A fix is available
APAR status
Closed as program error.
Error description
Address CVE-2007-6388 and CVE-2007-5000 for IBM HTTP Server 1.3.28.
Local fix
Problem summary
USERS AFFECTED: IBM HTTP Server 1.3.28.1 users
PROBLEM DESCRIPTION: Correct CVE-2007-5000 and CVE-2007-6388
RECOMMENDATION: This cumulative fix is recommended for all IBM HTTP Server 1.3.28.1 installations.

Address two security issues corrected after the previous cumulative fix for this release, PK55141.

- PK58024 CVE-2007-5000 mod_imap cross-site scripting error with server side image maps
- PK59667 CVE-2007-6388 mod_status cross-site scripting vulnerability

Changes with previous cumulative fixes, included here:

- PK49295 CVE-2006-5752 mod_status cross-site scripting vulnerability
- PK50467 CVE-2007-3304 MPM signalling vulnerability
- PK50469 CVE-2007-3847 proxy buffer over-read vulnerability
- PK44754 mod_ibm_ssl incompatibility with GSKit 7.0.3.25 and higher
- PK19060 Retry connection to LDAP server immediately after connection drop
- PK24631 CVE-2006-3918 Escape value of Expect header in error response to invalid Expect
- PK28587 LDAP cache expiration time was not always honored
- CMVC 84947 Fix crash in mod_ibm_ssl when using client certificate authentication
- PK29157 CVE-2006-3747 mod_rewrite defect which could cause crashes on HP-UX and Windows
- PK13959 CVE-2005-2088 HTTP proxy vulnerability
- CVE-2005-3352 mod_imap cross-site scripting vulnerability
- Resolve Linux/x86 startup failures when /etc/nsswitch.conf specifies LDAP for name resolution, caused by dropped library support in RedHat Advanced Server 3.0 Update 4 and SLES 9
- mod_ibm_ldap: When user id is locked, return 401 instead of 503 and record the problem in error log
- mod_ibm_ldap: Provide LdapReferralHopLimit directive to control how many referrals are allowed
- mod_ibm_ldap: improve tracing
- Allow mod_net_trace to trace writev error
- mod_ibm_ssl on Linux and Unix: resolve double-free error when interfacing with sidd
- PK07747: IHS VIRTUAL HOST NO LONGER WORKS AFTER INSTALLATION OF MICROSOFT SECURITY PATCH MS05-019
- PK05084 CAN-2004-0940 mod_include possible buffer overflow
- Unix: Log errno string for sidd connect failures
- Track active plug-in module when ExtendedStatus is On; "/server-status/?showmodule" can display it.
- Linux for pSeries and zSeries: Remove dependency on external expat library
- CAN-2003-0020 Strip control characters before logging to ErrorLog
- PK03424 Windows: Fix mod_rewrite RewriteLog reliability problem on Windows
- CAN-2003-0987 mod_digest nonce exposure
- SSL in FIPS mode: Don't allow SSLv2 ciphers
- Windows include files reference missing file
- mod_log_config sometimes logged "0" instead of "-" for %b format
- AIX: enable full core dump automatically for httpd crashes
- Fix child process crash in ap_bhalfduplex()
- PQ89899 CAN-2004-0492 crash in mod_proxy
- PQ90262 Misuse of gsk_secure_sock_close causes child process crash
- PQ90562 mod_ibm_ssl storage leak across restart
- mod_snmp limit on virtual hosts was raised to 1500
- PQ92124 HTTP POSTs fail or hang when Afpa is enabled; when Afpa is enabled on Windows, HTTP POST requests may occasionally appear to hang and eventually time out with an error.
- PQ98444 mod_ibm_ldap fails to UTF-8 encode the filter string
Problem conclusion
See APARs for individual fixes.
Temporary fix
Comments
APAR Information
APAR number
PK63273
Reported component name
IBM HTTP SVR NT
Reported component ID
5648B7802
Reported release
328
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2008-03-25
Closed date
2008-04-10
Last modified date
2008-04-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
IBM HTTP SVR NT
Fixed component ID
5648B7802
Applicable component levels
R328 PSN
UP
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.