Sun Java System Web Server 6.1 SP12/SP13 Release Notes

Features and Enhancements in 6.1 SP13

This section lists important features and enhancements provided in Web Server 6.1 SP13.

Updated Versions of NSS and NSPR, Resolving SSL/TLS Vulnerability CVE-2009-3555

Web Server 6.1 SP12 included NSS 3.12.5, which provided relief, but not resolution, for the SSL/TLS renegotiation vulnerability CVE-2009-3555. Additionally, Web Server 6.1 SP12 disabled all use of SSL/TLS renegotiation in order to protect Web Server from attack. If either the client or Web Server attempted to trigger renegotiation on an existing SSL/TLS session, the connection would fail.

Web Server 6.1 SP13 includes NSS 3.12.7, which provides safe SSL/TLS renegotiation and so provides resolution of CVE-2009-3555. As a result, Web Server 6.1 SP13 re-enables use of SSL/TLS renegotiation. For more information about Web Server 6.1 SP13 support of NSS and NSPR, see NSS and NSPR Support.

HTTP Response-Splitting and XSS Vulnerability Resolved

As reported in issue 6957507, an HTTP response-splitting and XSS vulnerability was discovered in previous Web Server 6.1 versions. Web Server 6.1 SP13 corrects this vulnerability.

Updated Version of JDK

Web Server 6.1 SP13 includes JDK 1.6.0_21, as noted in J2SE and Java SE Support.

Support for 2048–Bit Key Size in CSR

In response to issue 6951364, the Web Server 6.1 SP13 Admin GUI supports specifying a 2048–bit key size when generating a CSR (Certificate Signing Request) when using Security ⇒ Request a Certificate.

Default Cryptographic Module Set to “Internal” in CSR

In response to issue 6922063, Web Server 6.1 SP13 sets the default value of Cryptographic Module in the Admin GUI Security ⇒ Request a Certificate to “internal”. Additionally, the “NSS Generic Crypto Services” option has been removed.

Verisign Certificate Options Removed from Admin GUI

In response to issue 6972686, the “Request Verisign Certificate” and “Install Verisign Certificate” commands have been removed from the Security tab of the Admin GUI.

Documentation Corrections and Updates

For Web Server 6.1 SP13, Corrections and Updates to 6.1 SP12 Manuals has been updated to address the following documentation issues.

Issue ID 

Description 

6938886 

Wrong information of supportable methods should be removed in the Setting Access Rights 

6940796 

net_read can set EAGAIN in errno when it times out. 

6966631 

Statement for PathCheck is not correct. 

6973013 

web 6.1 doc bug - need to remove the "-" in schedulerd command line stop - "- rm $PID_FILE" 

6977268 

web 6.1 and 7.0 doc RFE - all request header names are returned as lowercase