HP-UX 11i December 2002 Release Notes

HP-UX 11i Version 1.0 Operating Environment Applications
HP-UX 11i Operating Environment
Chapter 6
auth_ldap 1.6 has been added as the connector module between Apache and an LDAP
directory server, allowing Apache to authenticate HTTP clients by using
entries in an LDAP directory. auth_ldap supports iPlanet (Netscape) Directory
Server and OpenLDAP Server, and can be configured to use the stunnel program for
secure SSL queries to the LDAP server.
The following utilities have been added to HP Apache 1.3.26.x in the
/opt/apache/bin/ directory. (For more information on each utility, please see the
Utilities User Guide, available at
/opt/apache/htdocs/doc/utilities.user.guide.)
mkcert.sh: SSL Certificate Generation Utility. This script generates private
keys, certificate signing requests, and certificates for the CA, server, and client.
stunnel_ctl.sh: Stunnel Start/Stop Utility. This is a wrapper utility used to
start and stop the stunnel program. Stunnel is used for SSL connections
between Apache and an LDAP directory server. More information on configuring
an SSL connection is in the LDAP Admin Guide, available at
/opt/apache/htdocs/doc/ldap.admin.guide.
New in 1.3.26.05
OpenSSL 0.9.6g version upgrade fixes certain known OpenSSL vulnerabilities. The
Common Vulnerabilities and Exposures Project (http://cve.mitre.org) describes
them in issues CAN-2002-0656, CAN-2002-0657, and CAN-2002-0655. More
information can be found at http://www.openssl.org. The OpenSSL community
has released OpenSSL 0.9.6g as the best known version superseding the OpenSSL
0.9.6e release that was identified in the CVE report.
mod_ssl 2.8.10
MM 1.2.1 version upgrade fixes certain known vulnerabilities. Before 1.2.0, OSSP mm
library (libmm) allowed the local Apache user to gain privileges via temporary files,
possibly via a symbolic link. More details can be found in the issue CAN-2002-0658
at http://cve.mitre.org.
Updated for September 2002
HP Apache version 1.3.26.03 is principally a security-fix, bug-fix, and version-upgrade
release.
This release has upgraded to PHP 4.2.2 from 4.2.1 in previous HP Apache 1.3.26
releases. PHP 4.2.2 contains the security fix to correct POST vulnerabilities in PHP
versions 4.2.0 and 4.2.1. For more information see:
http://www.php.net/release_4_2_2.php.
Apache 1.3.26 addresses and fixes the issue regarding a remotely exploitable
vulnerability in handling of large data chunks as noted in the following security
bulletins:
http://itrc.hp.com/ Log in and search for HPSBUX0207-197 in Technical
Documents. If you do not have a login, follow the easy registration steps.
http://cve.mitre.org/ Search for CAN-2002-0392.
http://www.cert.org/advisories/CA-2002-17.html
This release is a version update for the following HP Apache components:
Apache base 1.3.26
Tomcat 3.3.1
PHP 4.2.2
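
An added example (not part of HP's release notes or tooling): a Python check that parses an Apache Server banner and flags components older than the versions these notes name, including OpenSSL letter releases such as 0.9.6e versus 0.9.6g. The sample banners are constructed, and a banner is only a hint, since it can be shortened with the ServerTokens directive.

```python
import re

# Baseline versions named in these release notes (HP Apache 1.3.26.03 / 1.3.26.05).
BASELINE = {
    "Apache": "1.3.26",
    "OpenSSL": "0.9.6g",
    "mod_ssl": "2.8.10",
    "PHP": "4.2.2",
}

# A banner token looks like name/1.2.3 with an optional letter suffix (OpenSSL style).
TOKEN = re.compile(r"([A-Za-z_]+)/(\d+(?:\.\d+)*)([a-z]?)")


def version_key(version):
    """Turn '0.9.6g' into ((0, 9, 6), 'g') so letter releases sort correctly."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def audit_banner(banner):
    """Return {component: (seen_version, status)} for each BASELINE component."""
    seen = {name: num + letter for name, num, letter in TOKEN.findall(banner)}
    report = {}
    for name, minimum in BASELINE.items():
        if name not in seen:
            report[name] = (None, "not advertised")
        elif version_key(seen[name]) < version_key(minimum):
            report[name] = (seen[name], "below baseline")
        else:
            report[name] = (seen[name], "ok")
    return report


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        "Apache/1.3.24 (Unix) mod_ssl/2.8.8 OpenSSL/0.9.6e PHP/4.2.1",
        "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.2",
    ]
    for banner in samples:
        print(banner)
        for name, (seen, status) in audit_banner(banner).items():
            print(f"  {name:8} {seen or '-':8} {status}")
```

MM (libmm) does not appear in the Server banner, so its version has to be checked on the host itself.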