This section lists important features and enhancements provided in Web Server 6.1 SP13.
Web Server 6.1 SP12 included NSS 3.12.5, which provided relief, but not resolution, for the SSL/TLS renegotiation vulnerability CVE-2009-3555. To protect Web Server from attack, SP12 also disabled all use of SSL/TLS renegotiation: if either the client or Web Server attempted to renegotiate an existing SSL/TLS session, the connection failed.
Web Server 6.1 SP13 includes NSS 3.12.7, which implements safe renegotiation (the RFC 5746 Renegotiation Indication Extension) and so resolves CVE-2009-3555. As a result, Web Server 6.1 SP13 re-enables SSL/TLS renegotiation. Note that renegotiation is safe only when both peers implement the extension. For more information about Web Server 6.1 SP13 support of NSS and NSPR, see NSS and NSPR Support.
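A quick way to confirm that a deployed server now advertises RFC 5746 secure renegotiation is to read the handshake summary that `openssl s_client` prints. The script below is an added example, not part of these release notes or of the Web Server product; it assumes an `openssl` binary on PATH, and the two sample summaries embedded in it are constructed for illustration.

```python
"""Check whether a TLS server advertises RFC 5746 secure renegotiation.

Added example (not from the Web Server 6.1 SP13 release notes). It shells out
to `openssl s_client`, whose handshake summary reports whether the server sent
the renegotiation_info extension, and classifies that line. The SAMPLE_*
strings are constructed summaries, not captured from a real server.
"""
import subprocess

SECURE = "secure"      # server sent renegotiation_info (RFC 5746)
INSECURE = "insecure"  # server did not; treat renegotiation as unsafe
UNKNOWN = "unknown"    # handshake failed or output not recognised


def classify_renegotiation(s_client_output: str) -> str:
    """Map the 'Secure Renegotiation IS ...' line of s_client output to a verdict."""
    for line in s_client_output.splitlines():
        if line.startswith("Secure Renegotiation IS NOT supported"):
            return INSECURE
        if line.startswith("Secure Renegotiation IS supported"):
            return SECURE
    return UNKNOWN


def probe(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Run openssl s_client against host:port and classify its summary.

    Live network call; requires the openssl command-line tool on PATH.
    Empty stdin makes s_client close the connection right after the handshake.
    """
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"",
        capture_output=True,
        timeout=timeout,
    )
    return classify_renegotiation(proc.stdout.decode("utf-8", "replace"))


# Constructed samples of the relevant s_client summary lines (not real output).
SAMPLE_PATCHED = (
    "SSL-Session:\n"
    "    Protocol  : TLSv1\n"
    "Secure Renegotiation IS supported\n"
    "Compression: NONE\n"
)
SAMPLE_UNPATCHED = (
    "SSL-Session:\n"
    "    Protocol  : TLSv1\n"
    "Secure Renegotiation IS NOT supported\n"
    "Compression: NONE\n"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, probe(target))
```

A server that still reports `IS NOT supported` after the upgrade is either not running the NSS 3.12.7 libraries or is fronted by something that terminates TLS separately; in that state renegotiation should stay disabled.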
As reported in issue 6957507, an HTTP response-splitting and XSS vulnerability was found in earlier Web Server 6.1 releases. Web Server 6.1 SP13 corrects this vulnerability.
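The release notes do not describe the affected code path, so the following is a generic illustration of the response-splitting class rather than the Web Server 6.1 defect itself: an added example, not code from the product. A header value copied verbatim into the response lets an attacker embed CR/LF and append a second, fully attacker-controlled response (here carrying a script, which is how splitting becomes XSS); the hardened builder rejects control characters before they reach the wire. The `INJECTED` value is a constructed attacker input.

```python
"""HTTP response splitting: vulnerable header emission beside a hardened one.

Added, generic example; not the actual Web Server 6.1 bug (issue 6957507),
whose details the release notes do not give. INJECTED is constructed input.
"""

CRLF = "\r\n"


def build_redirect_vulnerable(location: str) -> str:
    """Copies the value into the Location header verbatim.

    A CR/LF pair inside the value terminates the header block early, so the
    remainder of the value is sent as if it were a second HTTP response.
    """
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def build_redirect_hardened(location: str) -> str:
    """Same output, but refuses values containing CR, LF or NUL."""
    if any(ch in location for ch in "\r\n\x00"):
        raise ValueError("control character in header value")
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def count_responses(raw: str) -> int:
    """Count status lines in a raw stream, as a pipelining proxy or browser
    would split it into separate responses."""
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1."))


# Constructed attacker input: a benign-looking path, then an injected blank
# line and a complete second response whose body is a script.
INJECTED = (
    "/home" + CRLF
    + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 25" + CRLF + CRLF
    + "<script>alert(1)</script>"
)

if __name__ == "__main__":
    print("vulnerable:", count_responses(build_redirect_vulnerable(INJECTED)), "responses")
    try:
        build_redirect_hardened(INJECTED)
    except ValueError as exc:
        print("hardened:", exc)
```

The second response is what a shared cache or a pipelining client would associate with the next request on the connection, which is why this class matters even when the first response itself is harmless.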
Web Server 6.1 SP13 includes JDK 1.6.0_21, as noted in J2SE and Java SE Support.
In response to issue 6951364, the Web Server 6.1 SP13 Admin GUI supports specifying a 2048-bit key size when generating a CSR (Certificate Signing Request) via Security ⇒ Request a Certificate.
In response to issue 6922063, Web Server 6.1 SP13 sets the default value of Cryptographic Module in the Admin GUI Security ⇒ Request a Certificate page to "internal". Additionally, the "NSS Generic Crypto Services" option has been removed.
In response to issue 6972686, the "Request Verisign Certificate" and "Install Verisign Certificate" commands have been removed from the Security tab of the Admin GUI.
For Web Server 6.1 SP13, Corrections and Updates to 6.1 SP12 Manuals has been updated to address the following documentation issues.
Issue ID | Description
---|---
6938886 | Incorrect information about supported methods removed from Setting Access Rights.
6940796 | net_read can set EAGAIN in errno when it times out.
6966631 | The statement describing PathCheck is not correct.
6973013 | Web Server 6.1 doc bug: remove the "-" in the schedulerd command-line stop, "- rm $PID_FILE".
6977268 | Web Server 6.1 and 7.0 doc RFE: all request header names are returned in lowercase.