Patch Name: PHSS_31829

Patch Description: s700_800 11.04 Webproxy server 2.0 update

Creation Date: 04/08/06

Post Date: 04/08/26

Hardware Platforms - OS Releases:
    s700: 11.04
    s800: 11.04

Products: HP Webproxy A.02.00

Filesets:
    HP_Webproxy.HPWEB-PX-CORE,fr=A.02.00,fa=HP-UX_B.11.04_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical: No

Category Tags:
    defect_repair enhancement general_release

Path Name: /hp-ux_patches/s700_800/11.X/PHSS_31829

Symptoms:
    PHSS_31829:
    1. SSL-enabled Webproxy server may exhibit unexpected behavior
       in mod_ssl versions prior to 2.8.19.

    PHSS_30949:
    1. Webproxy server may exhibit unexpected behavior for Apache
       versions prior to 1.3.31.
    2. mod_proxy module of Webproxy server may exhibit unexpected
       behavior in Apache versions 1.3.26 to 1.3.31.
    3. SSL-enabled Webproxy server may exhibit unexpected behavior
       in mod_ssl versions prior to 2.8.18.

    PHSS_30650:
    1. SSL-enabled Webproxy server may exhibit unexpected behavior
       for OpenSSL versions prior to 0.9.7d.
    2. When a conditional request is issued to Webproxy and the
       response is a cached 304 (HTTP_NOT_MODIFIED), the response
       content type is set to text/plain even if it is of a
       different content type.
    3. When speedcard is enabled, Webproxy server may not start.

    PHSS_29894:
    1. Webproxy server may exhibit unexpected behavior in versions
       prior to Apache web server 1.3.29.
    2. SSL-enabled Webproxy server may exhibit unexpected behavior
       for OpenSSL versions prior to 0.9.7c.

    PHSS_29547:
    Webproxy server may exhibit unexpected behavior in versions
    prior to Apache web server 1.3.28.

    PHSS_29230:
    1. If Webproxy server is terminated without updating the server
       process id file, subsequent attempts to start the server may
       report that the "server is already running" and the server
       will fail to start.
    2. Webproxy Server does not clean up allocated shared memory
       segment.

    PHSS_27834:
    When a non-root user tries to stop Webproxy server using the
    proxyctl tool, the Webproxy server does not stop.

    PHSS_27656:
    When SSL is enabled Webproxy Server may exhibit unexpected
    behavior.

    PHSS_27441:
    1. Low SSL performance.
    2. The Webproxy server gives an error when MaxClients is
       greater than 256.
    3. The proxyctl binary dumps core when used to start Webproxy.
    4. The Webproxy server exhibits unexpected behavior for some
       absolute URI GET requests.
    5. Webproxy Server may exhibit unexpected behavior.

Defect Description:
    PHSS_31829:
    1. SSL-enabled Webproxy server may exhibit unexpected behavior
       for mod_ssl versions prior to 2.8.19.

    Resolution:
    1. Migrated mod_ssl version of Webproxy server to 2.8.19.

    PHSS_30949:
    1. Webproxy server may exhibit unexpected behavior for Apache
       versions prior to 1.3.31.
    2. mod_proxy module of Webproxy server may exhibit unexpected
       behavior in Apache versions 1.3.26 to 1.3.31.
    3. SSL-enabled Webproxy server may exhibit unexpected behavior
       for mod_ssl versions prior to 2.8.18.

    Resolution:
    1. Migrated Apache version for Webproxy server from 1.3.29 to
       1.3.31.
    2. Apache provided a patch for the mod_proxy modules that adds
       a check for invalid content length.
    3. Migrated mod_ssl version of Webproxy server to 2.8.18.

    PHSS_30650:
    1. SSL-enabled outside Webproxy server may exhibit unexpected
       behavior for OpenSSL versions prior to 0.9.7d.
    2. In Webproxy, the Content-Type header received from the
       upstream server is filled into the response structure in the
       mod_proxy module even if it receives Content-Type as null.
       When the core module receives null Content-Type from
       mod_proxy, it is set to the default content type, i.e.
       text/plain.
    3. When speedcard is enabled, Webproxy server may not start
       with OpenSSL versions that have RSA blinding turned on.

    Resolution:
    1. Migrated OpenSSL version for Webproxy server to 0.9.7d.
    2. A check for null content type is introduced before filling
       the response structure with the Content-Type header from
       the upstream server.
    3. Rainbow Technologies provided a patch for the OpenSSL
       speedcard encryption library.

    PHSS_29894:
    1. Webproxy server may exhibit unexpected behavior in versions
       prior to Apache web server 1.3.29.
    2. SSL-enabled Webproxy server may exhibit unexpected behavior
       for OpenSSL versions prior to 0.9.7c.

    Resolution:
    1. Migrated Apache version for Webproxy server from 1.3.28 to
       1.3.29.
    2. Migrated OpenSSL version for Webproxy server from 0.9.6j to
       0.9.7c.

    PHSS_29547:
    Webproxy server may exhibit unexpected behavior in versions
    prior to Apache server 1.3.28.

    Resolution:
    Migrated Webproxy server from Apache server version 1.3.19 to
    1.3.28.

    PHSS_29230:
    1. During some system operations, Webproxy server is not
       cleanly stopped. As a result, the file associated with the
       server may contain a process identifier that, upon
       subsequent server startup, is associated with a process
       other than the server. Attempts to start the Webproxy
       server fail and give a "server is already running" error.
    2. Webproxy Server does not clean up allocated shared memory
       segment.

    Resolution:
    1. The proxyctl program will perform a check to see if the
       process identifier in the Webproxy server pid file belongs
       to a Webproxy process before declaring that the server is
       already running.
    2. Dynamic memory is used instead of shared memory segment.

    PHSS_27834:
    When a non-root user uses the proxyctl tool to stop the
    Webproxy server, the file '/opt/vvproxy/bin/apachectl' is not
    accessible and hence the Webproxy server could not be stopped.

    Resolution:
    The required privilege is set in the proxyctl program so that
    the file '/opt/vvproxy/bin/apachectl' is accessible to the
    process.

    PHSS_27656:
    When SSL is enabled Webproxy Server may exhibit unexpected
    behavior.

    Resolution:
    Corrected the Webproxy Server to function as expected.

    PHSS_27441:
    1. When the OpenSSL library is used for encrypting the
       communication, SSL performance is low.
    2. The Webproxy server does not support MaxClients greater
       than 256.
    3. The proxyctl binary had a dependency on the Virtualvault
       vaultWS component. This dependency causes proxyctl to dump
       core when used to start WebProxy.
    4. Specially constructed URIs might be allowed to connect to
       listening inside processes.
    5. Webproxy Server may exhibit unexpected behavior.

    Resolution:
    1. RSA crypto library is integrated for improving the SSL
       performance.
    2. The WebProxy is modified to allow MaxClients to be
       increased to 2048.
    3. The 'proxyctl' binary had a dependency on the Virtualvault
       vaultWS fileset. The dependency has been removed and the
       macros are now defined in WebProxy.
    4. A new directive, VVAllowAbsoluteURI, is created to make the
       propagation of absolute URIs by the Webproxy a configurable
       action.
    5. Corrected the Apache Webproxy Server to function as
       expected.

Enhancement:
    No
    (superseded patches contained enhancements)

    PHSS_29894:
    This patch introduces the support for AES ciphers for Webproxy
    server.

    PHSS_27441:
    This patch integrates BSAFE crypto library for improving SSL
    performance. This patch also introduces a new configuration
    directive to make the propagation of absolute URIs by the
    Webproxy a configurable action.

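The PHSS_29230 resolution above has proxyctl confirm that the PID recorded in the pid file belongs to a Webproxy process before reporting "server is already running". The script below shows that check as an added example; it is not HP's proxyctl code. The function names, the "httpd" process name and the demo pid file are assumptions, and it assumes a POSIX ps that accepts -p and -o comm= (with /proc as a Linux fallback).

```shell
#!/bin/sh
# Added example (not HP's proxyctl code): classify a pid file as
# running / stale / absent before refusing to start a server.

# Print the command name of a live process; fail if it does not exist.
proc_name() {
    _n=$(ps -p "$1" -o comm= 2>/dev/null) ||
        _n=$(cat "/proc/$1/comm" 2>/dev/null) ||   # Linux fallback if ps is unusable
        return 1
    [ -n "$_n" ] || return 1
    printf '%s\n' "${_n##*/}"     # some ps implementations print a full path
}

# pidfile_status FILE EXPECTED_NAME
# Prints "absent", "stale" or "running"; only "running" should block a start.
pidfile_status() {
    _file=$1 _want=$2
    [ -f "$_file" ] || { echo absent; return 0; }
    _pid=$(head -n 1 "$_file" | tr -d '[:space:]')
    case $_pid in
        ''|*[!0-9]*) echo stale; return 0 ;;       # empty or not a number
    esac
    _name=$(proc_name "$_pid") || { echo stale; return 0; }   # no such process
    if [ "$_name" = "$_want" ]; then
        echo running
    else
        echo stale     # PID was reused by an unrelated process
    fi
}

# Constructed demo: a pid file that names this shell, checked against "httpd".
demo=$(mktemp) && echo "$$" > "$demo"
echo "pid $$ recorded, expecting httpd -> $(pidfile_status "$demo" httpd)"
rm -f "$demo"
```

A start script would remove a pid file reported as stale and continue, and refuse to start only on "running".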
SR:
    8606374112 8606367048 8606367047 8606363846 8606322520
    8606312983 8606297400 8606273289 8606272562 8606268847
    8606241929 8606213134 8606205200 8606295989 8606339401
    8606356238 8606355700 8606354848

Patch Files:
    HP_Webproxy.HPWEB-PX-CORE,fr=A.02.00,fa=HP-UX_B.11.04_32/64,v=HP:
    /opt/vvproxy/libexec/engine/libssl.so
    /etc/auth/system/files.fcdb/25.patches/29894_PHSS.fcdb
    /opt/vvproxy/bin/apachectl
    /opt/vvproxy/bin/httpd.static
    /opt/vvproxy/bin/httpd
    /opt/vvproxy/bin/proxyctl
    /opt/vvproxy/bin/ab
    /opt/vvproxy/bin/htdigest
    /opt/vvproxy/bin/htpasswd
    /opt/vvproxy/bin/logresolve
    /opt/vvproxy/bin/rotatelogs
    /opt/vvproxy/bin/proxyaffinity
    /opt/vvproxy/lib/libmm.sl
    /opt/vvproxy/lib/libmm.sl.12
    /opt/vvproxy/lib/libmm.sl.12.21
    /etc/auth/system/files.fcdb/25.patches/27656_PHSS.fcdb
    /opt/vvproxy/libexec/libhttpd.sl
    /opt/vvproxy/libexec/libhttpd.ep
    /opt/vvproxy/libexec/libssl.so
    /opt/vvproxy/libexec/libproxy.so
    /opt/vvproxy/libexec/mod_access.so
    /opt/vvproxy/libexec/mod_actions.so
    /opt/vvproxy/libexec/mod_alias.so
    /opt/vvproxy/libexec/mod_asis.so
    /opt/vvproxy/libexec/mod_auth.so
    /opt/vvproxy/libexec/mod_autoindex.so
    /opt/vvproxy/libexec/mod_cgi.so
    /opt/vvproxy/libexec/mod_dir.so
    /opt/vvproxy/libexec/mod_env.so
    /opt/vvproxy/libexec/mod_headers.so
    /opt/vvproxy/libexec/mod_imap.so
    /opt/vvproxy/libexec/mod_include.so
    /opt/vvproxy/libexec/mod_log_config.so
    /opt/vvproxy/libexec/mod_mime.so
    /opt/vvproxy/libexec/mod_negotiation.so
    /opt/vvproxy/libexec/mod_rewrite.so
    /opt/vvproxy/libexec/mod_setenvif.so
    /opt/vvproxy/libexec/mod_userdir.so
    /opt/vvproxy/libexec/mod_usertrack.so
    /opt/vvproxy/libexec/speedcard/libssl.so

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHSS_27441 PHSS_27656 PHSS_27834 PHSS_29230 PHSS_29547
    PHSS_29894 PHSS_30650 PHSS_30949

Equivalent Patches:
    PHSS_31830:
    s700: 11.04
    s800: 11.04

Patch Package Size: 4360 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms and
    conditions for precautions, scope of license, restrictions, and
    limitation of liability and warranties, before installing this
    patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Log in as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHSS_31829

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHSS_31829.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHSS_31829. If you do not wish to retain a
    copy of the original software, include the patch_save_files
    option in the swinstall command above:

        -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is installed,
             the patch cannot be deinstalled. Please be careful
             when using this feature.

    For future reference, the contents of the PHSS_31829.text file
    are available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHSS_31829.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHSS_31829.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    PHSS_30949:
    Refer to the ITRC article number CAST040621141235818 for
    information on potential Speedcard crypto accelerator
    inaccessibility problem.

    PHSS_29894:
    Refer to the ITRC article number CAST030722084603738 for
    information on potential Speedcard crypto accelerator
    inaccessibility problem.

    PHSS_27656:
    After patch installation or removal, the Webproxy server must
    be manually restarted.

    PHSS_27441:
    After patch installation or removal, the Webproxy server must
    be manually restarted.

    By default, absolute URI GET requests will no longer be
    automatically propagated by the proxy module. If it is
    necessary to reactivate absolute URIs to the inside network,
    then the directives "ProxyRequests" and "VVAllowAbsoluteURI"
    must both be set to "On" in the Webproxy's configuration file,
    /opt/vvproxy/conf/httpd.conf.