Product Documentation
Abstract
IBM HTTP Server provides periodic fixes for release 7.0. The following is a complete listing of fixes for Version 7.0 with the most recent fix at the top.
Content
Note: There is no Fix Pack 1 delivered for IBM HTTP Server. Fix Pack 3 is the first maintenance Fix Pack delivered for IBM HTTP Server V7.0, then odd numbered Fix Packs going forward.
| Fix release date: 30 April 2018 Last modified: 30 April 2018 Status: Recommended | |
| APAR | Description |
| PI82260 | CVE-2017-3167 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280 |
| PI82263 | CVE-2017-7668 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280 |
| PI82481 | CVE-2017-7679 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280 |
| PI87445 | CVE-2017-9798 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
| PI87663 | CVE-2017-12618 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
| PI90598 | CVE-2017-12613 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22013598 |
| PI91913 | CVE-2018-1388 for IBM HTTP Server (ROBOT for GSKit). http://www-01.ibm.com/support/docview.wss?uid=swg22014196 |
| PI75341 | /server-status doesn't display client IP until first request is read |
| PI76757 | Allow SSL handshake transcripts to be enabled or disabled |
| PI78442 | Some sequences of server-side includes mixing '#include virtual=' and '#include file=' result in a HTTP 400 error. |
| PI78767 | HttpProtocolOptions does not get merged from global to virtualhost scope in 8.5 and earlier. |
| PI80447 | Disable MMAP for static files by default on z/OS (z/OS only) |
| PI81360 | Allow SSL_/TLS_ prefixes to be used interchangeably for cipher long names |
| PI81602 | Issues with updating SAF password when using Firefox or Chrome (z/OS only) |
| PI83257 | Reduce memory usage from long mod_rewrite configurations. |
| PI83350 | Add jobname and job id to SMF 103 records for IBM HTTP Server (z/OS only) |
| PI84868 | Disable the 3DES cipher by default in IBM HTTP Server. |
| PI85702 | SAFRunAs %%CERTIF%% asks for basic auth credentials (z/OS only) |
| PI85804 | Improve password failure error messages in authnz_saf (z/OS only) |
| PI88232 | Allow the server to handle requests with obsolete folds containing only spaces and/or tabs after PI73984. |
| PI88356 | Default ciphers with SSLFIPSEnable are System SSL defaults instead of IHS defaults. (z/OS only) |
| PI88553 | Print an error message that includes the errno and errno2 values on failure to find a specified saf-group. |
| PI89257 | Error opening new SSL keystores with IHS 7.0 |
| PI91075 | Add environment variable to record "SSLVersion" failure |
| PI91975 | The 'Header unset Content-Type' directive does not unset the Content-Type response header. |
| PI93619 | Upgrade bundled GSKit security library (GSKit upgrade to 7.0.5.15) |
Note: IBM HTTP Server 7.0.0.45 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
| Fix release date: 24 April 2017 Last modified: 24 April 2017 Status: Superseded | |
| APAR | Description |
| PI63098 | CVE-2016-0718 for IBM HTTP Server (Distributed only) http://www-01.ibm.com/support/docview.wss?&uid=swg21988026 |
| PI65855 | CVE-2016-5387 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988019 |
| PI66849 | CVE-2012-0876, CVE-2012-1148, CVE-2016-4472 expat vulnerability fixes for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026 |
| PI73984 | CVE-2016-8743 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21996847 |
| PI56034 | No equivalent functionality for DGW ALWAYSWELCOME directive in IHS on z/OS. |
| PI57543 | Allow one address space per rotatelogs process to be conserved. (z/OS only) |
| PI58218 | IBM HTTP Server mod_cache fixes. |
| PI59561 | Add pre/post password hooks to mod_authnz_saf. (z/OS only) |
| PI62663 | Some Server Side Includes (SSI) may not be translated as expected (z/OS only) |
| PI63482 | Add a private header with password change information for 401 response. |
| PI63682 | IHS mod_status displays many 'NULL' strings in request column. |
| PI64346 | SetEnvIf may be skipped with SAF auth enabled (z/OS only) |
| PI66695 | mod_reqtimeout can cause 'java.io.IOException: Async IO operation failed' |
| PI66787 | Session cache daemon (sidd) memory leak |
| PI67595 | AuthSAFExpiration and AuthSAFReenter do not work when using a 401 errordocument (z/OS only) |
| PI70024 | Lower message severity to Info for cache return error when connection is aborted for the IBM HTTP Server error logging |
| PI70496 | Startup failures when 'SSLEnable' is specified globally instead of within a VirtualHost. |
| PI70829 | Provide additional message information for IBM HTTP Server TLS handshakes |
| PI72027 | IHS rewrite rule on IPV6 does not redirect correctly. |
| PI72350 | Potential crash in mod_mem_cache in IHS 8.5 and earlier. |
| PI73027 | Crash with combination of mod_net_trace loaded and 'EnableSendfile ON' in httpd.conf |
Note: IBM HTTP Server 7.0.0.43 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.32.
| Fix release date: 11 April 2016 Last modified: 11 April 2016 Status: Superseded | |
| APAR | Description |
| PI45005 | Use of SAFRunAs %%CLIENT%% can result in ICH408I messages being issued against the HTTP Server userid |
| PI46616 | Allow RewriteRule to use colon (':') in header names and values |
| PI46868 | REXX CGIs may display as text in the browser |
| PI47198 | IHS caching partial response for chunked responses |
| PI47445 | IHS V7.0 and V8.0 fail to start when using CharsetOptions NoImplicitAdd. (z/OS only) |
| PI47642 | Honor a global LogLevel specified after a virtual host definition that does not explicitly set LogLevel |
| PI47828 | IBM HTTP Server on z/OS fails to start with CC=0137 and ABENDU4093 RC00000281 (z/OS only) |
| PI48695 | DGW compatibility for CGI query strings and syntax in server-side includes. (z/OS only) |
| PI49165 | Add new request time logging formats |
| PI49473 | IBM HTTP Server mod_filter is unable to process pages with error response codes returned from WebSphere Plugin |
| PI49718 | Improve error_log reporting for 'SSLProxyEngine' handshake errors |
| PI49791 | Add the IfFile directive to allow processing directives based on file existence |
| PI50376 | DGW compatibility for DOCUMENT_* CGI variables. (z/OS only) |
| PI50397 | No error log entries for 'SAFRunAs %%CERTIF_REQ%%' failures. (z/OS only) |
| PI50514 | SSL session ID cache daemon (SIDD) creates unnecessary entries |
| PI51185 | Enhancements allowing use of SAFRunAsEarly for certificate switching |
| PI52299 | TLS_FALLBACK_SCSV support for IBM HTTP Server |
| PI54415 | Requests with CONTENT-LENGTH: 0 and any LimitRequestBody may result in a 413 error |
| PI54757 | Delay allocating an IHS thread until data is available on a new inbound TCP connection. |
| PI54808 | RewriteRule sees un-decoded characters in URL when mod_authnz_saf loaded |
Note: IBM HTTP Server 7.0.0.41 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
| Fix release date: 02 November 2015 Last modified: 02 November 2015 Status: Superseded | |
| APAR | Description |
| PI34229 | Disable RC4-based TLS ciphers by default in IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21701072 |
| PI36417 | CVE-2015-0138 for IBM HTTP Server (GSKit upgrade to 7.0.5.5) http://www-01.ibm.com/support/docview.wss?uid=swg21698959 |
| PI39833 | CVE-2015-1829 for IBM HTTP Server on Windows http://www-01.ibm.com/support/docview.wss?uid=swg21959081 |
| PI42928 | CVE-2015-3183: Incorrect parsing of chunked headers http://www-01.ibm.com/support/docview.wss?uid=swg21963361 |
| PI44793 | CVE-2015-4947 in IBM HTTP Server Administration Server http://www-01.ibm.com/support/docview.wss?uid=swg21965419 |
| PI45596 | CVE-2015-1283 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21964428 |
| PI33527 | SSLOCSPEnable directive always enables OCSP (Online Certificate Status Protocol) even if value is 'OFF' |
| PI34017 | HTTP error 413 on static files results in a duplicate error message. |
| PI35073 | IBM HTTP Server always supplies its own HTTP 'DATE' header to responses generated by the WebSphere webserver plug-in. |
| PI35219 | ABEND0C1 when running install_ihs |
| PI38322 | Allow mod_cache to ignore an 'Authorization' HTTP request header. |
| PI38562 | CGI resources are briefly unavailable just after a restart |
| PI38828 | Enable unified config dump |
| PI38835 | IBM HTTP Server cannot log time-to-first-byte (TTFB) |
| PI40952 | Preserve quoting in SSLServerCert directive |
| PI45740 | Encoding error on RewriteRule |
Note: IBM HTTP Server 7.0.0.39 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
| Fix release date: 13 March 2015 Last modified: 13 March 2015 Status: Superseded | |
| APAR | Description |
| PI31516 | CVE-2014-8730: Enable strict CBC padding checks on TLS connections http://www-01.ibm.com/support/docview.wss?&uid=swg21697369 |
| PI27904 | IBM HTTP Server should disable weak SSL protocols and ciphers by default |
| PI23005 | Allow logging of time taken during SSL handshake |
| PI24257 | 'Header edit* ...' directive not accepted by IBM HTTP Server |
| PI25783 | Fatal getpwuid() error at IBM HTTP Server startup (z/OS only) |
| PI26507 | mod_proxy on z/OS doesn't try IPV4 addresses on systems where IPV6 connections fail (z/OS only) |
| PI28735 | ErrorDocument redirection for status code 414 (Request URI too long) does not work |
| PI30093 | Allow SSLProtocolDisable, SSLProtocolEnable, and SSLAttributeSet in the IBM HTTP Server global configuration |
| PI31566 | Allow IBM HTTP Server RLimit* directives to reduce hard limits |
Note: IBM HTTP Server 7.0.0.37 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
| Fix release date: 13 October 2014 Last modified: 13 October 2014 Status: Superseded | |
| APAR | Description |
| PI22070 | Multiple Apache web server vulnerabilities: CVE-2014-0118 (mod_deflate), CVE-2014-0226 (mod_status), CVE-2014-0231 (mod_cgid), CVE-2013-5704 (core) http://www-01.ibm.com/support/docview.wss?&uid=swg21684612 |
| PI17434 | SSLCACHE may fail due to SSLCACHEPORTFILENAME value being in use (z/OS only) |
| PI19581 | IBM HTTP Server modules specified without a path don't load |
Note: IBM HTTP Server 7.0.0.35 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
| Fix release date: 23 June 2014 Last modified: 23 June 2014 Status: Superseded | |
| APAR | Description |
| PI05309 | CVE-2013-6329: SSL session resumption vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
| PI09345 | CVE-2013-6438: Potential Denial of Service in mod_dav for IBM HTTP Server. http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
| PI09443 | CVE-2013-6747: GSKit Certificate Chain Vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
| PI13028 | CVE-2014-0098: mod_log_config - Potential denial of service vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
| PI17025 | CVE-2014-0963: IBM HTTP Server high CPU utilization with SSL http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
| PM97650 | IBM HTTP Server does not send SIGTERM to fastCGI application |
| PI06366 | IBM HTTP Server thread creation failures when scaling up from default configuration on RHEL6 |
| PI08502 | Potential heap corruption under load for IBM HTTP Server with SSL enabled. (GSKit upgrade). |
| PI08715 | Potential mod_proxy crashes under load |
| PI15344 | IBM HTTP Server caching issues |
| PI16599 | Authentication failure gives LDAP error for non-LDAP configurations |
Note: IBM HTTP Server 7.0.0.33 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.27.
| Fix release date: 13 January 2014 Last modified: 13 January 2014 Status: Superseded | |
| APAR | Description |
| PM87808 | CVE-2013-1862: mod_rewrite vulnerability http://www-01.ibm.com/support/docview.wss?uid=swg21661323 |
| PM89996 | CVE-2013-1896: mod_dav vulnerability http://www-01.ibm.com/support/docview.wss?uid=swg21661323 |
| PM84215 | mod_mpmstats may report incorrect values during startup or shutdown |
| PM89422 | IHS WebDAV requests slow on Windows. |
| PM94008 | Timed-out ldap bind and search failures on reused connections are not retried |
| PM94143 | Use of SAFRunAs results in ICH408I messages being issued against the HTTP Server userid (z/OS only) |
| PM94602 | ProxyRemote fails to work with SSL requests |
| PM96039 | The AcceptEx disablement notice should not appear in Windows Event Viewer |
Note: IBM HTTP Server 7.0.0.31 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.26.
| Fix release date: 24 June 2013 Last modified: 24 June 2013 Status: Superseded | |
| APAR | Description |
| PM76110 | CVE-2012-4557: mod_proxy_ajp incorrectly marks backend WAS CE server down |
| PM80058 | CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules https://exchange.xforce.ibmcloud.com/vulnerabilities/82359 https://exchange.xforce.ibmcloud.com/vulnerabilities/82360 |
| PM85211 | CVE-2013-0169: TLS Vulnerability (This fix upgrades the bundled GSKit security library) https://exchange.xforce.ibmcloud.com/vulnerabilities/81902 |
| PM75876 | The 'Header' directive can't set a header only if the header is absent, even when using 'EDIT' mode or relying on other modules. |
| PM77980 | IBM HTTP Server should not add the Server: header by default |
| PM78087 | IBM HTTP Server high memory use when many hundreds of RewriteCond %{REQUEST_URI} |
| PM78144 | IBM HTTP Server large logformats cannot be correctly logged by piped loggers |
| PM79015 | mod_disk_cache on Windows gives error: '(OS 5) Access is denied: disk_cache: Rename tempfile to datafile failed' |
Note: IBM HTTP Server 7.0.0.29 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.
| Fix release date: 21 January 2013 Last modified: 21 January 2013 Status: Superseded | |
| APAR | Description |
| PM70591 | IHS on Microsoft Windows startup failure with SSLv3Timeout or SSLv2Timeout in vhost: 'master_main: create child process failed.' |
| PM70994 | SSLFakeBasicAuth depends on LoadModule order |
| PM71102 | <Location> settings don't affect some mod_negotiation generated content |
| PM73304 | Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server |
Note: IBM HTTP Server 7.0.0.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.
| Fix release date: 24 September 2012 Last modified: 24 September 2012 Status: Superseded | |
| APAR | Description |
| PM66470 | CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site. |
| PM62011 | mod_log_config: The wrong cookie can be logged |
| PM66218 | Upgrade bundled GSKit security library |
Note: IBM HTTP Server 7.0.0.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.
| Fix release date: 28 May 2012 Last modified: 28 May 2012 Status: Superseded | |
| APAR | Description |
| PM52351 | CVE-2012-0717: SSLClientAuth Required_reset is not enforced for SSLv2 connections. https://exchange.xforce.ibmcloud.com/vulnerabilities/73749 |
| PM55760 | CVE-2012-0031: Possible parent process crash when untrusted code is run in child. https://exchange.xforce.ibmcloud.com/vulnerabilities/72377 |
| PM56128 | CVE-2012-0053: Possible httpOnly cookie disclosure on compromised site. https://exchange.xforce.ibmcloud.com/vulnerabilities/72758 |
| PM58899 | CVE-2012-0883: IBM HTTP Server incorrectly sets paths for startup https://exchange.xforce.ibmcloud.com/vulnerabilities/74901 |
| PM53340 | Incorrect request body handling with Expect: 100-continue. |
| PM54289 | install_ihs script results in errors in the postinstall process. (z/OS only) |
| PM54387 | ABEND EC6 after IHS shutdown when using piped loggers. (z/OS only) |
| PM56585 | mod_authnz_ldap can generate many unnecessary ldap queries while processing 'Require group' |
| PM57197 | Enhancements to IBM HTTP Server serviceability capabilities for hung threads and slow modules. |
| PM58545 | mod_perl build cannot find "OPT_INCNOEXEC" in IHS 7.0 |
Note: IBM HTTP Server 7.0.0.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.22.
| Fix release date: 16 January 2012 Last modified: 16 January 2012 Status: Superseded | |
| APAR | Description |
| PM46234 | CVE-2011-3192: Potential Denial of Service with malicious range requests https://exchange.xforce.ibmcloud.com/vulnerabilities/69396 |
| PM47852 | CVE-2011-3348: mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized. |
| PM48384 | CVE-2011-3368, CVE-2011-3639, CVE-2011-4317: Potential pattern expansion problem when mod_proxy and mod_rewrite are used together. |
| PM50426 | CVE-2011-3607: Potential buffer overflow and high memory usage in IBM HTTP Server (ap_pregsub) |
| PM43037 | ProxyPass broken due to ebcdic to ascii translation issue with interim response headers |
| PM43354 | No error message for rotatelogs syntax errors |
| PM44635 | IHS returns 500 instead of 401 for a revoked SAF userid |
| PM44816 | Provide end-to-end timeouts for slow requests |
| PM45618 | IHS threads can hang in ldap_bind() without any timeout |
| PM47429 | IHS mod_ldap fails at runtime with 'SSL support failed initialization' |
| PM49573 | IHS startup failure on Windows: 'master_main: create child process failed.' |
Note: IBM HTTP Server 7.0.0.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.21.
| Fix release date: 12 September 2011 Last modified: 12 September 2011 Status: Superseded | |
| APAR | Description |
| PM38826 | CVE-2011-0419 apr_fnmatch() routine can result in high CPU with use of mod_autoindex https://exchange.xforce.ibmcloud.com/vulnerabilities/67414 |
| PM27886 | Upgrade bundled GSKit security library including secure SSL renegotiation |
| PM31189 | URL containing "%2F" is being decoded to "/" with AllowEncodedSlashes On |
| PM35469 | Network fragmentation occurs with SSL and mod_deflate |
| PM37261 | Use of RLimitMEM and RLimitCPU with mod_cgid on IHS 7.0 fails with an Out of Memory error on Unix |
| PM37405 | mod_authnz_saf on z/OS does not allow user to control behavior when user password is expired |
| PM38313 | Piped loggers that continuously restart cause pipe and file descriptor leaks |
Note: IBM HTTP Server 7.0.0.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.19.
| Fix release date: 16 May 2011 Last modified: 16 May 2011 Status: Superseded | |
| APAR | Description |
| PM26041 | SSL forward proxy closes idle connections during graceful process exit |
| PM31763 | 'Header edit' deletes multiple headers |
Note: IBM HTTP Server 7.0.0.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.17.
| Fix release date: 28 February 2011 Last modified: 28 February 2011 Status: Superseded | |
| APAR | Description |
| PM23263 | CVE-2010-1623: apr-util vulnerabilities https://exchange.xforce.ibmcloud.com/vulnerabilities/62235 |
| PM24234 | CVE-2009-3560 & CVE-2009-3720: mod_dav UTF-8 sequence handling problem https://exchange.xforce.ibmcloud.com/vulnerabilities/54598 https://exchange.xforce.ibmcloud.com/vulnerabilities/52686 |
| PM20672 | IHS SSL initialization fails if SSLClientAuthRequire or SSLClientAuthGroup ends with an unquoted string |
| PM20934 | "MaxClients reached" message can occur prematurely |
Note: IBM HTTP Server 7.0.0.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.17.
| Fix release date: 25 October 2010 Last modified: 25 October 2010 Status: Superseded | |
| APAR | Description |
| PM16366 | CVE-2010-2068: mod_proxy_http vulnerability for Windows platform |
| PM18904 | CVE-2010-1452: mod_dav vulnerability |
| PM00138 | mod_fastcgi: Intermittent Connection Refused error at startup when using FastCGI |
| PM14028 | mod_deflate: Invalid Etag emitted |
| PM15623 | mod_ldap and mod_authnz_ldap: Nested group failures |
| PM17269 | When SSLUnknownRevocationStatus is not explicitly configured, a SSL0275E debug message is logged at notice level |
Note: IBM HTTP Server 7.0.0.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.16.
| Fix release date: 18 June 2010 Last modified: 18 June 2010 Status: Superseded | |
| APAR | Description |
| PM08939 | CVE-2010-0434: mod_headers / CVE-2010-0408 |
| PM07113 | Update GSKit to 7.0.4.28 |
| PM04628 | gsk7cmd/gsk7capicmd parsing error on '-dn' <dist name> for organization unit (O=) with a space in the name |
| PM07976 | apachectl start or stop can fail in some locales (z/OS only) |
| PM09819 | IBM HTTP Server error log warning; "Not owner: processor unbind failed -1" in an AIX WPAR environment |
| PM10270 | IBM HTTP Server can fail during an upload that is greater than 2GB if SSL is used |
Note: IBM HTTP Server 7.0.0.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.15.
| Fix release date: 29 March 2010 Last modified: 29 March 2010 Status: Superseded | |
| APAR | Description |
| PK96858 | CVE-2009-3094 & CVE-2009-3095: mod_proxy_ftp vulnerabilities https://exchange.xforce.ibmcloud.com/vulnerabilities/53041 |
| PM00675 | CVE-2009-3555: TLS/SSL protocol MITM vulnerability |
| PK92520 | Request for a URI with a long file path can fail on z/OS |
| PK96600 | Prevent runaway forking if the accept mutex is damaged |
| PK94007 | mod_mem_cache: segmentation fault |
| PK95497 | IBM HTTP Server may fail to ignore some cache related headers even when CacheIgnoreHeaders is configured |
| PK96410 | Intermittent error reading status line with http proxy |
| PK96500 | mod_mem_cache, mod_disk_cache: IBM HTTP Server should not cache incomplete responses |
| PK97740 | IBM HTTP Server does not log 408 to the access log when an HTTP request is not sent within the timeout period |
| PK98225 | Cache responses with s-maxage set |
| PK99128 | IBM HTTP Server won't start on z/OS after install_ihs creates symlinks to version root |
| PM00101 | GSKit crash on Microsoft Windows 32bit or AIX operating systems plus purify |
| PM00136 | "apachectl stop" fails if the z/OS resolver is down |
Note: IBM HTTP Server 7.0.0.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.14.
| Fix release date: 13 November 2009 Last modified: 13 November 2009 Status: Superseded | |
| APAR | Description |
| PK88341 | CVE-2009-0023: Underflow in apr_strmatch_precompile & CVE-2009-1956: apr_brigade_vprintf off-by-one overflow vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/50964 |
| PK88342 | CVE-2009-1955: apr_xml_* interface vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/50994 |
| PK91259 | CVE-2009-1890: mod_proxy_http vulnerability |
| PK91361 | CVE-2009-1891: mod_deflate vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/51626 |
| PK93225 | CVE-2009-2412: Apache Portable Runtime memory allocation functions can return invalid pointers |
| PK87590 | %{SERVER_PORT} variable incorrectly resolves to '80' when SSL is used but no port number is provided on the ServerName directive |
| PK87717 | mod_charset_lite translates inbound HTTP request bodies |
| PK90571 | When HTTP Server is configured to use SSL reverse proxy, segmentation faults may occur |
| PK93106 | Cannot configure IHS response to unknown revocation status via OCSP |
| PK93112 | Disable SSLv3 protocol when SSLFIPSEnable is configured |
| PK93510 | Piped errorlog loses initialization error message |
Note: IBM HTTP Server 7.0.0.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.13.
| Fix release date: 27 July 2009 Last modified: 27 July 2009 Status: Superseded | |
| APAR | Description |
| PK86232 | CVE-2009-1195: 'AllowOverride Options=IncludesNOEXEC' allows override of includes with exec https://exchange.xforce.ibmcloud.com/vulnerabilities/50808 |
| PK77458 | Cached responses contain incorrect Content-Type and Content-Encoding headers on IBM HTTP Server |
| PK78007 | When an SSL request arrives shortly after an IHS restart, a SSL0600S error is logged |
| PK78073 | Can't configure mod_charset_lite to translate only mod_autoindex output |
| PK78299 | Allow startup of IBM Administration Server by a non-root userid |
| PK78333 | Translate 100-Continue responses to ASCII |
| PK79583 | LDAP retry logic insufficient on transient LDAP errors |
| PK79915 | Slow memory leak on z/OS when IBM HTTP Server is configured to request client SSL Certificates |
| PK81016 | mod_proxy_ftp cannot serve files with wildcards in their names |
| PK81733 | mod_authnz_ldap can't pass filter simple enough to support SDBM-backed LDAP (RACF over LDAP) |
| PK83734 | Can't create CMS keyfile with IHS 7.0 from 64-bit Supplemental media on z/Linux |
| PK84899 | Failure and crash in IHS Administration Server during stop operation |
Note: IBM HTTP Server 7.0.0.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.11.
| Fix release date: 27 March 2009 Last modified: 27 March 2009 Status: Superseded | |
| APAR | Description |
| PK72236 | mod_charset_lite suppresses some browser error messages |
| PK74791 | SSL0267E doesn't distinguish between timeouts establishing and completing the SSL handshake |
Note: IBM HTTP Server 7.0.0.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.11.
Document Information
Modified date:
07 September 2022
UID
swg27014506