Release Notes
HP-UX Apache-based Web Server B.2.2.15.14
on HP-UX 11i version 2 & 3 for Itanium(R) processor family-based systems
TABLE OF CONTENTS
What's New
Previous Releases
Features
- Secure Socket Layer (SSL)
- Dynamic Shared Objects (DSOs)
- Standard Features in HP-UX Apache-based Web Server
- Utilities
Documentation
Miscellaneous
Known Bugs
Legal Notices
Note: Please refer to /opt/hpws22/LICENSES/ to view HP's license, terms,
and warranty for all components.
For the latest information on all HP-UX Apache-based Web Servers, see
http://www.hp.com/go/webserver
By default, the HP-UX Apache-based Web Server runs under port number 80, while
the secure web server runs under port 443.
WHAT'S NEW
HP-UX Apache-based Web Server B.2.2.15.14:
- Apache upgraded to 2.2.15:
This version fixes the following security vulnerabilities in Apache
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929
Overview of new features in Apache 2.2
Authn/Authz
The bundled authentication and authorization modules have been
refactored. The new mod_authn_alias module can greatly simplify certain
authentication configurations.
Caching
mod_cache, mod_disk_cache, and mod_mem_cache have undergone a lot of
changes, and are now considered production-quality. htcacheclean has
been introduced to clean up mod_disk_cache setups.
Configuration
The default configuration layout has been simplified and modularised.
Configuration snippets which can be used to enable commonly used
features are now bundled with Apache, and can be easily added to
the main server config.
Graceful stop
The prefork, worker and event MPMs now allow httpd to be shut down
gracefully via the graceful-stop signal. The GracefulShutdownTimeout
directive has been added to specify an optional timeout, after which
httpd will terminate regardless of the status of any requests being
served.
Proxying
The new mod_proxy_balancer module provides load balancing services
for mod_proxy. The new mod_proxy_ajp module adds support for the
Apache JServ Protocol version 1.3 used by Apache Tomcat.
Regular Expression Library Updated
Version 5.0 of the Perl Compatible Regular Expression Library (PCRE) is
now included. httpd can be configured to use a system installation of
PCRE by passing the --with-pcre flag to configure.
Smart Filtering
mod_filter introduces dynamic configuration to the output filter chain.
It enables filters to be conditionally inserted, based on any request
or response header or environment variable, and dispenses with the more
problematic dependencies and ordering problems in the 2.0 architecture.
Large File Support
httpd is now built with support for files larger than 2GB on modern
32-bit Unix systems. Support for handling >2GB request bodies has also
been added.
Event MPM
The event MPM uses a separate thread to handle Keep Alive requests and
accept connections. Keep Alive requests have traditionally required
httpd to dedicate a worker to handle them. This dedicated worker could
not be used again until the Keep Alive timeout was reached.
SQL Database Support
mod_dbd, together with the apr_dbd framework, brings direct SQL support
to modules that need it. Supports connection pooling in threaded MPMs.
Module Enhancements
Authn/Authz
Modules in the aaa directory have been renamed and offer better support
for digest authentication.
For example, mod_auth is now split into mod_auth_basic and
mod_authn_file; mod_auth_dbm is now called mod_authn_dbm; mod_access
has been renamed mod_authz_host. There is also a new mod_authn_alias
module for simplifying certain authentication configurations.
mod_authnz_ldap
This module is a port of the 2.0 mod_auth_ldap module to the 2.2
Authn/Authz framework. New features include using LDAP attribute values
and complicated search filters in the Require directive.
mod_authz_owner
A new module that authorizes access to files based on the owner of the
file on the file system.
mod_version
A new module that allows configuration blocks to be enabled based on
the version number of the running server.
mod_info
Added a new ?config argument which will show the configuration
directives as parsed by Apache, including their file name and line
number. The module also shows the order of all request hooks and
additional build information, similar to httpd -V.
mod_ssl
Added support for RFC 2817, which allows connections to upgrade from
clear text to TLS encryption.
mod_imagemap
mod_imap has been renamed to mod_imagemap to avoid user confusion.
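Added example (not part of HP's release notes): a pre-upgrade check that scans
a 2.0-era httpd.conf for the modules renamed above. It flags LoadModule lines,
which fail at startup, and <IfModule mod_X.c> blocks, which Apache skips
silently when the named module is not loaded, so access-control directives
inside them stop applying. It assumes DSO files are named mod_<name>.so; the
sample configuration is constructed.

```python
import re

# Old 2.0 module -> 2.2 replacement(s), exactly as listed in these notes.
RENAMED = {
    "mod_auth": ["mod_auth_basic", "mod_authn_file"],
    "mod_auth_dbm": ["mod_authn_dbm"],
    "mod_access": ["mod_authz_host"],
    "mod_auth_ldap": ["mod_authnz_ldap"],
    "mod_imap": ["mod_imagemap"],
}

# LoadModule <identifier> <path/to/mod_name.so>
LOADMODULE = re.compile(r'^\s*LoadModule\s+\S+\s+(\S+)', re.IGNORECASE)
# <IfModule mod_name.c> or <IfModule !mod_name.c>
IFMODULE = re.compile(r'^\s*<IfModule\s+!?"?([^\s">]+)"?\s*>', re.IGNORECASE)


def _stem(name):
    """'modules/mod_auth.so' or 'mod_auth.c' -> 'mod_auth'."""
    base = name.strip('"').rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0]


def audit(conf_text):
    """Return (line number, directive, old module, replacements) tuples."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inert
        for kind, pattern in (("LoadModule", LOADMODULE),
                              ("IfModule", IFMODULE)):
            m = pattern.match(line)
            if not m:
                continue
            old = _stem(m.group(1))
            if old in RENAMED:
                findings.append((lineno, kind, old, RENAMED[old]))
    return findings


def report(conf_text):
    """Human-readable findings, one string per affected line."""
    out = []
    for lineno, kind, old, new in audit(conf_text):
        if kind == "LoadModule":
            why = "module no longer shipped; server will not start"
        else:
            why = "block is skipped silently; enclosed directives not applied"
        out.append("line %d: %s %s -> %s (%s)"
                   % (lineno, kind, old, " + ".join(new), why))
    return out


# Constructed sample of a configuration carried over from Apache 2.0.
SAMPLE_CONF = """\
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
# LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule imap_module modules/mod_imap.so
LoadModule authz_host_module modules/mod_authz_host.so
<IfModule mod_access.c>
    Order deny,allow
    Deny from all
</IfModule>
"""

if __name__ == "__main__":
    for entry in report(SAMPLE_CONF):
        print(entry)
```

After fixing the flagged lines, httpd -t and the new -M option described below
confirm that the configuration parses and which modules are actually loaded.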
Program Enhancements
httpd
A new command line option -M has been added that lists all modules that
are loaded based on the current configuration. Unlike the -l option,
this list includes DSOs loaded via mod_so.
httxt2dbm
A new program used to generate dbm files from text input, for use in
RewriteMap with the dbm map type.
Module Developer Changes
APR 1.0 API
Apache 2.2 uses the APR 1.0 API. All deprecated functions and symbols
have been removed from APR and APR-Util.
Authn/Authz
The bundled authentication and authorization modules have been renamed
along the following lines:
* mod_auth_* -> Modules that implement an HTTP authentication mechanism
* mod_authn_* -> Modules that provide a backend authentication provider
* mod_authz_* -> Modules that implement authorization (or access)
* mod_authnz_*-> Module that implements both authentication &
authorization
There is a new authentication backend provider scheme which greatly
eases the construction of new authentication backends.
Connection Error Logging
A new function, ap_log_cerror, has been added to log errors that occur
with the client's connection. When logged, the message includes the
client IP address.
Test Configuration Hook Added
A new hook, test_config, has been added to aid modules that want to
execute special code only when the user passes -t to httpd.
Set Threaded MPM's Stacksize
A new directive, ThreadStackSize, has been added to set the stack size
on all threaded MPMs. This is required for some third-party modules on
platforms with small default thread stack size.
Protocol handling for output filters
In the past, every filter has been responsible for ensuring that it
generates the correct response headers where it affects them. Filters
can now delegate common protocol management to mod_filter, using the
ap_register_output_filter_protocol or ap_filter_protocol calls.
Monitor hook added
The monitor hook enables modules to run regular/scheduled jobs in the
parent (root) process.
Regular expression API changes
The pcreposix.h header is no longer available; it is replaced by the
new ap_regex.h header. The POSIX.2 regex.h implementation exposed by
the old header is now available under the ap_ namespace from ap_regex.h.
Calls to regcomp, regexec and so on can be replaced by calls to
ap_regcomp, ap_regexec.
DBD Framework (SQL Database API)
With Apache 1.x and 2.0, modules requiring an SQL backend had to take
responsibility for managing it themselves. Apart from reinventing the
wheel, this can be very inefficient, for example when several modules
each maintain their own connections.
Apache 2.1 and later provides the ap_dbd API for managing database connections
(including optimised strategies for threaded and unthreaded MPMs), while
APR 1.2 and later provides the apr_dbd API for interacting with the database.
New modules SHOULD now use these APIs for all SQL database operations.
Existing applications SHOULD be upgraded to use them where feasible,
either transparently or as a recommended option to their users.
Dependencies
- mod_auth_kerb module depends on D.1.6.2 Kerberos client and later.
- mod_perl depends on perl D.5.8.8.D version.
- Apache2.2.x depends on Openssl A.00.09.08n.011 for HP-UX 11i v2 version and later.
- Apache2.2.x depends on Openssl A.00.09.08n.012 for HP-UX 11i v3 version and later.
PREVIOUS RELEASES
HP-UX Apache-based Web Server B.2.2.15.13:
- Apache upgraded to 2.2.15:
This version fixes the following security vulnerabilities in Apache
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4153
HP-UX Apache-based Web Server B.2.2.15.12:
- Apache upgraded to 2.2.15:
This version fixes the following security vulnerabilities in Apache
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607
- Bug Fixes
Server setup with wp_create cannot be started as modules cannot be found.
Install creates links in /var/jail/wp_interent/opt/hpws22/apache/htdocs directory.
Improved fix for CVE-2011-3192, which further fixes the handling of byte-range requests, where a range of '0-' will now return 206 instead
of 200.
HP-UX Apache-based Web Server B.2.2.15.11:
- Apache upgraded to 2.2.15:
This version fixes the following security vulnerabilities in PHP 5.2.17
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7243
HP-UX Apache-based Web Server B.2.2.15.10:
- Apache upgraded to 2.2.15:
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1148
- PHP upgraded to 5.2.17 to fix security vulnerabilities
More details at
http://www.php.net/ChangeLog-5.php#5.2.17
- Bug Fix
Potential pattern expansion problem when mod_proxy and mod_rewrite are used together.
(CVE-2011-3368, CVE-2011-3639, CVE-2011-4317)
HP-UX Apache-based Web Server B.2.2.15.09:
- Apache upgraded to 2.2.15:
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3348
- Bug Fixes:
Improved fix for CVE-2011-3192, which further fixes the handling of byte-range requests to use less memory,
to avoid denial of service.
HP-UX Apache-based Web Server B.2.2.15.08:
- Apache upgraded to 2.2.15:
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419
- Bug Fixes:
Apache crashes with mod_auth_kerb modules.
HP-UX Apache-based Web Server B.2.2.15.07:
- Apache upgraded to 2.2.15:
- Bug Fixes:
SMH issue (Unsatisfied code symbol) during Apache version upgrade resolved.
Note: It is recommended to use mod_jk instead of mod_jk2 as Apache Tomcat connector.
HP-UX Apache-based Web Server B.2.2.15.05:
- Apache upgraded to 2.2.15:
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
- Bug Fixes:
Apache gets Segmentation fault coredump in buffer_write() function
Apache gets Segmentation fault coredump in apr_bucket_alloc() function
Secure client renegotiations are not accepted correctly
Apache gives child pid exit signal Bus error (10)
SSLInsecureRenegotiation option is not working correctly
Note: HP Apache 2.2 uses "SSLRenegBufferSize" directive instead of the earlier directive "SSLMaxIOBuffer"
used by HP Apache 2.0 for defining the size for the SSL renegotiation buffer.
Additional features
- SSLRenegBufferSize directive used to configure the size of the SSL IO Buffer in mod_ssl instead of SSLMaxIOBuffer.
HP-UX Apache-based Web Server B.2.2.15.03:
- Apache upgraded to 2.2.15:
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452
- Bug Fixes:
QXCR1001061071: ScriptMultipleDaemons directive doesn't work correctly in HP Apache 2.2
- PHP upgraded to 5.2.13 to fix security vulnerabilities
More details at
http://www.php.net/ChangeLog-5.php#5.2.13
Additional features
- New option "NoSessionIdContext" in "SSLOptions" directive has been
added to fix the problem where "inactive" option in "SSLSessionCacheTimeout"
directive doesn't show expected behavior for Netscape Browser, while using
client certificates. This new option "NoSessionIdContext" is not required for
Internet Explorer Browser.
Also extra option "SSLInsecureRenegotiation on" needs to be specified
in Apache configuration file in order for any browser to work with client
certificates for this new option "NoSessionIdContext" in "SSLOptions" directive
with OpenSSL 0.9.8m version and above.
Note: With this new option "NoSessionIdContext", Apache RFC 2817 support,
which allows connections to upgrade from clear text to TLS encryption and Apache
Server Name Indication (SNI) support will not work.
- Added support for mod_tga module.
- Added two new directives CGIScriptTimeoutEnabled and CGIScriptTimeout in mod_cgid
For more information on configuring these new directives refer to,
Apache Admin Guide
- A new directive - ScriptMultipleDaemons has been added to cgid which can be configured to
create multiple cgi daemons to process cgi requests. This improves the performance of mod_cgid.
For more information on configuring this directive refer to,
Apache Admin Guide
- Added a new directive SSLMaxIOBuffer to configure the size of the SSL IO Buffer in mod_ssl
- mod_auth_kerb module upgraded to Version 5.3
- A new Directive "KrbAppendRealm" has been added to mod_auth_kerb module, which strips the domain name (@domain)
from the user name
- Introduced new module called mod_auth_xradius(0.4.6) to authenticate against a RADIUS server.
Dependencies
- mod_auth_kerb module depends on D.1.6.2 Kerberos client and later.
- mod_perl depends on perl D.5.8.8.D version.
- Apache2.2.x depends on Openssl A.00.09.08n.011 for HP-UX 11i v2 version and later.
- Apache2.2.x depends on Openssl A.00.09.08n.012 for HP-UX 11i v3 version and later.
HP-UX Apache-based Web Server B.2.2.15.02:
- Apache upgraded to 2.2.15:
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
- Bug Fixes:
QXCR1001070163: SSLSessionCacheTimeout Inactive directive doesn't work in Apache version 2.0.59.12
- PHP upgraded to 5.2.13 to fix security vulnerabilities
More details at
http://www.php.net/ChangeLog-5.php#5.2.13
Additional features
- New option "NoSessionIdContext" in "SSLOptions" directive has been
added to fix the problem where "inactive" option in "SSLSessionCacheTimeout"
directive doesn't show expected behavior for Netscape Browser, while using
client certificates. This new option "NoSessionIdContext" is not required for
Internet Explorer Browser.
Also extra option "SSLInsecureRenegotiation on" needs to be specified
in Apache configuration file in order for any browser to work with client
certificates for this new option "NoSessionIdContext" in "SSLOptions" directive
with OpenSSL 0.9.8m version and above.
Note: With this new option "NoSessionIdContext", Apache RFC 2817 support,
which allows connections to upgrade from clear text to TLS encryption and Apache
Server Name Indication (SNI) support will not work.
- Added support for mod_tga module.
- Added two new directives CGIScriptTimeoutEnabled and CGIScriptTimeout in mod_cgid
For more information on configuring these new directives refer to,
Apache Admin Guide
- A new directive - ScriptMultipleDaemons has been added to cgid which can be configured to
create multiple cgi daemons to process cgi requests. This improves the performance of mod_cgid.
For more information on configuring this directive refer to,
Apache Admin Guide
- Added a new directive SSLMaxIOBuffer to configure the size of the SSL IO Buffer in mod_ssl
- mod_auth_kerb module upgraded to Version 5.3
- A new Directive "KrbAppendRealm" has been added to mod_auth_kerb module, which strips the domain name (@domain)
from the user name
- Introduced new module called mod_auth_xradius(0.4.6) to authenticate against a RADIUS server.
Dependencies
- mod_auth_kerb module depends on D.1.6.2 Kerberos client and later.
- mod_perl depends on perl D.5.8.8.D version.
- Apache2.2.x depends on Openssl A.00.09.08n.011 for HP-UX 11i v2 version and later.
- Apache2.2.x depends on Openssl A.00.09.08n.012 for HP-UX 11i v3 version and later.
HP-UX Apache-based Web Server B.2.2.15.01:
- Apache upgraded to 2.2.15:
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
- Bug Fixes:
QXCR1001049547:Apache 2.2 to work with OpenSSL 0.9.8
- PHP upgraded to 5.2.13 to fix security vulnerabilities
More details at
http://www.php.net/ChangeLog-5.php#5.2.13
Additional features
- Added support for mod_tga module.
- Added two new directives CGIScriptTimeoutEnabled and CGIScriptTimeout in mod_cgid
For more information on configuring these new directives refer to,
Apache Admin Guide
- A new directive - ScriptMultipleDaemons has been added to cgid which can be configured to
create multiple cgi daemons to process cgi requests. This improves the performance of mod_cgid.
For more information on configuring this directive refer to,
Apache Admin Guide
- Added a new directive SSLMaxIOBuffer to configure the size of the SSL IO Buffer in mod_ssl
- mod_auth_kerb module upgraded to Version 5.3
- A new Directive "KrbAppendRealm" has been added to mod_auth_kerb module, which strips the domain name (@domain)
from the user name
- Introduced new module called mod_auth_xradius(0.4.6) to authenticate against a RADIUS server.
Dependencies
- mod_auth_kerb module depends on D.1.6.2 Kerberos client and later.
- mod_perl depends on perl D.5.8.8.D version.
- Apache2.2.x depends on Openssl A.00.09.08n.011 for HP-UX 11i v2 version and later.
- Apache2.2.x depends on Openssl A.00.09.08n.012 for HP-UX 11i v3 version and later.
HP-UX Apache-based Web Server B.2.2.8.10:
- Apache upgraded to 2.2.8:
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
- PHP upgraded to 5.2.13 to fix security vulnerabilities
More details at
http://www.php.net/ChangeLog-5.php#5.2.13
Additional features
- Added support for mod_tga module.
- Added two new directives CGIScriptTimeoutEnabled and CGIScriptTimeout in mod_cgid
For more information on configuring these new directives refer to,
Apache Admin Guide
- A new directive - ScriptMultipleDaemons has been added to cgid which can be configured to
create multiple cgi daemons to process cgi requests. This improves the performance of mod_cgid.
For more information on configuring this directive refer to,
Apache Admin Guide
- Added a new directive SSLMaxIOBuffer to configure the size of the SSL IO Buffer in mod_ssl
- mod_auth_kerb module upgraded to Version 5.3
- A new Directive "KrbAppendRealm" has been added to mod_auth_kerb module, which strips the domain name (@domain)
from the user name
- Introduced new module called mod_auth_xradius(0.4.6) to authenticate against a RADIUS server.
Dependencies
- mod_auth_kerb module depends on D.1.6.2 Kerberos client and later.
- mod_perl depends on perl D.5.8.8.D version.
- Apache2.2.x depends on Openssl 00.09.07m.021 version and later.
HP-UX Apache-based Web Server B.2.2.8.09:
- Apache upgraded to 2.2.8:
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
- PHP upgraded to 5.2.6 to fix security vulnerabilities
More details at
http://www.php.net/ChangeLog-5.php#5.2.6
Bug Fixes
QXCR1001020782 - Fix for Apache 2.2.x.x by default sets HPWS22_APACHE_START=1
Additional features
- Added support for mod_tga module.
- Added two new directives CGIScriptTimeoutEnabled and CGIScriptTimeout in mod_cgid
For more information on configuring these new directives refer to,
Apache Admin Guide
- A new directive - ScriptMultipleDaemons has been added to cgid which can be configured to
create multiple cgi daemons to process cgi requests. This improves the performance of mod_cgid.
For more information on configuring this directive refer to,
Apache Admin Guide
- Added a new directive SSLMaxIOBuffer to configure the size of the SSL IO Buffer in mod_ssl
- mod_auth_kerb module upgraded to Version 5.3
- A new Directive "KrbAppendRealm" has been added to mod_auth_kerb module, which strips the domain name (@domain)
from the user name
- Introduced new module called mod_auth_xradius(0.4.6) to authenticate against a RADIUS server.
Dependencies
- mod_auth_kerb module depends on D.1.6.2 Kerberos client and later.
- mod_perl depends on perl D.5.8.8.D version.
- Apache2.2.x depends on Openssl 00.09.07m.021 version and later.
HP-UX Apache-based Web Server B.2.2.8.06:
- Apache upgraded to 2.2.8:
This version fixes the following security vulnerabilities
- PHP upgraded to 5.2.6 to fix security vulnerabilities
More details at
http://www.php.net/ChangeLog-5.php#5.2.6
Bug Fixes
- Replace mkstmp with tmpnum in MOD_AUTH_KERB
Additional features
- Added support for mod_tga module.
- Added two new directives CGIScriptTimeoutEnabled and CGIScriptTimeout in mod_cgid
For more information on configuring these new directives refer to,
Apache Admin Guide
- A new directive - ScriptMultipleDaemons has been added to cgid which can be configured to
create multiple cgi daemons to process cgi requests. This improves the performance of mod_cgid.
For more information on configuring this directive refer to,
Apache Admin Guide
- Added a new directive SSLMaxIOBuffer to configure the size of the SSL IO Buffer in mod_ssl
- mod_auth_kerb module upgraded to Version 5.3
- A new Directive "KrbAppendRealm" has been added to mod_auth_kerb module, which strips the domain name (@domain)
from the user name
- Introduced new module called mod_auth_xradius(0.4.6) to authenticate against a RADIUS server.
Dependencies
- mod_auth_kerb module depends on D.1.6.2 Kerberos client and later.
- mod_perl depends on perl D.5.8.8.D version.
- Apache2.2.x depends on Openssl 00.09.07m.021 version and later.
HP-UX Apache-based Web Server B.2.2.8.05:
- Apache upgraded to 2.2.8:
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023
- PHP upgraded to 5.2.6 to fix security vulnerabilities
More details at
http://www.php.net/ChangeLog-5.php#5.2.6
- mod_jk upgraded to 1.2.23, the following security flaws were addressed
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860
Bug Fixes
- Fixed ftp.sl to support ftp socket functions like ftp_put() & ftp_get().
- Fixed ftp.sl to resolve Segmentation fault when using "ftp_mdtm" with PHP.
- mod_auth_kerb: Fix a SIGBUS that occurs when used with KRBCLIENT 1.6.2.
Additional features
- Added support for mod_tga module.
- Added two new directives CGIScriptTimeoutEnabled and CGIScriptTimeout in mod_cgid
For more information on configuring these new directives refer to,
Apache Admin Guide
- A new directive - ScriptMultipleDaemons has been added to cgid which can be configured to
create multiple cgi daemons to process cgi requests. This improves the performance of mod_cgid.
For more information on configuring this directive refer to,
Apache Admin Guide
- Added a new directive SSLMaxIOBuffer to configure the size of the SSL IO Buffer in mod_ssl
- mod_auth_kerb module upgraded to Version 5.3
- A new Directive "KrbAppendRealm" has been added to mod_auth_kerb module, which strips the domain name (@domain)
from the user name
- Introduced new module called mod_auth_xradius(0.4.6) to authenticate against a RADIUS server.
Dependencies
- mod_auth_kerb module depends on D.1.6.2 Kerberos client and later.
- mod_perl depends on perl D.5.8.8.D version.
- Apache2.2.x depends on Openssl 00.09.07m.021 version.
This information is related to Apache 2.0 release
- Apache upgraded to 2.0.64
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
- Bug Fixes:
Apache gives child pid exit signal Bus error (10)
Apache gets Segmentation fault coredump in buffer_write() function
Apache gets Segmentation fault coredump in apr_bucket_alloc() function
Secure client renegotiations are not accepted correctly
SSLInsecureRenegotiation option is not working correctly
Additional feature:
- New option "NoSessionIdContext" in "SSLOptions" directive has been added to fix the problem where
"inactive" option in "SSLSessionCacheTimeout" directive doesn't show expected behavior for Netscape Browser,
while using client certificates. This new option "NoSessionIdContext" is not required for Internet Explorer Browser.
- Also extra option "SSLInsecureRenegotiation on" needs to be specified in Apache configuration file in order
for any browser to work with client certificates for this new option "NoSessionIdContext" in "SSLOptions"
directive with OpenSSL 0.9.8m version and above.
- Note: With this new option "NoSessionIdContext", Apache RFC 2817 support, which allows connections
to upgrade from clear text to TLS encryption and Apache Server Name Indication (SNI) support will not work.
Note: HP-UX Apache-based Web Server v.2.x powered by Apache Tomcat Webmin ends support starting April 01, 2011
Between now and end of March 2011, the HP-UX Apache-based Web Server v.2.x powered by Apache Tomcat Webmin releases will
only consist of fixes to critical defects. Starting April 01, 2011, the HP-UX Apache-based Web Server v.2.x powered by
Apache Tomcat Webmin will no longer be supported by HP.
It is recommended to migrate to the newer Apache bundle "HP-UX Apache-based Web Server v.3.x powered by Apache Tomcat
Webmin".
http://www.hp.com/softwarereleases/releases-media2/notices/082010Apache.pdf
- PHP version 5.2.13 upgraded to fix security vulnerabilities
More details at http://www.php.net/ChangeLog-5.php#5.2.6
- OpenSSL upgraded to 0.9.8n
Dependencies
- mod_perl depends on perl version D.5.8.8.D or higher.
- mod_auth_kerb depends on D.1.6.2 or later Kerberos client. (On 11.11 Kerberos V5 Client Version 1.3.5.06)
- hpuxwsApache 11.11 binary has a runtime dependency on the following patches.
- PHCO_36184 ( libc cumulative patch )
- PHSS_37517 ( ld and linker tools cumulative patch )
- PHSS_33946 ( HP aC++ -AA runtime libraries (aCC A.03.85) )
PREVIOUS RELEASES
- Apache upgraded to 2.0.63
- PHP version 5.2.13 upgraded to fix security vulnerabilities
More details at http://www.php.net/ChangeLog-5.php#5.2.6
- OpenSSL upgraded to 0.9.8n
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0434
Dependencies
- mod_perl depends on perl version D.5.8.8.D or higher.
- mod_auth_kerb depends on D.1.6.2 or later Kerberos client. (On 11.11 Kerberos V5 Client Version 1.3.5.06)
- hpuxwsApache 11.11 binary has a runtime dependency on the following patches.
- PHCO_36184 ( libc cumulative patch )
- PHSS_37517 ( ld and linker tools cumulative patch )
- PHSS_33946 ( HP aC++ -AA runtime libraries (aCC A.03.85) )
Enhancements
- The "SSL Configuration" section in SSL Admin Guide has been updated with the information to use
HP-UX Apache-based Web Server with SSL and Tomcat-based Servlet Engine.
For more information on configuring this directive refer to,
SSL Admin Guide
This release of HP-UX Apache-based Server is primarily a security and
bug fix release.
- Apache upgraded to 2.0.59
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863
- Tomcat
This version fixes the following security vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333
- PHP upgraded to 5.2.6 to fix security vulnerabilities
More details at http://www.php.net/ChangeLog-5.php#5.2.6
This version fixes the following security vulnerabilities:
- Fixed possible stack buffer overflow in FastCGI SAPI.
- Properly address incomplete multibyte chars inside escapeshellcmd()
- Fixed security issue detailed in CVE-2008-0599.
- Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
- Upgraded PCRE to version 7.6
- mod_jk upgraded to 1.2.23, the following security flaws were addressed
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1860
Bug Fixes
- This version will fix the bugs listed in http://www.php.net/ChangeLog-5.php#5.2.6
- Problem where httpd consumes 100% CPU and stops responding with dbm Cache enabled is fixed
- Fixed incorrect path to librt library which was causing PHP binary to crash
- A http request with OPTIONS method including cgi path does not execute the cgi script now
- Fixed httpd crashes with SIGBUS/SIGSEGV errors when using mod_ssl with client certificates
- mod_cgid looping in the accept() call returning ECONNABORT has been fixed
- apachectl script of the webproxy instance is not overwritten during an upgrade
- Fixed unresolved symbol issues while loading mod_auth_kerb module on 11.11
This release of HP-UX Apache-based Server is primarily a security and
bug fix release.
- The following security vulnerabilities have been fixed in this release.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969
- PHP upgraded to 5.2.0
- PHP extension, oci8 upgraded to 1.2.2
- Added support for 64bit MySQL extension
- Added a new PHP extension, SOAP.
- OpenSSL upgraded to 0.9.8d
- mod_perl supports perl 5.8.8
- mod_jk upgraded to 1.2.19
- Bug Fixes
- CGI process does not get terminated on graceful restart.
- httpd's size does not get larger on a graceful restart.
- Large POST message handled by cgid daemon.
- Apachectl of webproxy not corrupted on an upgrade.
- mod_perl returns 404 not found if a page is not found instead of 200 OK.
- cgid restarts on killing it in Chroot environment.
- php has IPV6 enabled.
- Apache on using ldap does not cause a Segmentation fault.
- pwck does not throw errors for users of Apache.
- Reverse proxy does not cause high CPU utilization.
- Included fix for Apache bug #12355.
This release of HP-UX Apache-based Server is primarily a security and
bug fix release.
- Apache upgraded to 2.0.58
The following security vulnerabilities have been fixed in this release.
mod_rewrite: Fix an off-by-one security problem in the ldap scheme
handling. For some RewriteRules this could lead to a pointer being
written out of bounds. Reported by Mark Dowd of McAfee Avert Labs.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747
mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost
with access control and a custom error 400 error page, allows remote
attackers to cause a denial of service (application crash) via a
non-SSL request to an SSL port, which triggers a NULL pointer dereference.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3357
Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache
httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows
remote attackers to inject arbitrary web script or HTML via the Referer
when using image maps.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352
- mod_perl supports perl 5.8.7
- mod_jk upgraded to 1.2.15
- mod_jk2 upgraded to 2.0.5
- PHP extension, oci8 upgraded to 1.1
- Bug Fixes
Added a new Apache module, mod_auth_kerb.
Added a new PHP extension, openssl.
Added OCSP support for mod_ssl.
auth_ldap is no longer shipped with HP-UX Web Server Suite.
mod_perl fixed to display the entire process name on inclusion of
<Perl> directive in the configuration file.
Openldap fixed to prevent core dump on loading and unloading of
ldap.sl, a PHP extension.
mod_jk2 now recognizes ipv6 addresses.
The PHP extension pgsql.sl now links to the latest version of
libpq.
Running multiple instances of Apache has been documented.
libtool fixed to not refer to /CLO/BUILD_ENV.
SSL admin guide updated with the updatecrl option.
mod_ssl doesn't conflict with RSA's sslc library.
The correct version of Openssl binary is now displayed on the command prompt.
This release of HP-UX Apache-based Server is primarily a security and
bug fix release.
- The following security vulnerabilities have been fixed in this release.
The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5,
when register_globals is enabled, allows remote attackers to modify
the GLOBALS array and bypass security protections of PHP applications via
a multipart/form-data POST request with a "GLOBALS" fileupload field.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390
The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h
and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING
option, disables a verification step that is required for preventing
protocol version rollback attacks, which allows remote attackers to force
a client and server to use a weaker protocol than needed via a man-in-the-middle
attack.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
- Bug Fixes
Apache is fixed to solve the problem of Content-Length header not being present
in HEAD response when used as a front-end server
mod_perl fixed to honor Perl's $| "OUTPUT_AUTOFLUSH" for STDOUT
Apache is fixed to stop without errors in Chrooted environment
mod_proxy is fixed to solve the problem of data loss with httpd-2.0.55
reverse proxy method=post.
This release of HP-UX Apache-based Web Server is a security and bug fix release.
- Apache upgraded to 2.0.55
The following security vulnerabilities have been fixed in this release.
Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions
(PCRE) before 6.2, as used in multiple products such as Python, allows
attackers to execute arbitrary code via quantifier values in regular
expressions, which leads to a heap-based buffer overflow.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2491
Off-by-one error in the mod_ssl Certificate Revocation List (CRL)
verification callback in Apache, when configured to use a CRL, allows
remote attackers to cause a denial of service (child process crash) via
a CRL that causes a buffer overflow of one null byte.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1268
The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers
to cause a denial of service (memory consumption) via an HTTP header with
a large Range field.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2728
Apache 2.0.45 and 1.3.29, when acting as an HTTP proxy, allows remote
attackers to poison the web cache, bypass web application firewall protection,
and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked"
header and a Content-Length header, which causes Apache to incorrectly handle
and forward the body of the request in a way that causes the receiving server
to process it as a separate HTTP request, aka "HTTP Request Smuggling."
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088
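A check for the ambiguous framing described in the last item, as an added example (not HP or Apache code): it parses a raw request head and reports when both a Transfer-Encoding and a Content-Length header are present. It goes slightly beyond that case by also reporting conflicting or non-numeric Content-Length values, which create the same ambiguity. The function names and the sample requests are constructed for this illustration.

```python
"""Flag HTTP/1.1 requests whose body framing is ambiguous.

Added illustration, not HP or Apache code. Function names and the sample
requests are constructed for this example.
"""


def parse_head(raw: bytes):
    """Return (request_line, [(name, value), ...]) from a raw request."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:
            # Folded continuation line: append it to the previous value.
            name, value = headers[-1]
            folded = value + " " + line.decode("latin-1").strip()
            headers[-1] = (name, folded.strip())
            continue
        name, _, value = line.partition(b":")
        headers.append((name.decode("latin-1"), value.decode("latin-1").strip()))
    return lines[0].decode("latin-1"), headers


def framing_findings(raw: bytes):
    """Return the reasons (possibly none) the body length is ambiguous."""
    _, headers = parse_head(raw)
    # Match names case-insensitively and tolerate stray whitespace.
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.strip().lower() == "content-length"]

    findings = []
    if te and cl:
        # The case from the release note: two hops may each trust a
        # different header and disagree on where the request ends.
        findings.append("te-and-cl")

    # Repeated or comma-joined lengths are only unambiguous if identical.
    cl_values = [part.strip() for value in cl for part in value.split(",")]
    if len(set(cl_values)) > 1:
        findings.append("conflicting-content-length")
    if any(not (part.isascii() and part.isdigit()) for part in cl_values):
        findings.append("invalid-content-length")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain-post": (
        b"POST /app HTTP/1.1\r\nHost: www.example.test\r\n"
        b"Content-Length: 5\r\n\r\nhello"
    ),
    "chunked-only": (
        b"POST /app HTTP/1.1\r\nHost: www.example.test\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
    ),
    "te-and-cl": (
        b"POST /app HTTP/1.1\r\nHost: www.example.test\r\n"
        b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
    ),
    "two-lengths": (
        b"POST /app HTTP/1.1\r\nHost: www.example.test\r\n"
        b"Content-Length: 5\r\nContent-Length: 50\r\n\r\nhello"
    ),
}


def triage(samples):
    """Map each sample name to its list of findings."""
    return {name: framing_findings(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name:14} {'REJECT ' + ', '.join(findings) if findings else 'ok'}")
```

A front end that rejects any request with a non-empty findings list never has to guess which header the next hop will trust.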
- Bug Fixes
Added support for Nested mutexes.
To enable C++ modules, the following 3 lines must be added to the httpd.conf
file, if not present.
For 11iv2 IA 64-bit platforms, the directives to load the standard C++ libraries
are provided.
LoadFile /usr/lib/hpux64/libunwind.so
LoadFile /usr/lib/hpux64/libCsup.so
LoadFile /usr/lib/hpux64/libstd_v2.so
For 11iv2 IA 32-bit platforms, the directives to load the standard C++ libraries
are provided.
LoadFile /usr/lib/hpux32/libunwind.so
LoadFile /usr/lib/hpux32/libCsup.so
LoadFile /usr/lib/hpux32/libstd_v2.so
For all other flavors, the directives to load the classic C++ libraries are
provided.
LoadFile /usr/lib/libCsup.sl
LoadFile /usr/lib/libstream.sl
LoadFile /usr/lib/libstd.sl
NOTE: To use the LoadFile directive, the following patches are required.
For 11iv1:
PHSS_30968 - ld(1) and linker tools cumulative patch
PHSS_32573 - s700_800 11.11 HP aC++ -AA runtime libraries (aCC A.03.61)
For 11.00:
PHSS_30969 s700_800 11.00 ld(1) and linker tools cumulative patch
PHSS_32574 s700_800 11.X HP aC++ -AA runtime libraries (aCC A.03.61)
For 11iv2: No patches are required
Please note that the LoadFile directive must precede the LoadModule
directive for C++ modules.
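A small configuration check for the ordering rule above, as an added example (not part of the HP product): it verifies that the three LoadFile lines for the chosen platform are present, uncommented, and placed before the LoadModule line of a C++ module. The module name cpp_demo_module, the flavor labels and the sample configurations are assumptions made for this illustration; Include files are not followed.

```python
"""Check httpd.conf for the LoadFile-before-LoadModule rule for C++ modules.

Added illustration, not HP code. The flavor labels, the module name
'cpp_demo_module' and the sample configurations are constructed.
"""

# Library paths as listed in the release notes, keyed by a label chosen here.
REQUIRED_LIBS = {
    "11iv2-ia64": [
        "/usr/lib/hpux64/libunwind.so",
        "/usr/lib/hpux64/libCsup.so",
        "/usr/lib/hpux64/libstd_v2.so",
    ],
    "11iv2-ia32": [
        "/usr/lib/hpux32/libunwind.so",
        "/usr/lib/hpux32/libCsup.so",
        "/usr/lib/hpux32/libstd_v2.so",
    ],
    "other": [
        "/usr/lib/libCsup.sl",
        "/usr/lib/libstream.sl",
        "/usr/lib/libstd.sl",
    ],
}


def directives(conf_text):
    """Yield (line_no, directive_lowercased, args) for each active line."""
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment: not an active directive
        parts = stripped.split()
        yield line_no, parts[0].lower(), [p.strip('"') for p in parts[1:]]


def check_cpp_module(conf_text, module_name, flavor):
    """Return a list of problems; an empty list means the rule is satisfied."""
    loadfile_at = {}   # library path -> first line where it is loaded
    module_at = None   # line of the LoadModule for module_name
    for line_no, name, args in directives(conf_text):
        if name == "loadfile":
            for path in args:  # LoadFile accepts several files per line
                loadfile_at.setdefault(path, line_no)
        elif name == "loadmodule" and args and args[0] == module_name:
            if module_at is None:
                module_at = line_no

    if module_at is None:
        return [f"LoadModule {module_name} not found"]

    problems = []
    for lib in REQUIRED_LIBS[flavor]:
        at = loadfile_at.get(lib)
        if at is None:
            problems.append(f"missing LoadFile {lib}")
        elif at > module_at:
            problems.append(
                f"LoadFile {lib} (line {at}) is after "
                f"LoadModule {module_name} (line {module_at})"
            )
    return problems


# Constructed sample configurations.
GOOD_CONF = """\
LoadFile /usr/lib/hpux64/libunwind.so
LoadFile /usr/lib/hpux64/libCsup.so
LoadFile /usr/lib/hpux64/libstd_v2.so
LoadModule cpp_demo_module modules/mod_cpp_demo.so
"""

BAD_CONF = """\
LoadFile /usr/lib/hpux64/libunwind.so
LoadModule cpp_demo_module modules/mod_cpp_demo.so
LoadFile /usr/lib/hpux64/libCsup.so
# LoadFile /usr/lib/hpux64/libstd_v2.so
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_cpp_module(conf, "cpp_demo_module", "11iv2-ia64"))
```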
Note: There is a known problem with mod_perl. mod_perl does not honor
Perl's $| (OUTPUT_AUTOFLUSH) for STDOUT. The fix for this problem could
not be included in this release and will be available in the next release.
Please contact your RCE if you need the fix.
HP-UX Apache-based Web Server A.2.0.54.02:
This release of HP-UX Apache-based Web Server is a bug fix release.
mod_ssl in Apache webserver 2.0.54.00 and earlier, when using
"SSLVerifyClient optional" in the global virtual host configuration,
does not properly enforce "SSLVerifyClient require" in a per-location
context, which allows remote attackers to bypass intended access
restrictions.
The MySQL extension for PHP is provided as an external library on
HP-UX 11i and HP-UX 11iv2 32 bit versions.
HP-UX Apache-based Web Server A.2.0.54.00:
This release of HP-UX Apache-based Web Server is a bug fix release.
- Apache upgraded to 2.0.54
- mod_jk upgraded to 1.2.10
- OpenSSL upgraded to 0.9.7g
- mod_perl supports perl 5.8.3
- PHP upgraded to 5.0.4
HP-UX Apache-based Web Server 2.0.53:
This release of HP-UX Apache-based Web Server is primarily a security and
defect fix release.
- Apache upgraded to 2.0.53
Apache webserver 2.0.52 and earlier allows remote attackers to cause a
denial of service (CPU consumption) via an HTTP GET request with a MIME
header containing multiple lines with a large number of space characters.
More details are available at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942
Added longuname support.
- Added perl 5.8.2 support for mod_perl.
HP-UX Apache-based Web Server 2.0.52:
This release of HP-UX Apache-based Web Server is primarily a security and bug
fix release.
- Apache upgraded to 2.0.52
The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and
earlier allow remote attackers to cause a denial of service (child process
crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test
Tool.
More details are available at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786
Buffer overflow in Apache 2.0.50 and earlier allows local users to gain
apache privileges via a .htaccess file that causes the overflow during
expansion of environment variables.
More details are available at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747
The char_buffer_read function in the mod_ssl module for Apache 2.x, when
using reverse proxying to an SSL server, allows remote attackers to cause
a denial of service (segmentation fault).
More details are available at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751
mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a
denial of service (CPU consumption) by aborting an SSL connection in a way
that causes an Apache child process to enter an infinite loop.
More details are available at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748
The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to
cause a denial of service (child process crash) via a certain sequence of
LOCK requests for a location that allows WebDAV authoring access.
More details are available at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809
Vulnerability in Apache 2.0.51 prevents the merging of the Satisfy
directive, which could allow attackers to obtain access to restricted
resources contrary to the specified authentication configuration.
More details are available at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0811
- mod_perl upgraded to 1.99_16
HP-UX Apache-based Web Server 2.0.50:
This release of HP-UX Apache-based Web Server is primarily a security and bug fix release
with two enhancements.
- Apache upgraded to 2.0.50
A remotely triggered memory leak in http header parsing can allow a denial
of service attack due to excessive memory consumption. [CAN-2004-0493]
More details are available at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493
Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a (trusted)
client certificate subject DN which exceeds 6K in length. [CAN-2004-0488]
More details are available at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
- PHP upgraded to 4.3.8
The memory_limit functionality, under certain conditions such as when
register_globals is enabled, allows remote attackers to execute arbitrary
code by triggering a memory_limit abort during execution of the
zend_hash_init function and overwriting a HashTable destructor pointer
before the initialization of key data structures is complete. [CAN-2004-0594]
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
The strip_tags function does not filter null (\0) characters within tag
names when restricting input to allowed tags, which allows dangerous tags
to be processed by web browsers such as Internet Explorer and Safari, which
ignore null characters and facilitate the exploitation of cross-site
scripting (XSS) vulnerabilities. [CAN-2004-0595]
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595
- Apache(mod_ssl): Extended support for 'RequestHeader' directive
When the Proxy feature is used, the RequestHeader directive can
be used to send any environment variables/values to the backend server.
- Apache(mod_ssl): Support for updating CRL without re-starting the web server
A new option 'updatecrl' was added to apachectl. This new option
allows the Certificate Revocation List to be updated without taking down
the web server.
- Bug fixes:
mod_ssl: Fix a SEGV that occurs when small cache size is specified.
mod_cgi: Fix a hang problem with scripts that used timeouts (ex. ping)
HP-UX Apache-based Web Server 2.0.49.00:
This release of HP-UX Apache-based Web Server is primarily a security and bug
fix release which addresses the following vulnerabilities and problems:
- Apache upgraded to 2.0.49:
Apache does not filter terminal escape sequences from error logs, which
could make it easier for attackers to insert those sequences into terminal
emulators.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
Starvation issue on listening sockets occurs when a short-lived connection
on a rarely-accessed listening socket will cause a child to hold the accept
mutex and block out new connections.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
Memory leak in mod_ssl allows a remote denial of service attack against a
SSL-enabled server by sending plain HTTP requests to the SSL port.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113
Bug fixes:
mod_ssl: Send the "Close Notify" alert message before closing the socket.
mod_ssl: Support for recognizing SSL variables in mod_rewrite.
mod_ssl: Disable extra session caching in OpenSSL to prevent memory leak.
mod_ssl: Changed SSLMutex to use 'pthread' and 'shm' as an option.
Apache : Fix segmentation violation when no Listen directive is specified.
- OpenSSL upgraded to 0.9.7.d
The do_change_cipher_spec function in OpenSSL allows remote attackers to cause
a denial of service via a crafted SSL/TLS handshake that triggers a null
dereference.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
The SSL/TLS handshaking, when using Kerberos ciphersuites, does not properly
check the length of Kerberos tickets during a handshake, which allows
remote attackers to cause a denial of service via a crafted SSL/TLS handshake
that causes an out-of-bounds read.
More details are available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
PKCS7-S/MIME encryption fails with memory fault core dump
- C++ plug-in modules
C++ plug-in modules on IPF should now be built with the Standard C++
runtime libraries. This is a change from previous versions which used
Classic C++ runtime libraries. Plug-ins for PA should continue to use
the Classic C++ runtime libraries. For more information, see the
Apache Admin Guide.
FEATURES
The HP-UX Apache-based Web Server B.2.2.15.14 is a 64-bit product for HP-UX,
based on Apache HTTP Server 2.2 (version 2.2.15) software from the
Apache Software Foundation (ASF). The HP-UX Apache-based Web Server is built
with the "worker" Multi-Processing Module (MPM). This module implements a
hybrid, multi-process, multi-threaded server and provides high scalability
with improved performance.
In the worker MPM a single control process is responsible for launching
child processes. Each child process creates a fixed number of threads as
specified in the ThreadsPerChild directive. The individual threads then
listen for connections and serve them when they arrive. MaxRequestsPerChild
controls how frequently the server recycles processes by killing old ones
and launching new ones. The server adjusts to handle load by increasing or
decreasing the number of processes.
The HP-UX Apache-based Web Server is an HTTP/1.1 compliant server which
implements the latest protocols, including RFC2616. It is precompiled
and preconfigured to run on HP-UX 11i for Itanium(R) Product family-based
products.
Secure Socket Layer (SSL)
The HP-UX Apache-based Web Server is delivered with 128-bit strong encryption
capability. The base Apache HTTP Server includes an SSL module (mod_ssl) to
provide secure communication via the Secure Socket Layer and Transport
Layer Security protocols. The SSL module (mod_ssl) uses the Open Source toolkit
OpenSSL for performing the cryptographic operations. SSL tuning information is
available in the SSL Admin Guide.
SSL connections to the HP-UX Apache-based Web Server use a default dummy server
certificate. Note that you must obtain certificates from authorized agencies
for commercial purposes. After obtaining a certificate, make the necessary
changes in /opt/hpws22/apache/conf/extra/httpd-ssl.conf to use it. The default dummy key
certificate does not include a PEM ENCODED Pass Phrase. The SSL Admin Guide
contains instructions on adding and removing a PEM Pass Phrase for a server key.
By default, the HP-UX Apache-based Web Server runs under port number 80, while
the secure web server runs under port 443.
Dynamic Shared Objects (DSOs)
The HP-UX Apache-based Web Server supports Dynamic Shared Objects (DSO), a
special type of shared library. The HP-UX Apache-based Web Server can load
or unload DSOs as needed. All standard Apache modules are compiled as
DSOs in the HP-UX Apache-based Web Server to provide maximum flexibility.
These can be added or removed dynamically at runtime.
You can customize the HP-UX Apache-based Web Server by writing your own DSOs
using Apache's module APIs. New APIs are available in Apache 2.x over
what was provided in Apache 1.3. Changes were also made to the APIs that
were carried forward from Apache 1.3 to Apache 2.x. For example, many data
types were moved to the Apache Portable Runtime (APR) library. As a result,
Apache 1.3 modules will require some modification for Apache 2.x. Changes
to the Apache API have also occurred since the previous releases of
HP Apache-based Web Server 2.x. Any modules written and compiled for
the previous releases may also need to be reviewed. See the Apache Admin Guide
for more information.
For documentation on developing new Apache 2.x modules and on porting
existing Apache 1.3 modules, please see the Migration guide
HP Apache-based Web Server version 1.3.x to HP-UX Web Server Suite.
Other online resources can be found at http://apr.apache.org and
http://httpd.apache.org/docs-2.0/developer.
Standard Features in HP-UX Apache-based Web Server
SECURITY
Webproxy
Webproxy is a secure reverse proxy solution that can enhance the
security of any application service delivered through a web portal.
It mediates between clients on the Internet and application servers
on the intranet, providing a safe passage for application data between
authenticated users and authorized resources.
Scripts have been provided for easy setup and removal of the webproxy
server. A Chroot jail is automatically created for each server.
Webproxy is installed in /opt/hpws22/apache/webproxy.
Detailed information is included in the
Webproxy Admin Guide
Note: An upgrade from a version of Apache older than 2.0.54.00 to
a version between 2.0.54.00 and 2.0.58.00 will corrupt the apachectl
script of the existing webproxy instances. A further upgrade will
report an error in swagent.log. However, this will not cause any
problem if the webproxy instances are not running on the
machine during the upgrade.
Chroot
Chroot causes the named directory to become the root directory,
the starting point for path searches. A malicious user cannot get
to the root file system. Our chroot includes SSL enhancements.
We include a script, /opt/hpws22/apache/util/chroot_os_cp.sh, that can
be used to copy OS files to your chroot directory.
HP-UX Bastille
HP-UX Bastille is a security hardening/lockdown tool which can be
used to enhance the security of the HP-UX operating system. The
HP-UX Apache-based Web Server fully supports Bastille functionality.
For more information about HP-UX Bastille, search for HP-UX Bastille
at http://www.software.hp.com.
OpenSSL 0.9.7m
OpenSSL is a fully-featured Open Source toolkit implementing
the Secure Sockets Layer and Transport Layer Security protocols
with full-strength cryptography worldwide.
OpenSSL is installed in /opt/hpws22/apache/bin/openssl.
auth_ldap 1.5.4
Auth_ldap is a connector module between Apache and an LDAP directory
server which allows Apache to authenticate HTTP clients by using entries
in an LDAP directory. Auth_ldap supports iPlanet(Netscape) Directory
Server and OpenLDAP Server and can be configured to use the stunnel
program for secure SSL queries to the LDAP server.
More information on setting up auth_ldap and stunnel can be found in
LDAP Admin Guide
mod_authnz_ldap
Mod_authnz_ldap is a connector between Apache and an LDAP directory
server which allows Apache to authenticate HTTP clients by using entries
in an LDAP directory. Mod_auth_ldap supports iPlanet(Netscape) Directory
Server and OpenLDAP Server and can be configured to use the stunnel
program for secure SSL queries to the LDAP server.
More information on setting up mod_authnz_ldap, mod_ldap
(mod_auth_ldap caching module), and stunnel can be found in
LDAP Admin Guide
suEXEC
suEXEC provides the ability to run CGI and SSI programs under user
IDs different from the user ID of the web-server. Normally, a CGI or
SSI program executes as the same user who is running the web server.
For more information, please see: suEXEC Admin Guide
SCRIPTING
mod_perl 1.99.16
mod_perl is an add-on Apache module that glues together the Perl
runtime library, server software and an object-oriented Perl
interface to Apache's C language API. It enables Apache modules
to be written entirely in Perl and improves performance of Perl cgi
scripts. The Prerequisites section in the Apache Admin Guide
contains requirements for mod_perl. mod_perl is still under
development because of its dependency on Apache's API.
PHP 5.2.6
PHP is an HTML embedded, server-side, cross-platform, scripting
language with support for database access.
For more information on PHP, please see PHP Admin Guide
and PHP User Guide.
PHP Extensions
Extensions provide additional functionality for PHP scripting.
These include support for Oracle connectivity, XML parsing,
image manipulation and more.
For more information, please see PHP Admin Guide.
CONTENT MANAGEMENT
FrontPage Server Extensions 2002
FrontPage Server Extensions enable FrontPage authoring on the server.
Entire FrontPage-extended web sites or individual web pages can be
published from a FrontPage client to the server or directly created
and edited on the server itself.
MS FrontPage Support is only available on HP-UX 11.0 and 11i (PA-RISC)
systems. For more information, please see:
Admin Guide for MS FrontPage Support
WebDAV
WebDAV ("Web-based Distributed Authoring and Versioning") is a set
of extensions to the HTTP protocol which allows users to create,
move, copy, and delete resources (files) and collections (directories)
on a remote server. For example, WebDAV can be used to edit HTML files.
This version of Apache provides class 1 and class 2 WebDAV using the
mod_webdav module.
More information on WebDAV is available at http://www.webdav.org/
or in the product FAQ.
IPv6
Provides support for IPv6 and IPv4 protocols for HP-UX 11i version 2.
The emergence of the IPv6 technology will increase the number of
available IP addresses and add many improvements over IPv4.
For more information, please see:
Apache Admin Guide.
GENERAL
MC/ServiceGuard Support
HP-UX Apache-based Web Server is certified with MC/ServiceGuard. A
toolkit that integrates HP-UX Apache with ServiceGuard is available
in the ECMT, version B.02.00. The change to apachectl documented
in the ECMT Release Notes, version B.02.00, in "Problems/Workarounds"
is no longer required with this release of HP-UX Apache. The change
is now incorporated into the HP-UX Apache product.
mod_deflate
This standard Apache module provides a filter to compress content
from your server before sending it to the client. It can also decompress
a gzip-compressed request body.
For more information on mod_deflate requirements, please see:
Apache Admin Guide
apr_shm
apr_shm is a library that abstracts the usage of shared memory on UNIX
platforms. apr_shm support allows the SSLSessionCache directives to
be used in the following manner:
SSLSessionCache shmht:/opt/hpws22/apache/logs/ssl_scache(51200)
SSLSessionCache shmcb:/opt/hpws22/apache/logs/ssl_scache(51200)
51200 represents the size of the shared memory being created and can
be changed based on the system resources. Shmht refers to the hash
table method of session caching and shmcb refers to the circular buffer
method of session caching. Please note that either shmht or shmcb can
be specified.
Apache modules in C++
HP-UX Apache-based Web Server supports loading of Apache modules written
in C++. More information regarding building and using C++ modules can
be found in /opt/hpws22/apache/build/examples/README and in the FAQ under
Troubleshooting - "Why does my C++ module fail to load?".
Automatic Restart of Apache/Tomcat/Webmin
Apache/Tomcat/Webmin can be started automatically on reboot.
More information on customization/configuration of this feature can
be found in Apache Admin Guide.
The Apache product is built with options that provide maximum flexibility to
allow enabling of new modules or disabling of existing modules. The modules
included by default as shared objects with the HP-UX Apache-based Web Server
are listed below. These modules are located in the /opt/hpws22/apache/modules/
directory.
For a detailed description of the standard Apache modules, please see
http://httpd.apache.org/docs-2.0/mod/index.html.
* Modules marked with a "*" were not part of HP Apache-based Web Server 1.3.
auth_ldap
mod_access
mod_actions
mod_alias
mod_asis
mod_auth
mod_auth_anon
mod_auth_dbm
* mod_auth_digest
* mod_auth_ldap
mod_autoindex
* mod_cache
* mod_case_filter
* mod_case_filter_in
mod_cern_meta
mod_cgi
* mod_cgid
* mod_charset_lite
* mod_dav
* mod_dav_fs
* mod_deflate
mod_dir
* mod_disk_cache
mod_env
mod_expires
* mod_ext_filter
* mod_file_cache
* mod_log_forensic
mod_headers
mod_imap
mod_include
mod_info
* mod_jk
* mod_jk2
* mod_ldap
mod_log_config
* mod_mem_cache
mod_mime
mod_mime_magic
mod_negotiation
mod_perl
mod_php4
mod_proxy
* mod_proxy_connect
* mod_proxy_ftp
* mod_proxy_http
mod_rewrite
mod_setenvif
mod_speling
* mod_ssl
mod_status
* mod_suexec
mod_unique_id
mod_userdir
mod_usertrack
mod_vhost_alias
Utilities
The following utilities are part of this product. These are found
in /opt/hpws22/apache/util. For more information on the specific utility,
please see
Apache Utilities User Guide
General Utilities User Guide
altroot.sh
Alternate Root Utility. After installing HP-UX Apache-based Web Server
into the default /opt/hpws22/apache/ directory, this script can be used
to move it into another directory.
cache_util.pl
This interactive utility helps in the creation of cache.conf file for
use with mod_file_cache. Performance of HP-UX Apache-based Web Server
can be improved for serving of static content by using mod_file_cache.
Frequently accessed static files can be pre-loaded into memory and
served directly in order to avoid frequent disk access. Files to be
cached by mod_file_cache are listed in cache.conf file.
chroot_os_cp.sh
Chroot Copy utility. This is a helper script that sets up chroot
by copying typical files used by HP-UX Apache-based Web Server into the
chroot directory. The copied set of files allows demo web pages to run.
A very secure Apache may require some of these files to be deleted. If
you need additional things to be done as part of chroot set-up, you are
encouraged to customize this script for your site.
mkcert.sh
SSL Certificate Generation Utility. This script generates private
keys, certificate signing requests, and certificates for the CA,
server, and client.
ports.sh
Port List Utility. This script lists the ports being configured
by the HP-UX Apache-based Web Server. In this distribution, there are
ports being configured for Apache, Apache(SSL), Tomcat, mod_jk,
Webmin, and LDAP.
DOCUMENTATION
The Release Notes, Admin Guides and User Guides included in this bundle
can be found in /opt/hpws22/hp_docs/apache/ or if your server has been started
with the default configuration, at http://yourserver.com/hp_docs/.
The Migration Guides shipped with the HP-UX Webmin-based Admin can be found at
/opt/hpws22/hp_docs/ or if your server has been started with the default
configuration, at http://yourserver.com/hp_docs/.
The FAQ shipped with the HP-UX Webmin-based Admin can be found at the
following URL if the server was started with the default configuration:
http://yourserver.com/hp_docs/faq/index.html
For the latest information on the HP-UX Apache-based Web Server, including the
most up-to-date version of the FAQ, see
http://www.hp.com/go/webserver/
For the Apache 2.0 User's Manual, see
http://yourserver.com/manual/ (included with the product bundle)
or http://httpd.apache.org/docs-2.0/
For the OpenSSL User's Guide, see
http://www.openssl.org/docs/
For the mod_ssl User's Guide, see
http://www.modssl.org/docs/
For the PHP User's Guide, see
http://www.php.net/docs.php
MISCELLANEOUS
For general information on Apache's HTTP Web Server, see
http://httpd.apache.org/
For general information on mod_perl module, see
http://perl.apache.org/
For the Apache Software Foundation, see
http://www.apache.org/
For general information on PHP, see
http://www.php.net/
For OpenLDAP SDK information and software, see
http://www.openldap.org/
For iPlanet(Netscape) Directory Server on HP-UX, see
http://www.software.hp.com
For information about auth_ldap LDAP authentication module,
http://www.rudedog.org/auth_ldap/
For information about WebDAV,
http://www.webdav.org/
For background information on Bastille,
http://www.bastille-linux.org/
For information about IPv6,
http://www.ipv6.org/
KNOWN BUGS
For known bugs in this release, please see Apache Admin guide.
NOTE
1. Any modules built with Apache 2.0 may not function as expected with Apache 2.2,
and might need to be recompiled using Apache 2.2 libraries.
2. xmltools, which was part of the WSS 2.0 releases, is discontinued starting with
the WSS 3.0 release. We continue to support it under WSS 2.0.
3. Before installing the WSS 3.0 depot, please remove the
WSS 3.0 beta depot if it is already installed.
4. While performing IDT (Installation/Uninstallation) on the 11iv3 platform, the
software spec will be shown as "fa=HP-UX_B.11.23_IA/PA", which can be ignored.
5. MOD_JK2 is officially unsupported by OpenSource.
More details are available at: http://tomcat.apache.org/connectors-doc/news/20041100.html
We will be discontinuing this module from the WSS Suite in 6 months.
6. Altroot.sh may not work as expected. This issue will be addressed in a future release.
***************************************************************************
LEGAL NOTICES
The information in this document is subject to change without notice.
WARRANTY DISCLAIMER
HEWLETT-PACKARD MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
INFORMATION, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard
shall not be liable for errors contained herein or for direct, indirect,
special, incidental or consequential damages in connection with the
furnishing, performance or use of this material.
RESTRICTED RIGHTS LEGEND
Use, duplication or disclosure by the U.S. Government is subject to
restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in
Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD
agencies. Rights for non-DOD U.S. Government Department and Agencies are
as set forth in FAR 52.227-19 (c)(1,2).
COPYRIGHT NOTICES
Copyright 2001-2007 Hewlett-Packard Development Company, L.P.
This document contains information which is protected by copyright.
All Rights Reserved. Reproduction, adaptation, or translation without
prior written permission is prohibited, except as allowed under the
copyright laws.
TRADEMARK NOTICES
UNIX is a registered trademark in the United States and other countries,
licensed exclusively through X/Open Company Limited.
Intel(R) Itanium(TM) Processor Family is a trademark of Intel Corporation
in the U.S. and other countries and is used under license.
Java and all Java-based trademarks and logos are trademarks or
registered trademarks of Sun Microsystems, Inc. in the U.S. and
other countries.
Netscape is a U.S. trademark of Netscape Communications Corporation.
Oracle is a registered U.S. trademark of Oracle Corporation, Redwood City,
California.
Microsoft is a U.S. registered trademark of Microsoft Corporation.
ACKNOWLEDGEMENTS
This product includes software developed by the Apache Software Foundation.
This documentation is based on information from the Apache Software Foundation
(http://www.apache.org).
This product includes software developed by the OpenLDAP Project
(http://www.openldap.org).
This product includes software developed by the OpenSSL Project for use
in the OpenSSL Toolkit (http://www.openssl.org).
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com).
This product includes PHP, freely available from (http://www.php.net).