Patch Name: PHSS_27655 Patch Description: s700_800 11.04 HP Praesidium Webproxy 1.0 server update Creation Date: 02/08/05 Post Date: 02/08/14 Hardware Platforms - OS Releases: s700: 11.04 s800: 11.04 Products: HP Praesidium Webproxy A.01.00 Filesets: PraesWebProxyI.PWEBPROX-CORE,fr=A.01.00,fa=HP-UX_B.11.04_32/64,v=HP Automatic Reboot?: No Status: General Release Critical: No Category Tags: defect_repair enhancement general_release Path Name: /hp-ux_patches/s700_800/11.X/PHSS_27655 Symptoms: PHSS_27655: 1) When SSL is enabled Webproxy Server may exhibit unexpected behavior. PHSS_27440: 1) Webproxy Server may exhibit unexpected behavior. PHSS_26478: 1) The Webproxy immediately propagates all absolute URI GET requests. This allows the user to connect to the inside administration interface through the outside NES proxy server. 2) The Webproxy server gives an error when MaxClients is set greater than 256. 3) The Webproxy exits when the user who started the server logs out. PHSS_24030: 1) Segmentation fault errors found in error.log of inside Apache web server when using virtual hosting to proxy to other servers. 2) Inside server's httpd processes terminate abnormally when using virtual hosting to proxy to other servers. Defect Description: PHSS_27655: When SSL is enabled Webproxy Server may exhibit unexpected behavior. Resolution: Corrected the Webproxy Server to function as expected. PHSS_27440: Webproxy Server may exhibit unexpected behavior. Resolution: Corrected the Apache Webproxy Server to function as expected. PHSS_26478: 1) Specially constructed URIs allow connection to inside administration web server. When the user telnets to the outside webserver with an absolute URI, the outside NES webserver passes the request to the Webproxy. The Webproxy "short circuits" absolute URIs by default, and attempts to contact whatever host is requested. 2) The Webproxy server does not support MaxClients greater than 256. 3) The Webproxy exits when the user, who started the Webproxy via the apachectl script from the command line, logs off of system. Resolution: 1) A new directive is created, VVAllowAbsoluteURI, to make the immediate propagation of absolute URIs by the Webproxy a configurable action. 2) The Webproxy is modified to allow MaxClients to be increased to 2048. 3) A new start executable, proxyctl, has been included to start the Webproxy and allow the user to log out of the system without killing the Webproxy server. PHSS_24030: 1) Attempt to proxy to multiple backend web servers using virtual host functionality results in the Apache web servers shutting down with a segmentation fault. Resolution: 1) The httpd file has been updated to correct this problem and is provided with this patch. This updated httpd file also provides a new version of Apache (1.3.19) with software SSL, as well as shared memory support. Enhancement: No (superseded patches contained enhancements) PHSS_26478: This patch provides a new executable to start the Webproxy and allow the user to log out of the system without killing the Webproxy server. This patch also introduces a new configuration directive to make the propagation of absolute URIs by the Webproxy a configurable action. SR: 8606272562 8606268847 8606241929 8606195226 Patch Files: PraesWebProxyI.PWEBPROX-CORE,fr=A.01.00, fa=HP-UX_B.11.04_32/64,v=HP: /opt/vaultWP/files/loc/C/vaultWP.app_events /opt/vvproxy/bin/httpd /opt/vvproxy/bin/proxyctl /opt/vvproxy/bin/apachectl /opt/vvproxy/bin/ab /opt/vvproxy/bin/htdigest /opt/vvproxy/bin/htpasswd /opt/vvproxy/bin/logresolve /opt/vvproxy/bin/rotatelogs /opt/vvproxy/lib/libmm.sl /opt/vvproxy/lib/libmm.sl.12 /opt/vvproxy/lib/libmm.sl.12.21 /opt/vvproxy/lib/libmm.sl.11 /opt/vvproxy/lib/libmm.sl.11.23 /opt/vvproxy/PUBLIC_LICENSE_INFORMATION /etc/auth/system/files.fcdb/25.patches/24030_PHSS.fcdb /etc/auth/system/files.fcdb/25.patches/26478_PHSS.fcdb /etc/auth/system/files.fcdb/25.patches/27655_PHSS.fcdb what(1) Output: PraesWebProxyI.PWEBPROX-CORE,fr=A.01.00, fa=HP-UX_B.11.04_32/64,v=HP: /opt/vaultWP/files/loc/C/vaultWP.app_events: None /opt/vvproxy/bin/httpd: $Source: src/modules/proxy/mod_proxy.c, vaultWP, vau ltWP_1.0 $ $Date: 02/03/01 14:56:17 $ $Revis ion: 1.3 PATCH_11.04 (PHSS_26478) $ mod_ssl/2.8.2 $Source: src/modules/ssl/ssl_util_table.c, vaultWP, vaultWP_1.0 $ $Date: 02/03/01 16:23:05 $ $Re vision: 1.3 PATCH_11.04 (PHSS_26478) $ $Source: src/main/http_main.c, vaultWP, vaultWP_1.0 $ $Date: 02/03/01 16:25:00 $ $Revision: 1.5 PATCH_11.04 (PHSS_26478) $ $Source: src/main/http_protocol.c, vaultWP, vaultWP_ 1.0 $ $Date: 02/07/05 04:31:43 $ $Revision: 1.3 PATCH_11.04 (PHSS_27440) $ /opt/vvproxy/bin/ab: None /opt/vvproxy/bin/htpasswd: None /opt/vvproxy/bin/logresolve: None /opt/vvproxy/bin/htdigest: None /opt/vvproxy/bin/rotatelogs: None /opt/vvproxy/bin/proxyctl: src/admin/cgi/proxyctl/proxyctl.c, vaultWP, vaultWP_ 1.0 1.4 03/07/02 src/admin/cgi/apache-util/apache-admin.c, vaultWP, v aultWP_1.0 1.6 03/07/02 /opt/vvproxy/bin/apachectl: None /opt/vvproxy/lib/libmm.sl: OSSP mm 1.2.1 (28-Jul-2002) /opt/vvproxy/lib/libmm.sl.12: OSSP mm 1.2.1 (28-Jul-2002) /opt/vvproxy/lib/libmm.sl.12.21: OSSP mm 1.2.1 (28-Jul-2002) /opt/vvproxy/lib/libmm.sl.11: MM 1.1.3 (01-Jul-2000) /opt/vvproxy/lib/libmm.sl.11.23: MM 1.1.3 (01-Jul-2000) /opt/vvproxy/PUBLIC_LICENSE_INFORMATION: None /etc/auth/system/files.fcdb/25.patches/24030_PHSS.fcdb: src/host/24030_PHSS.fcdb, vaultWP, vaultWP_1.0 1.4 0 1/05/18 /etc/auth/system/files.fcdb/25.patches/26478_PHSS.fcdb: 14 1.1 26478_PHSS.fcdb, vaultWP, vaultWP_1.0 03/04 /02 10:11:46 /etc/auth/system/files.fcdb/25.patches/27655_PHSS.fcdb: 64 1.3 src/host/27655_PHSS.fcdb, vaultWP, vaultWP_1. 0 08/09/02 10:34:12 cksum(1) Output: PraesWebProxyI.PWEBPROX-CORE,fr=A.01.00, fa=HP-UX_B.11.04_32/64,v=HP: 2676731692 1068 /opt/vaultWP/files/loc/C/vaultWP.app_events 226882249 3356934 /opt/vvproxy/bin/httpd 3640087537 41035 /opt/vvproxy/bin/proxyctl 3152270837 5668 /opt/vvproxy/bin/apachectl 4216434706 41066 /opt/vvproxy/bin/ab 1939228638 32864 /opt/vvproxy/bin/htdigest 2042550004 114894 /opt/vvproxy/bin/htpasswd 915818328 24637 /opt/vvproxy/bin/logresolve 2550637096 28732 /opt/vvproxy/bin/rotatelogs 2912168635 45194 /opt/vvproxy/lib/libmm.sl 2912168635 45194 /opt/vvproxy/lib/libmm.sl.12 2912168635 45194 /opt/vvproxy/lib/libmm.sl.12.21 2375588202 45194 /opt/vvproxy/lib/libmm.sl.11 2375588202 45194 /opt/vvproxy/lib/libmm.sl.11.23 1332184720 17336 /opt/vvproxy/PUBLIC_LICENSE_INFORMATION 896613431 823 /etc/auth/system/files.fcdb/25.patches/ 24030_PHSS.fcdb 675446738 985 /etc/auth/system/files.fcdb/25.patches/ 26478_PHSS.fcdb 2906585945 719 /etc/auth/system/files.fcdb/25.patches/ 27655_PHSS.fcdb Patch Conflicts: None Patch Dependencies: None Hardware Dependencies: None Other Dependencies: None Supersedes: PHSS_24030 PHSS_26478 PHSS_27440 Equivalent Patches: PHSS_27656: s700: 11.04 s800: 11.04 Patch Package Size: 3720 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHSS_27655 5. Run swinstall to install the patch: swinstall -x autoreboot=true -x patch_match_target=true \ -s /tmp/PHSS_27655.depot By default swinstall will archive the original software in /var/adm/sw/save/PHSS_27655. If you do not wish to retain a copy of the original software, include the patch_save_files option in the swinstall command above: -x patch_save_files=false WARNING: If patch_save_files is false when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. For future reference, the contents of the PHSS_27655.text file is available in the product readme: swlist -l product -a readme -d @ /tmp/PHSS_27655.depot To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHSS_27655.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: After patch installation or removal, the Webproxy server must be manually restarted. The patch PHSS_27655 modifies the Webproxy's configuration file, /opt/vvproxy/conf/httpd.conf. A copy of the previous configuration file is saved to httpd.conf.prePHSS_27655. Previous customization to the original (saved) configuration must be transferred manually to new configuration file. PHSS_27440: The patch PHSS_27440 adds and changes SSL config directives and hence a backup of the httpd.conf is taken up viz httpd.conf.prePHSS_27440. The changes done for SSL config directives should be copied back to the httpd.conf file. PHSS_26478: By default, absolute URI GET requests will no longer be automatically propogated by the proxy module. If it is necessary to reactivate absolute URIs to the inside network, then the directives "ProxyRequests" and "VVAllowAbsoluteURI" most both be set to "On" in the Webproxy's configuration file, /opt/vvproxy/conf/httpd.conf .