SI40533 - HTTPSVR - Patch Apache Vulnerability CVE-2010-2068

PTF (Program Temporary Fixes) Cover Letter



Abstract

HTTPSVR - Patch Apache Vulnerability CVE-2010-2068


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED      PTF/FIX  LEVEL
TYPE PROGRAM  REL  NUMBER   MIN/MAX  OPTION
---- -------- ---  -------  -------  ------
CO   5761DG1  610  SI35764   NONE     0000
CO   5761DG1  610  SI35768   NONE     0000
CO   5761DG1  610  SI35263   NONE     0000



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.





APAR Error Description / Circumvention

DESCRIPTION OF PROBLEM FIXED FOR APAR SE44231 :
-----------------------------------------------
Update IBM HTTP Server for i to address security vulnerabilities
listed on the Apache Software Foundation website, to maintain PCI
compliance.

CORRECTION FOR APAR SE44231 :
-----------------------------
This PTF updates the IBM HTTP Server for i (powered by Apache) to
address security vulnerabilities and maintain PCI compliance.

CIRCUMVENTION FOR APAR SE44231 :
--------------------------------
None.


DESCRIPTION OF PROBLEM FIXED FOR APAR SE44398 :
-----------------------------------------------
Update IBM HTTP Server for i to address security vulnerabilities
listed on the Apache Software Foundation website, to maintain PCI
compliance.

CORRECTION FOR APAR SE44398 :
-----------------------------
This PTF updates the IBM HTTP Server for i (powered by Apache) to
address security vulnerabilities and maintain PCI compliance.

CIRCUMVENTION FOR APAR SE44398 :
--------------------------------
None.


Activation Instructions


None.


Special Instructions


********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI35822 :
=================================================

This PTF will be activated for an HTTP server when that server instance
is ended and started, or at the next IPL.  If an HTTP server is already
active at the time this PTF is applied, the HTTP server must be ended
and started in order to activate this PTF for that HTTP server
instance.

Do the following to activate this PTF for all HTTP server
instances.

1. ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ALL)
2. Start the HTTP server(s) using:
STRTCPSVR SERVER(*HTTP) HTTPSVR(<server name>)

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI35767 :
=================================================

This PTF will be activated for an HTTP server when that server instance
is ended and started, or at the next IPL.  If an HTTP server is already
active at the time this PTF is applied, the HTTP server must be ended
and started in order to activate this PTF for that HTTP server
instance. If the HTTP server(s) are not restarted, CGI programs will
not run successfully until after the HTTP server instances have been
restarted.

Do the following to activate this PTF for all HTTP server
instances.
1. ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ALL)
2. Start the HTTP server(s) using:
STRTCPSVR SERVER(*HTTP) HTTPSVR(<server name>)

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI31044 :
=================================================

The following directions apply to HTTP servers that were already
associated with a WebSphere Application Server Version 6.0 before
upgrading to V6R1. You must do these steps before starting the
servers:
1. Apply PTF 5733-W60 SI29611.


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI40136      HTTPSVR - Update Input Translation Filter
   SI39623      HTTPSVR - MSGMCH1207 HTTP SERVER ISSUING MCH1207
   SI38829      HTTPSVR - F/MOD_CGI MCH6902 MCH0601
   SI38829      HTTPSVR - Trace Logging Update
   SI38829      HTTPSVR - Patch Apache Vulnerability CVE 2010 0434
   SI38418      HTTPSVR - ERRORS LOGGED IN ACCESS LOG
   SI37942      HTTPSVR - Diagnostic CPF22E7 Error Message
   SI37838      Integrity Problem
   SI37511      HTTPSVR - QZSRCORE SSI printenv is not working for the SSL p
   SI37277      HTTPSVR - Update IBM HTTP Server Directives
   SI36869      HTTPSVR - INCORROUT WITHIN APACHE EXTENDED LOG, SYSTEM IDENT
   SI36620      HTTPSVR-F/QZSRAPR-T/QZSRCORE-MSGHTP8005 LOGFORMAT DIRECTIVE
   SI36620      HTTPSVR - Patch Apache Vulnerability CVE 2008 2364
   SI36620      HTTPSVR-THREADS-MSGHTP8008 HTTP SERVER WILL FAIL TO START AF
   SI35928      HTTPSVR - IBM HTTP Server Updates
   SI35822      HTTPSVR - THREADS-WAIT PROXY SERVER HANGS
   SI35767      HTTPSVR - fix problems with plugins
   SI35278      HTTPSVR - IBM HTTP Server Updates
   SI35264      HTTPSVR - MSGTCP7351 API QTMHWRSTOUT SOMETIMES FAILS WITH TC
   SI35205      HTTPSVR - CGI job fails with MSGMCH3601
   SI35112      HTTPSVR-F/AIUPCALLPROGRAM-T/QZSRCGI-MSGMCH0802 CGI PROGRAMS
   SI34959      HTTPSVR-INCORROUT USING ERRORDOCUMENT DIRECTIVE.
   SI34959      HTTPSVR-INCORROUT DEFAULT ERROR PAGES IN A SPANISH SYSTEM.
   SI34834      HTTPSVR QP0ZPUTENVCCSID failed with errno 3021 for CGI
   SI34735      HTTPSVR - HTTP server NULL pointer error
   SI34191      HTTPSVR-INCORROUT BASIC AUTHENTICATION
   SI34191      HTTPSVR-INCORROUT ADDING CGI TRACES AND SSL MESSAGES
   SI34191      HTTPSVR- SSL Invalid Cipher suites _AES_ using TLSV1_SSLV3
   SI34191      HTTPSVR-INCORROUT NESTED SSI CAUSING GARBAGE IN QUERY_STRING
   SI34191      HTTPSVR-INCORROUT HTTP_COOKIE CONVERSION FAILS
   SI34191      HTTPSVR MSGMCH3601-ZSRV_MSG0372 MOD_REWRITE IN A DBCS SYSTEM
   SI34191      HTTPSVR-INCORROUT IN ACCESS_LOG
   SI32578      HTTPSVR-MSGMCH3601 ZSRV_MSG0372 IN MOD_REWRITE
   SI31900      HTTPSVR- ENABLE STARTUP FROM PLUGIN FOR WAS 7
   SI31900      HTTPSVR-F/QZSRAPR-T/QZSRCORE-RC4-MSGHTP8047 IN JOB QZSRCGI
   SI31900      HTTPSVR-INCORROUT NESTED EXEC SSI TAG IN CGI'S NOT WORKING
   SI31900      HTTPSVR INCORROUT REQUEST_URI ENVIRONMENT VARIABLE.
   SI31844      Integrity Problem
   SI31044      HTTPSVR-MSGHTP8016 STARTUP FAILS FOR WAS_AP20_MODULE
   SI30160      HTTPSVR - PROXY LOAD BALANCER 404 ERROR MESSAGE (IPv6)
   SI30160      HTTPSVR APACHE LOG DIRECTORY NOT SAVED IN A FULL SYSTEM SAVE
   SI30160      HTTPSVR - APACHE 2.2.6 MERGE CODE CHANGES
   SI30160      HTTPSVR-F/QZSRAPR-T/QZSRAPR-MSGMCH3601 HTTP THREADS END
   SI30160      HTTPSVR-UNPRED KERBEROS AUTHENTICATION FOR HTTP
   SI30160      HTTPSVR-INCORROUT APACHE APR UTILITIES
   SI30160      HTTPSVR-F/QZSRAPR-T/QZSRAPR-RC5-MSGHTP8047 LOGGING MESSAGES
   SI30160      HTTPSVR-INCORROUT IN DEFAULT ERROR PAGES IN A DBCS SYSTEM
   SI30160      HTTPSVR-F/QZSRAPR-T/QZSRCORE-MSGHTP8005 LOGFORMAT DIRECTIVE
   SI31220      HTTPSVR - REMOVE TOMCAT JAR FILES

Summary Information

System..............................................   i
Models..............................................  
Release.............................................   V6R1M0
Recompile...........................................   N
Library.............................................   QHTTPSVR
MRI Feature ........................................   NONE
Cum Level...........................................   C1102610


IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.


Document information

More support for: i family
Software version: V6R1M0
Operating system(s): OS/400
Reference #: SI40533
Modified date: 2014-09-15
