IBM Support

SI57763 - HTTPSVR - Patch Apache Vulnerability CVE-2015-3183

PTF (Program Temporary Fixes) Cover Letter


Abstract

HTTPSVR - Patch Apache Vulnerability CVE-2015-3183


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED      PTF/FIX  LEVEL
TYPE PROGRAM  REL  NUMBER   MIN/MAX  OPTION
---- -------- ---  -------  -------  ------
CO   5770DG1  710  SI47662   NONE     0000
CO   5770DG1  710  SI47663   NONE     0000
CO   5770DG1  710  SI47664   NONE     0000
CO   5770DG1  710  SI42003   NONE     0000
CO   5770DG1  710  SI44746   NONE     0000



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.


APAR Error Description / Circumvention

-------------------------------------------------
Update IBM HTTP Server for i to address security vulnerability
CVE-2015-3183 and maintain PCI compliance.

CORRECTION FOR APAR 'SE62675' :
-------------------------------
The fix for security vulnerability CVE-2015-3183 has been applied
to IBM HTTP Server for i.

CIRCUMVENTION FOR APAR 'SE62675' :
----------------------------------
None.


Activation Instructions


None.




Special Instructions


This PTF is activated for an HTTP server instance when that instance
is ended and started, or at the next IPL.  If an HTTP server is already
active at the time this PTF is applied, the HTTP server must be ended
and started in order to activate this PTF for that HTTP server
instance.

Do the following to activate this PTF for all HTTP server
instances.

1. ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ALL)
2. Start the HTTP server(s) using:
   STRTCPSVR SERVER(*HTTP) HTTPSVR(<server name>)


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI56565      HTTPSVR - HTTP Server for i updates
   SI55746      HTTPSVR - Add IASP support to StartCGI directive
   SI55746      HTTPSVR - Patch Apache Vulnerability CVE-2013-5704
   SI55746      HTTPSVR - Add CCSID 1377 support
   SI54022      HTTPSVR - Patch Apache Vulnerability CVE-2014-0118
   SI54022      HTTPSVR - HTTP Server for i update
   SI53684      HTTPSVR - HTTP Server for i update
   SI53684      HTTPSVR - HTTP Server update for WebDav
   SI53567      HTTPSVR - HTTP Server for i update
   SI52916      HTTPSVR -  Security Patch for CVE-2014-0098
   SI52602      HTTPSVR - HTTP Server for i export symbols updates
   SI52602      HTTPSVR - HTTP Server for i 2.4 support
   SI50999      HTTPSVR-INCORROUT WHEN PROVIDED A FILE WITH MULTIPLE LINES O
   SI50824      Integrity Problem
   SI50824      OSP-MSGCCSID1166INAPACHE-PAR-940XMISC HTP8206 - APACHE INSTA
   SI50403      Integrity Problem
   SI50087      HTTPSVR - HTTP Server for i update
   SI49746      HTTPSVR-THREADS-INCORROUT QTMHCVTDB DOESN'T CONVERT SOME DBC
   SI49746      F/DG1VULNERABILITIES-MSGAUDITREPORT CVE 2012-3499 / CVE 2012
   SI49469      HTTPSVR-INCORROUT SCRIPT REDIRECTION DOES NOT RETURN CORRECT
   SI49469      HTTPSVR-INCORROUT LARGE PDF FAILS TO DISPLAY OR PARTIALLY DI
   SI47649      HTTPSVR - Large file (> 2GB) support
   SI47606      HTTPSVR-INCORROUT-RWS SOME SIMPLIFIED CHINESE CHARACTERS ARE
   SI47606      HTTPSVR - Patch Apache Vulnerability CVE-2012-2687
   SI47606      HTTPSVR - Fix CGI job is not reusable in IASP
   SI47606      HTTPSVR - HTTP Server for i updates
   SI47606      OSP-MSGHTTPERROR401-PAR-940XMISC INCORRECT REQUEST BODY HAND
   SI47097      HTTPSVR - Fix StartCGI directive issue
   SI46870      HTTPSVR - Add Group Profile Access List Support
   SI46590      HTTPSVR-PERFM LARGE BUFFER SIZE CAUSED CUSTOMER'S COMMUNICAT
   SI46468      HTTPSVR - Follow up fix for CVE-2011-4317
   SI46361      HTTPSVR-INCORROUT HTTP CHARSET RESPONSE HEADER NOT BEING SEN
   SI45900      Integrity Problem
   SI45900      HTTPSVR - Enable expired user profile kerberos authenticatio
   SI45532      HTTPSVR - Add ForensicLog Maintenance Support
   SI45532      HTTPSVR - HTTP Server for i updates
   SI45438      Integrity Problem
   SI45215      HTTPSVR - HTTP logger updates
   SI44812      HTTPSVR - Patch Apache Vulnerability CVE-2011-3368
   SI44812      HTTPSVR - WebSphere Application Server plugin auto update
   SI44630      HTTPSVR - Patch Apache Vulnerability CVE-2011-3192
   SI43977      HTTPSVR - HTTP Server for i updates
   SI43799      HTTPSVR - Fix HTTP server startup parameter -D/-M not work
   SI43799      HTTPSVR-MSGZSRV_MSG0574 HTTP APACHE SERVER FAILS ZSRV_MSG057
   SI43722      HTTPSVR - Patch Apache Vulnerability CVE-2011-0419 and CVE-2
   SI43402      HTTPSVR - Fix LDAP login user id truncated problem
   SI43402      HTTPSVR-F/AIUPCALLFUNCTION-T/QZSRAPR-MSGMCH4417 STRTCPSVR *H
   SI43223      HTTPSVR-THREADS-PERFM CGI APPLICATION TAKES LONGER THAN EXPE
   SI43223      HTTPSVR-INCORROUT HTTP APACHE NOT PROCESSING TYPE-MAP FILES
   SI42439      HTTPSVR-THREADS-PERFM APACHE SERVER TAKES A LONG TIME FOR TH
   SI42439      HTTPSVR-UNPRED CHANGE HTTP APACH TO SUPPORT TICKET AUTHENTIC
   SI42439      HTTPSVR-THREADS-INCORROUT QZHBCGIPARSE WITHIN SERVER SIDE IN
   SI42439      HTTPSVR - Fix SSI fails to run in Location container
   SI41367      HTTPSVR - Patch Apache Vulnerability CVE-2010-1623
   SI41367      HTTPSVR-F/APR_POOLS-T/APR_POOLS-MSGMCH3601 QP0ZPUTENVCCSID F
   SI41058      HTTPSVR GARBAGE IN ACCESS LOG FOR HOST NAME
   SI40534      HTTPSVR - Patch Apache Vulnerability CVE-2010-2068
   SI40534      HTTPSVR-UNPRED HTTP VULNERABILITY CVE-2010-1452
   SI40135      HTTPSVR - Update Input Translation Filter
   SI39660      HTTPSVR - MSGMCH1207 HTTP SERVER ISSUING MCH1207
   SI38640      HTTPSVR - ERRORS LOGGED IN ACCESS LOG
   SI38640      HTTPSVR - F/MOD_CGI MCH6902 MCH0601
   SI38640      HTTPSVR - Trace Logging Update
   SI38640      HTTPSVR - Patch Apache Vulnerability CVE 2010 0434
   SI38640      HTTPSVR - Misc Changes
   SI37902      HTTPSVR - Update IBM HTTP Server Directives
   SI37867      Integrity Problem
   SI37867      HTTPSVR - Diagnostic CPF22E7 Error Message
   SI36897      HTTPSVR - INCORROUT WITHIN APACHE EXTENDED LOG, SYSTEM IDENT
   SI36656      HTTPSVR-THREADS-MSGHTP8008 HTTP SERVER WILL FAIL TO START AF
   SI36656      HTTPSVR - Patch Apache Vulnerability CVE 2008 2364
   SI36656      HTTPSVR-F/QZSRAPR-T/QZSRCORE-MSGHTP8005 LOGFORMAT DIRECTIVE

Summary Information

System.............................. i
Models..............................
Release............................. V7R1M0
Licensed Program............... 5770DG1
APAR Fixed.......................... SE62675
Superseded by:...................... PTF SI66472
Recompile........................... N
Library............................. QHTTPSVR
MRI Feature ........................ NONE
Cum Level........................... NONE


Document information

More support for: i family

Software version: V7R1M0

Operating system(s): OS/400

Reference #: SI57763

Modified date: 02 September 2015