured for DAV, triggers a segfault.
    CVE-2013-1862 mod_rewrite: Ensure that client data written to the RewriteLog is escaped, so that terminal escape sequences supplied by a client cannot reach the log file and act on the terminal of an administrator who views it.
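How escaping keeps client data out of a terminal's control stream, as an added example that is neither httpd's code nor vFabric's: escape_logitem() re-implements the convention of httpd's ap_escape_logitem(), the log line layout and the hostile request are constructed, and has_terminal_controls() is an audit check written for this page.

```python
"""
Escaping client-controlled data before it is written to a log file, which
is what the CVE-2013-1862 fix does for mod_rewrite's RewriteLog.

Added example; this is not httpd's code.  escape_logitem() follows the
convention of httpd's ap_escape_logitem() (named control characters as
backslash escapes, everything else non-printable as \\xHH) but is a
re-implementation written for this page, and the request data below is
constructed.
"""
from typing import Dict

# Escapes applied to the common control characters and to the two
# characters that would otherwise break a quoted log field.
_NAMED_ESCAPES: Dict[int, str] = {
    0x08: "\\b", 0x09: "\\t", 0x0A: "\\n", 0x0B: "\\v", 0x0C: "\\f",
    0x0D: "\\r", 0x22: '\\"', 0x5C: "\\\\",
}


def escape_logitem(raw: bytes) -> str:
    """Return a printable-ASCII rendering of raw.  Nothing below 0x20 or
    above 0x7e survives, so the result cannot carry a terminal escape
    sequence or a fake line break."""
    out = []
    for b in raw:
        if b in _NAMED_ESCAPES:
            out.append(_NAMED_ESCAPES[b])
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def rewrite_log_line(client_ip: str, request_uri: bytes,
                     rewritten: bytes, escape: bool) -> str:
    """Compose one rewrite-trace line (the layout is illustrative, not
    httpd's exact RewriteLog format).  escape=False reproduces the unsafe
    pre-fix behaviour; escape=True is the fixed behaviour."""
    render = escape_logitem if escape else (lambda b: b.decode("latin-1"))
    return "%s - - rewrite '%s' -> '%s'" % (
        client_ip, render(request_uri), render(rewritten))


def has_terminal_controls(line: str) -> bool:
    """Log-audit check: True if the line still contains characters a
    terminal would act on (C0 controls other than the line's own newline,
    DEL, or the C1 range)."""
    return any((ord(c) < 0x20 and c != "\n") or 0x7F <= ord(c) <= 0x9F
               for c in line)


# Constructed hostile request: clears the screen, homes the cursor and sets
# the terminal title, then injects a second, innocent-looking log entry.
HOSTILE_URI = (b"/index.html\x1b[2J\x1b[H\x1b]0;owned\x07"
               b"\n127.0.0.1 - - rewrite '/' -> '/'")
REWRITTEN = b"/app/index.html"


def demo() -> Dict[str, object]:
    unsafe = rewrite_log_line("203.0.113.9", HOSTILE_URI, REWRITTEN, escape=False)
    safe = rewrite_log_line("203.0.113.9", HOSTILE_URI, REWRITTEN, escape=True)
    return {
        "unsafe_has_controls": has_terminal_controls(unsafe),
        "safe_has_controls": has_terminal_controls(safe),
        "safe_line": safe,
        "unsafe_line_count": unsafe.count("\n") + 1,  # the injected entry
        "safe_line_count": safe.count("\n") + 1,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

The escaped line is what an administrator sees with cat or tail: the ESC and BEL bytes appear as the literal text \x1b and \x07 and the injected newline as \n, so the entry stays on one line and the terminal is never instructed to do anything.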

What's New in vFabric Web Server 5.3.0

This vFabric Web Server release includes the following new features and changes:

  • Updated packages:
    • Apache HTTP Server 2.2.24
    • OpenSSL 1.0.1e
    • PCRE 8.32
    • zlib 1.2.7
    • Apache tcnative connector 1.1.27
  • New packages:
    • cURL 7.29
  • httpdctl enhancement: The httpdctl script's install and uninstall command options, which install and remove a Web Server instance as a system service, now support Solaris. The implementation of this feature is subject to change in future maintenance releases.

Known Issues

The following issues have been identified in this release of vFabric Web Server. Where possible, a workaround is also provided.

Each entry notes the version in which the problem was found and, where applicable, the version in which it was fixed. An entry with no Fixed In version still exists in the latest version of vFabric Web Server.

Issue Number: ASF 55304 (Found In: 5.3.1; Fixed In: 5.3.2)

Note: This known issue is a regression in Apache HTTP Server itself.

If the source of a DAV COPY operation is also the root of the DAV repository, there is no parent resource to provide. The regression causes the Subversion test suite to fail against Subversion releases prior to 1.7.11 and 1.8.1, which fixed an assertion in the get_parent_resource() code when it is run against the root. Affected customers should file a support ticket for a patch; most users, including most DAV and Subversion users, are not affected.

Issue Number: VWS-188 (Found In: 5.2.0; Fixed In: 5.3.2)

On Ubuntu 12.04 LTS, the httpdctl install and httpdctl uninstall commands fail under a default installation of vFabric Web Server because the commands expect the chkconfig utility to be present to enable or disable the /etc/init.d service.

Workaround: Run the following commands before running the two httpdctl commands:

prompt# apt-get install chkconfig
prompt# ln -s /usr/lib/insserv/insserv /sbin/

When you next run httpdctl install|uninstall, the command will likely print many lines of noise that make it look as if the command did not succeed. If, however, the final line is the following, the command succeeded:

vFabric-httpd-instance-name 0:off 1:off 2:on 3:on 4:on 5:on 6:off

This last line lists the runlevels at which the service is enabled; in the sample output above, the runlevels are 2, 3, 4 and 5.

Issue Number: VWS-17 (Found In: 5.0.0; Fixed In: none)

The Microsoft Windows package and self-extraction mechanism do not provide a capability to store and unpack the vfabric-web-server/httpd-2.2 symbolic link.

Workaround: Create the symbolic link yourself. See Windows: Install vFabric Web Server from a ZIP File for details.