Hornbill Core Services Version 3.1.4 Release Notes

Introduction

Welcome to the Core Services Version 3.1.4 maintenance release, which is a minor upgrade focussing on Web-server security. Whatever version of Supportworks ESP you may be running, you will benefit from the extra security advantages offered by an upgrade to this release of Core Services.

When upgrading this software package from any previous release, you simply install the new version directly over that previous version. Be aware that the upgrade will automatically back up your existing Apache configuration file (httpd.conf) and install a new one in its place. Therefore, if you have customised your configuration, you will need to migrate those changes from the backup into the new httpd.conf file. Remember that any changes you make to the httpd.conf file will require a restart of the SwHttpServer service.

As always, if you encounter any problems or would like to ask questions about your specific installation before or after upgrading, please contact Hornbill's Technical Support Team on +44 208 582 8228 or by e-mail at support@hornbill.com.

NOTE ABOUT MULTIPLE PHP INSTALLATIONS: Problems have been encountered with conflicts between Core Services and independent installations of PHP (PHP 5 in particular). In one case, this was because PHP 5 was in the directory path given by the %path% environment variable, and therefore the Core Services version of PHP may have used some of the files in this path. For this reason, it is not recommended to have separate versions of PHP installed on the same server as Core Services. This should be a consideration when diagnosing problems relating to the display of PHP pages in Web browsers or the Supportworks client.

IMPORTANT NOTE ABOUT BACKUPS: Before applying any upgrade to your live system, please ensure that you have a full backup of your Core Services, complete with database.

WARNING ABOUT EX-CONTRACT UPGRADES: If you attempt to apply this upgrade to a system and you do not have a current Supportworks or Assetworks support/maintenance contract, the upgraded system may fail to operate after the installation is complete and it would be your responsibility to restore your previous installation from your backup. Check that you have a valid support/maintenance contract before applying this upgrade.

Important Windows Requirement Pertaining to this Release

From the 3.1.4 release onwards, Windows Server 2000 is no longer supported. Additionally, a dependency on the Microsoft Visual C++ 2008 SP1 Redistributable Package has been added. The installer will automatically deploy the package during the installation.

In order to be able to run the SwHttpServer service (specifically, its php4apache2 module), the Microsoft Windows run-time "side-by-side" executable MSVCR80.dll is required. This has been shipped in most versions of the Windows operating system (and other Windows components since Windows 2000), but not in a minimal install of Windows 2003 R2.

You can check for the presence of this DLL either before you install/upgrade Core Services, or afterwards should you encounter an error that may be due to its absence. If you are upgrading from version 3.1.2, the DLL will already exist on your system.

To check for the DLL prior to installation or upgrade, you can search for "MSVCR80.dll" within the Windows\WinSxS folder. (Note that, depending on the Windows version and your installed software, it is possible for multiple instances/versions of the DLL to exist, but this would not matter - you only need to ensure that you have at least one.)

After the installation or upgrade, if SwHttpServer fails to start because of the DLL's absence, you would see an error entry in the Windows System event log whose description reads "Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system".

If you find that the DLL is not present, you should install it. The required Microsoft distribution package is located here:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5638

It can be installed without the need for a reboot.

Further information on Windows side-by-side assemblies and WinSxS can be found at the following locations:

http://msdn.microsoft.com/en-us/library/aa376307%28VS.85%29.aspx
http://omnicognate.wordpress.com/2009/10/05/winsxs/

If you are performing an upgrade on Core Services 3.1.4, make sure that none of the tools shipped with it are in use during the installation. Otherwise, the installer will ask you to restart the machine to complete the installation. If User Access Control is active, the installation will encounter problems finishing after the restart.

To avoid these problems, the 3.1.4 installer will automatically terminate all instances of the tools shipped with Core Services. If you are trying to upgrade to an older release or continue to experience this issue in 3.1.4, disable User Access Control on the operating system for the installation of Core Services and re-enable it after the installation has finished.

New and Improved in Version 3.1.4

Apache HTTP Server (SwHttpServer) Upgraded to Version 2.2.29 with OpenSSL Version 1.0.1j

This release of Core Services includes the latest compatible versions of Apache (2.2.29) and OpenSSL (1.0.1j) at the time of release. The versions of PHP and MySQL remain unchanged from Core Services 3.1.3.

Apache Version 2.2.29 is mainly a security and bug-fix update. For full details, please visit:

http://www.apache.org/dist/httpd/Announcement2.2.html

To avoid some errors that might occur with the Web client after upgrading, we recommend disabling IPv6 addresses in your Apache configuration file. These configuration changes will be applied to the default Listen directives (80 and 443) during an upgrade, provided that the default settings have not been modified. If they have been modified, or if you have added more directives, we advise you to modify them yourself, following these instructions, to disable IPv6 addresses:

http://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen

The suggested configuration for Apache, which disables SSL 3.0 on the server and eliminates the underlying issue with the POODLE threat, also requires some changes to Internet Explorer settings in order for Supportworks and the Web client to work correctly. Instructions on how to apply these changes can be found here:

https://technet.microsoft.com/en-gb/library/security/3009008.aspx#ID0EMG

Fixed in Version 3.1.4

  • F0091961 - Core Services installer may fail to perform an upgrade.
  • F0091955 - Apache and OpenSSL must be upgraded to the latest versions, which are safe from POODLE attacks.
  • F0091954 - Core Services installation should not require a licence key to proceed.
  • F0089025 - The Core Services installer does not remove the phpinfo.php file during an upgrade, causing a potential security risk.
  • F0072508 - Any queries, launched using the Database Query tool, that give rise to very long result values cause the tool to crash.
  • F0072507 - The Export Resultset function of the Database Query tool fails to export columns correctly.

New and Improved in Version 3.1.3

Apache HTTP Server (SwHttpServer) Upgraded to Version 2.2.22 with OpenSSL Version 0.9.8t

This release of Core Services includes the latest compatible versions of Apache (2.2.22) and OpenSSL (0.9.8t) at the time of release. The versions of PHP and MySQL remain unchanged from Core Services 3.1.2.

Apache Version 2.2.22 is mainly a security and bug-fix update. For full details, please visit:

http://www.apache.org/dist/httpd/Announcement2.2.html

Fixed in Version 3.1.3

  • F86948 - The first 200 lines of php.ini (in C:\Program Files\Hornbill\Core Services\SwHttpServer\bin) were duplicated following the upgrade to Version 3.1.2 of Core Services. If you are upgrading to Version 3.1.3 from that version, you should delete that file before the upgrade, and you will then have an uncorrupted copy.

New and Improved in Version 3.1.2

Apache HTTP Server (SwHttpServer) Upgraded to Version 2.2.21 with OpenSSL Version 0.9.8r

This release of Core Services includes the latest compatible versions of Apache (2.2.21) and OpenSSL (0.9.8r) at the time of release. The versions of PHP and MySQL remain unchanged from Core Services 3.1.1.

Apache Version 2.2.21 is mainly a security and bug-fix update.

Apache HTTP Server Hardening Configuration Settings Applied

Certain elements of server hardening, from among those suggested in the FAQ entitled Apache Web Server Hardening, have been incorporated into the Apache server's configuration file (httpd.conf). The three elements concerned are as follows:

  • Limiting Disclosure of Header/Footer Information
  • Avoiding Disclosure of Internal IP Addresses
  • Disabling HTTP Track/Trace

We have included these security settings in the default configuration as they are universally applicable irrespective of your particular environment. If you wish to further harden your Apache server, you are advised to follow some of the other recommendations given in the FAQ mentioned above. This FAQ is available from the Hornbill SelfService website:

http://hsml.myservicedesk.com/selfservice/

For added security, you should consider replacing the self-certified certificate included in this release with one purchased from a recognised certificate authority (CA). In addition, you should use the Analyst Portal, Web SelfService (and Web Client, if you are on Supportworks 7.5 and above) over SSL.
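
Because an upgrade replaces httpd.conf and customised settings have to be migrated by hand, the following Python script (an added example, not part of Hornbill's release or tooling) checks a configuration text for the settings described in these notes: Listen directives bound to IPv4 only, SSL 3.0 disabled, and the hardening items above. The mapping of the hardening items to ServerTokens, ServerSignature and TraceEnable is an assumption, the internal-IP item is not checked, Include files are not followed, and the sample configuration is constructed.

```python
import re

ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
IPV4_LISTEN = re.compile(r"^\d{1,3}(\.\d{1,3}){3}:\d+$")
# Assumed directive for each hardening item: (Apache default if unset, accepted values)
HARDENING = {"traceenable": ("on", {"off"}), "serversignature": ("off", {"off"}),
             "servertokens": ("full", {"prod", "productonly"})}
# Constructed sample of a customised configuration, not the shipped httpd.conf
SAMPLE_CONF = "Listen 80\nListen 0.0.0.0:443\nServerTokens Full\nSSLProtocol all -SSLv2\n"

def directives(conf_text):
    """Yield (lower-cased name, args), skipping comments and <Section> tags."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name.lower(), args

def enabled_protocols(args):
    """Evaluate SSLProtocol left to right: +/- adjust the set, a bare token replaces it."""
    enabled = set()
    for tok in (a.lower() for a in args):
        names = ALL_PROTOCOLS if tok.lstrip("+-") == "all" else {tok.lstrip("+-")}
        if tok.startswith("-"):
            enabled = enabled - names
        elif tok.startswith("+"):
            enabled = enabled | names
        else:
            enabled = set(names)
    return enabled

def audit(conf_text):
    """Return findings for one httpd.conf text; the last value of a directive wins."""
    findings, value = [], {k: default for k, (default, _) in HARDENING.items()}
    for name, args in directives(conf_text):
        if name == "listen" and args and not IPV4_LISTEN.match(args[0]):
            findings.append("Listen %s: not bound to an IPv4 address" % args[0])
        elif name == "sslprotocol":
            for proto in sorted(enabled_protocols(args) & {"sslv2", "sslv3"}):
                findings.append("SSLProtocol enables " + proto)
        elif name in HARDENING and args:
            value[name] = args[0].lower()
    for name, (_, accepted) in HARDENING.items():
        if value[name] not in accepted:
            findings.append("%s is %s" % (name, value[name]))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Run it against both the backed-up httpd.conf and the newly installed one to see which customised directives still need attention.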

Fixed in Version 3.1.2

Nothing.

New and Improved in Version 3.1.1

Nothing. The sole purpose of this patch release was to resolve some issues with Version 3.1.0 and with the installation of the software (as described below). However, please note the following component updates:

Apache HTTP Server (SwHttpServer) has been upgraded to Version 2.0.63

PHP has been upgraded to Version 4.4.9

Fixed in Version 3.1.1

  • F66198 - The system ID needed to license Core Services/Supportworks would be generated inconsistently on Windows Vista machines.
  • F71807 - An error would be displayed on installing Supportworks 7.3.7 on Windows 2000 SP 4.
  • F72507 - The Export Resultset function of the Supportworks SQL Query tool would fail to export columns correctly.
  • F72508 - Any queries, launched using the Supportworks SQL Query tool, that gave rise to very long result values would cause the tool to crash.

New and Improved in Version 3.1.0

Hornbill Core Services Admin Service

We have developed, as part of Core Services, a new Windows NT service called SwAdminService. In the future, this will replace a number of server-side utilities and their respective GUIs with a unified Web-browser-based server administration facility, thus simplifying the development cycles of any required server-side administration functions.

XSLT Functionality Enabled

On new installations only, php_xslt has been enabled, allowing XSLT to be used from within PHP. This will support server-side data transformations in the future, used for printing, document merging and other general data-transformation tasks.

PHP XML_DOM Support

We are now preconfiguring the supplied PHP extension DLL (php_domxml.dll) so that it is ready for use.

SSPI Support

We are now supplying, as part of Core Services, the module mod_auth_sspi, and have set up the Apache server to enable it. This module allows the configuration of pass-through logins in a Microsoft environment (NTLM authentication).

"Magic Quotes" PHP Directives Disabled

We have now disabled magic quotes by default in the php.ini file as follows:

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

These settings turn off some rather undesirable behaviour in PHP. Any backslash escapes required in the PHP code should instead be implemented at the relevant points using addslashes(). The active pages in Supportworks that used to depend on the magic quotes directives being enabled have all since been modified and no longer need these settings to be on.

Fixed in Version 3.1.0

  • F53851 - The openssl.cnf file included in the Core Services Version 3.0.0/3.0.1 release had a default password specified, which meant that it did not initially request a password during the generation of new SSL keys. This would cause confusion when the password is requested later on in the process. The openssl.cnf file will NOT be overwritten as part of the Core Services upgrade from Version 3.0.0/3.0.1 to this version because you may have modified this and we do not want to overwrite your changes. If the fix needs to be applied to an existing installation of Version 3.0.0/3.0.1, the new openssl.cnf file can be obtained from the Hornbill forum in the Core Services section and used to overwrite the local copy. This fix will only be required if you need to generate your own SSL keys using the Core Services distribution.
  • F53909 - Chart Director was not getting properly upgraded as part of the Core Services upgrade process, which meant that graphs would not be displayed properly in reports and on the Supportworks active pages. Chart Director has now been upgraded to Version 4.1, which resolved the upgrade problems.

New and Improved in Version 3.0.1

Nothing. The sole purpose of this release was to resolve some issues with the installation of Version 3.0.0 (as described below).

Fixed in Version 3.0.1

Fixes have been implemented in Version 3.0.1 for the following problems:

  • There were some issues with SSL files not being correctly installed.
  • There were some problems where the Services page on the installer would hang depending upon differing states of the services it encountered. For example, it would hang if the HTTP service was not started when the upgrade was run.
  • The example SSL keys for the HTTP service lasted only ten days. These have been updated to last until 2010. Nevertheless, to maintain security, you should create your own keys as soon as possible after installing.
  • The SSL virtual host configuration was not preconfigured for use on a clean installation.
  • The configuration in the php.ini file for the Zend Optimiser was not getting properly upgraded, which resulted in jumbled active PHP pages appearing in the client.

New and Improved in Version 3.0.0

Apache HTTP Server (SwHttpServer) has been upgraded to Version 2.0.59
This is mainly a security update. For full details, please visit:
http://www.apache.org/dist/httpd/Announcement2.0.html

PHP has been upgraded to Version 4.4.4
This is mainly a security update. For full details, please visit:
http://www.php.net/ChangeLog-4.php

Zend Optimizer has been upgraded to Version 3.0.1
This was upgraded to fully support PHP Versions 4.4.x. For full details, please visit:
http://www.zend.com/products/zend_optimizer

OpenSSL Version 0.9.8d support has been added
This is now configured to work with Apache out of the box on a fresh installation but, because we do not want the upgrade to overwrite any modifications that you may have made to your existing installation, a small amount of manual modification will need to be done to the Apache configuration file to enable this support when you upgrade from previous versions of Core Services. Details of this manual modification can be found in an FAQ entitled "SSL Support" in the Hornbill Support Forum (under Hornbill Core Services).

The Supportworks PHP extension DLL
This has been extended to allow us to support formatted date/time fields for all internationalisations in the Supportworks active pages.

Hornbill Core Services Release History

Version    Release Date
3.1.4      05 January 2015
3.1.3      08 May 2012
3.1.2      05 December 2011
3.1.1      16 February 2009
3.1.0      03 July 2007
3.0.1      23 January 2007
3.0.0      04 January 2007