Product documentation
Abstract
IBM HTTP Server provides periodic fixes for release 6.0.2. The following is a complete listing of fixes for Version 6.0.2 with the most recent fix at the top.
Content
Note: There were no service updates to IBM HTTP Server V6.0.2 between 6.0.2.3 and 6.0.2.7 or between 6.0.2.15 and 6.0.2.19.

Fix release date: 27 September 2010; Last modified: 27 September 2010; Status: Recommended

| APAR | Description |
|---|---|
| PM00138 | mod_fastcgi: Intermittent Connection Refused error at startup when using FastCGI |
| PM09819 | IBM HTTP Server error log warning; "Not owner: processor unbind failed -1" in an AIX WPAR environment |
| PM10270 | IBM HTTP Server can fail during an upload that is greater than 2GB if SSL is used |
| PM11586 | mod_ibm_ssl: Solaris shared library path environment variable may be corrupted during graceful restart with SSL loaded |
| PM17269 | When SSLUnknownRevocationStatus is not explicitly configured, an SSL0275E debug message is logged at notice level |
| PM18904 | mod_dav: Fix handling of the URI structure |

Note: IBM HTTP Server 6.0.2.43 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 19 April 2010; Last modified: 19 April 2010; Status: Superseded

| APAR | Description |
|---|---|
| PM08939 | CVE-2010-0434: mod_headers / CVE-2010-0408 |
| PM09447 | CVE-2010-0425: mod_isapi vulnerability |
| PM07113 | Update GSKit to 7.0.4.28 |
| PK96500 | mod_mem_cache, mod_disk_cache: IBM HTTP Server should not cache incomplete responses |
| PK96790 | mod_deflate input filter not removing Content-Encoding |
| PK97344 | During IBM HTTP Server shutdown, child processes sometimes crash on Windows |
| PK97740 | IBM HTTP Server does not log 408 to the access log when an HTTP request is not sent within the timeout period |
| PM03058 | Implement optional lingering close |
| PM03121 | mod_deflate doesn't compress internally redirected URLs |

Note: IBM HTTP Server 6.0.2.41 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 14 December 2009; Last modified: 14 December 2009; Status: Superseded

| APAR | Description |
|---|---|
| PK91361 | CVE-2009-1891 mod_deflate vulnerability |
| PK93225 | CVE-2009-2412 Apache Portable Runtime memory allocation functions can return invalid pointers |
| PK96858 | CVE-2009-3094 & CVE-2009-3095: mod_proxy_ftp vulnerabilities |
| PM00675 | CVE-2009-3555: TLS/SSL protocol MITM vulnerability |
| PK89004 | Piped logger processes left stranded at restart |
| PK91197 | Startup crash on Windows when configured to use SSL and started as a service |
| PK93106 | Cannot configure IHS response to unknown revocation status via OCSP |
| PK93112 | Disable SSLv3 protocol when SSLFIPSEnable is configured |
| PK93510 | Piped errorlog loses initialization error message |
| PK95329 | CGI variables not available to mod_ext_filter scripts for non-CGI/SSI requests |
| PK96600 | Prevent runaway forking if the accept mutex is damaged |

Note: IBM HTTP Server 6.0.2.39 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix Pack 37 (6.0.2.37)

Fix release date: 31 August 2009; Last modified: 31 August 2009; Status: Superseded

| APAR | Description |
|---|---|
| PK88341 | CVE-2009-0023 : Underflow in apr_strmatch_precompile & CVE-2009-1956 : apr_brigade_vprintf off-by-one overflow vulnerability |
| PK88342 | CVE-2009-1955 : apr_xml_* interface vulnerability |
| PK79583 | mod_ldap retries only once, without delay, when ldap_bind fails |
| PK84656 | Slow memory leak in rotatelogs |
| PK84899 | Failure and crash in IHS Administration Server during stop operation |
| PK86338 | mod_mem_cache slow memory leak |
| PK86513 | mod_ibm_ssl session ID cache daemon (SIDD) started twice in error at HTTP Server startup |
| PK87590 | %{SERVER_PORT} variable incorrectly resolves to '80' when SSL is used but no port number is provided on the ServerName directive |

Note: IBM HTTP Server 6.0.2.37 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 01 June 2009; Last modified: 01 June 2009; Status: Superseded

| APAR | Description |
|---|---|
| PK75671 | When an invalid Expect header is received, IBM HTTP Server does not respond until the timeout value has occurred. |
| PK75858 | The IBM HTTP Server parent process crashes while restarting piped logger if all file descriptors are exhausted. |
| PK76105 | The 'CoreDumpDirectory' directive, used to specify the location of core dumps, was ignored for parent process crashes. |
| PK76363 | Improve mod_mpmstats logging in IHS 6.X to display hanging modules in post_read_request hook. |
| PK77458 | Cached responses contain incorrect Content-Type and Content-Encoding headers on IBM HTTP Server. |
| PK77969 | New log messages to explain the HTTP 403 error when PATH_MAX is exceeded. |
| PK78007 | When an SSL request arrives shortly after an IHS restart, an SSL0600S error is logged. |
| PK78073 | Can't configure mod_charset_lite to translate only mod_autoindex output. |
| PK78128 | Set-Cookie and Set-Cookie2 headers not preserved on 304 responses. |
| PK78333 | Translate 100-Continue responses to ASCII. |
| PK81016 | mod_proxy_ftp cannot serve files with wildcards in their names. |

Note: IBM HTTP Server 6.0.2.35 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 13 February 2009; Last modified: 13 February 2009; Status: Superseded

| APAR | Description |
|---|---|
| PK70197 | CVE-2008-2939 mod_proxy_ftp unescaped wildcard |
| PK68392 | If a piped logger such as rotatelogs fails, a handle is leaked. On Windows, IBM HTTP Server is unable to restart the piped logger. |
| PK68688 | mod_proxy_connect may time out when it processes incoming SSL requests where the SSL record length is between 8 and 16 kilobytes. |
| PK69212 | 'SSLClientAuth required' directive triggers HTTP access control without notification to browser at SSL layer |
| PK70028 | mod_cgid tokenizing ISINDEX queries incorrectly resulting in NULL command line arguments not being passed to CGI scripts |
| PK74791 | SSL0267E doesn't distinguish between timeouts establishing and completing the SSL handshake |

Note: IBM HTTP Server 6.0.2.33 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 20 October 2008; Last modified: 20 October 2008; Status: Superseded

| APAR | Description |
|---|---|
| PK67579 | CVE-2008-2364 HTTP proxy potential denial of service when proxying to untrusted servers |
| PK66154 | mod_cgid socket permissions problem & sidd socket permissions problem |
| PK66755 | IBM HTTP Server mod_rewrite RewriteMap directive can result in high CPU usage when thousands of strings are passed as keys |
| PK66924 | IBM HTTP Server does not correctly handle orphaned rotatelogs processes for the Windows operating system |
| PK67658 | Recursive error document problem |
| PK68182 | postinst returns an error when conf files are not present during service pack install |

Note: IBM HTTP Server 6.0.2.31 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 18 July 2008; Last modified: 18 July 2008; Status: Superseded

| APAR | Description |
|---|---|
| PK61452 | Server Side Includes under mod_include are unreliable with output filters |
| PK61608 | HTTP client certificate revocation status performance enhancement |
| PK62242 | Incorrect error handling in IBM HTTP Server when SIDD is not found under server root |
| PK64089 | Access log displays incorrect timezone offset |
| PK64092 | SSL0409I is sometimes logged when an SSL client disconnects |

Note: IBM HTTP Server 6.0.2.29 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 14 April 2008; Last modified: 14 April 2008; Status: Superseded

| APAR | Description |
|---|---|
| PK57549 | Upgrade GSKit to 7.0.4.14 |
| PK57680 | High CPU loop in mod_ibm_ssl when poll returns unexpected events |
| PK57952 | Input method not escaped in default 413 error response |
| PK58024 | CVE-2007-5000 mod_imap cross-site scripting vulnerability |
| PK58184 | rotatelogs ignores -l option when rotating files based on size |
| PK58884 | IBM HTTP Server compression; AddOutputFilterByType directive did not apply to proxy requests |
| PK59667 | CVE-2007-6388 mod_status cross-site scripting vulnerability |

Note: IBM HTTP Server 6.0.2.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 21 January 2008; Last modified: 21 January 2008; Status: Superseded

| APAR | Description |
|---|---|
| PK48505 | mod_deflate should not process metadata buckets as data |
| PK52726 | Allow Certificate Revocation List support to be used on HP-UX |

Note: IBM HTTP Server 6.0.2.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.

Fix release date: 12 October 2007; Last modified: 12 October 2007; Status: Superseded

| APAR | Description |
|---|---|
| PK50467 | CVE-2007-3304 MPM signalling vulnerability |
| PK48412 | IBM HTTP SERVER logs bad date when certificate has expired |
| PK50469 | CVE-2007-3847 proxy buffer over-read vulnerability |
| PK50460 | mod_deflate does not work with vary headers |
| PK49295 | CVE-2006-5752 mod_status cross-site scripting vulnerability |
| | CVE-2007-1863 mod_cache crash with malicious request |
| PK48606 | IBM HTTP Server shared object fails to load at run-time on RHEL 5 |

Note: IBM HTTP Server 6.0.2.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.

Fix release date: 20 July 2007; Last modified: 20 July 2007; Status: Superseded

| APAR | Description |
|---|---|
| PK35968 | updateinstaller does not check the current IBM® HTTP Server level before allowing the install to take place |
| PK42913 | updating IBM HTTP Server does not update the IHS.product file correctly |
| PK45328 | Single DES is no longer an approved FIPS-140 security function |
| PK45277 | Segmentation fault occurs when pidfile does not exist on web server start |
| PK45296 | mod_ibm_ldap possible crash from uninitialized memory |
| PK44274 | ProxyErrorOverride should not affect redirects |
| PK37809 | Empty response was sent for cached static files after revalidation timeout |

Fix release date: 27 April 2007; Last modified: 27 April 2007; Status: Superseded

| APAR | Description |
|---|---|
| PK39018 | Restart SIDD if it crashes or exits unexpectedly |
| PK38839 | Allow coredumps and other serviceability data for SIGFPE |
| PK34981 | The IBM HTTP Server administrative console incorrectly reports the stop/start status of the IBM HTTP Server |
| PK35675 | mod_mem_cache crashes when used with client certificate authentication |
| PK34180 | Fix incorrect 304 responses for objects which have expired from the cache |
| PK31460 | Fix handling of non-200 success status codes when "ProxyErrorOverride On" is configured. |
| PK30837 | mod_ibm_ldap problems when enabled in .htaccess files |
| PK37731 | no client certificate prompt when multiple SSL vhosts configured |
| PK33253 | SSL virtualhosts unable to perform SSLV3 handshake when keyfile directive has been specified with an invalid parameter |

Fix release date: 2 October 2006; Last modified: 2 October 2006; Status: Superseded

| APAR | Description |
|---|---|
| PK28348 | There is a bug in the handling of cgid directives inside virtualhosts when using the ScriptSock directive. |
| PK28359 | Message "SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file" occurs using n-cipher card. |
| PK29154 | CVE-2006-3747 mod_rewrite error |

Fix release date: 14 August 2006; Last modified: 14 August 2006; Status: Superseded

| APAR | Description |
|---|---|
| PK21998 | PROVIDE DIRECTIVE FOR DISABLING INDIVIDUAL SSL PROTOCOL |
| PK24631 | CVE-2006-3918 HTTP EXPECT HEADER VALUE CAN BE ECHOED TO BROWSER UNESCAPED |
| PK24686 | CGI ON UNIX AND LINUX CANNOT SEE PATH TO SCRIPT IN ARG0 |
| PK22995 | EXCESSIVE CHILD PROCESS CREATION DURING STARTUP. |
| PK25428 | 6.0.X IBM HTTP Server ADMINISTRATION SERVER PERIODICALLY SEGFAULTS WITH __READ_NOCANCEL IN /LIB/TLS/LIBPTHREAD.SO.0. |
| | mod_cache: Fix inconsistent results from requests which are implemented as subrequests. |
| | Correct a problem with ikeyman.bat on Windows 2000 |

Fix release date: 19 June 2006; Last modified: 19 June 2006; Status: Superseded

| APAR | Description |
|---|---|
| PK20167 | INSTALLATION OF REFRESH PACK 2 FOR IBM HTTP SERVER VERSION 6.0.2 IS PARTIAL DUE TO USING THE WRONG BASEDIR FOR INSTALLING GSKIT. |
| PK22485 | IBM HTTP Server MEMORY LEAK IF FILES BEING SERVED ARE TRUNCATED |
| PK23962 | IKEYMAN.BAT ON MICROSOFT® WINDOWS FAILS WITH GSKIT 7.0.3.20 |
| | htdbm crash with -d option on HP-UX/ia64 |
| | allow diagnostic modules to track activity in log-transaction hook |

Fix release date: 14 April 2006; Last modified: 14 April 2006; Status: Superseded

| APAR | Description |
|---|---|
| PK20184 | crashes related to mod_ibm_ssl and mod_ext_filter |
| PK20050 | HTTP status line problem with WebSphere plug-in and byterange filter |
| PK17802 | mod_speling crash with WebSphere request |
| PK13784 | GSKit upgrade to 7.0.3.20 (except for HP-UX/PA-RISC) |
| PK17867 | provide mod_ibm_ldap LDAPCodePageDir directive |
| PK19060 | mod_ibm_ldap doesn't retry request when server timed out connection |
| PK18642 | mod_ibm_ldap memory leak |
| PK19865 | ikeyman won't start on AIX due to JAVA_HOME setting |
| | mod_ibm_ssl now removes null ciphers from default list of supported ciphers |
| | Apache.exe -V on Windows and apachectl -V on other platforms now displays CVE ids of applicable Apache vulnerabilities resolved in this level of IBM HTTP Server |

Fix release date: 13 February 2006; Last modified: 13 February 2006; Status: Superseded

| APAR | Description |
|---|---|
| PK13453 | CLIENT CERTIFICATE IS REQUESTED AND NOT PROVIDED, GSKIT ON THE SUBSEQUENT CONNECTION FINDS AND DELETES THE ORIGINAL SESSION ID. |
| PK13858 | IBM HTTP SERVER CONTENT-LENGTH HEADER REMOVED FROM PROXIED REQUESTS |
| PK15553 | MOD_INCLUDE PARSER OMITS PARTS OF OUTPUT STREAM |
| | Prevent hosts with SSLProxyEngine On from covering up failed initialization of primary SSL environment. |
| | Enable TLS protocol in the GSKit proxy environment to allow for connections to backends using FIPS ciphers. |
| PK15926 | MOD_IBM_LDAP CONFLICT WITH OPENLDAP WHEN /ETC/NSSWITCH.CONF USES LDAP FOR GROUP LOOKUPS |
| PK16390 | IBM HTTP Server 6.0 MAINTENANCE INSTALLATION DISK SPACE REQUIREMENTS ARE LARGER THAN NEEDED |

Fix release date: 28 October 2005; Last modified: 28 October 2005; Status: Superseded

| APAR | Description |
|---|---|
| | CAN-2005-2970 worker MPM memory leak after aborted connection (non-Windows platforms) |
| | Prevent double-free of GSKit memory during stop or restart which sometimes caused a coredump (non-Windows platforms) |
| | Prevent double-free when an error occurred reading data from sidd. (non-Windows platforms only) |
| PK11929 | CAN-2005-2491 Fix integer overflow in PCRE which leads to a heap-based buffer overflow. CAN-2005-2728 Fix byte-range filter which allowed remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. |
| | Handle strerror() returning NULL on Solaris, resolving possible crashes when writing to the error log. |
| | Handle SSL requests where FIN is received from the client on Keepalive connections before the response is written. |
| | sidd now reports specific error code and filename when its trace or error log can't be opened. |
| | Fixed swapped references to ciphers 62 and 64. This resulted in SSLCipher* directives operating on the wrong cipher (i.e. using 64 if 62 had been specified). |
| | Fix SSL handling of Timeout values larger than 2000 seconds, resolving SSL handshake failures |
| PK09327 | IBM HTTP Server ADMINISTRATION RUNNING ON 64 BIT FAILS TO PROPAGATE THE FILES FROM WEBSPHERE APPLICATION SERVER TO IBM HTTP Server. |
| PK08359 | IBM HTTP Server 6.0 ADMINISTRATION SERVICE CANNOT START AS NON-ROOT, NOR CAN RUN MULTIPLE CONCURRENT INSTANCES ON SAME MACHINE. |
| PK10954 | IBM HTTP Server WILL NOT START LOADING THE LDAP MODULE ON (RH4,PPC64) |

Fix release date: 02 September 2005; Last modified: 02 September 2005; Status: Superseded

| APAR | Description |
|---|---|
| PK07831 | INCOMPATIBILITY BETWEEN IBM HTTP SERVER AND CERTAIN GSKIT LEVELS |
| PK07747 | IBM HTTP Server VIRTUAL HOST NO LONGER WORKS AFTER INSTALLATION OF MICROSOFT SECURITY PATCH MS05-019 |
| | CAN-2005-2088 preventative measures to prevent HTTP request smuggling, from Apache 2.1.6 and future Apache 2.0.55 |
| | mod_ibm_ssl: include client IP address on many messages |
| | mod_ibm_ssl: improve reporting of many SSL communication errors |
| | IBM HTTP Server 2.0.X EXITS DUE TO TRANSIENT THREAD CREATION ERRORS. UNIX ONLY |
| PK05830 | IBM HTTP Server 2.0 AND HIGHER ON ALL UNIX PLATFORMS CAN HANG WHEN WRITING LOG RECS TO A PIPED LOGGER, ROTATELOGS, DURING GRACEFUL RESTART. |
| PK05957 | SHIFT_JIS IS DISPLAYED IN ERROR RESPONSE CAUSING BAD CHARACTERS. |
| | Set REDIRECT_REMOTE_USER for redirection of authenticated requests |
| | worker mpm: lower severity of mutex "error" message which can occur normally during restart |
| | display time taken to process request in mod_status |
| | mod_proxy: Handle client-aborted connections correctly |
| | mod_mime_magic on Windows: support magic files with native line endings |
| | support SHA1 passwords for mod_auth and mod_auth_dbm |
| | support SendBufferSize on Windows operating systems |
| | start piped loggers via the shell on UNIX platforms, to support redirection |
| | mod_cgid: Fix buffer overflow processing ScriptSock directive |
| | mod_ibm_ldap: put timestamp on ldap trace records for correlation with other logs |
| | mod_ibm_ldap: return authorization error instead of internal server error when password has expired |
| | mod_ibm_ldap: add configuration control over whether or not referrals are chased via "LdapReferrals [On\|Off]" and "LdapReferralHopLimit nnn" |
| | mod_ibm_ldap: add rebind support for improved compatibility with Microsoft Active Directory 2003 |

Fix release date: 11 July 2005; Last modified: 11 July 2005; Status: Recommended

| APAR | Description |
|---|---|
| | Fix storage corruption problem with mod_userdir+suexec processing |
| | Fix memory leak in the cache handling of mod_rewrite |
| | Fix problem with default service name on Windows with 6.0.1. Service name is 6.0 for life of 6.0.x release. |
| | IBM HTTP SERVER HIGH CPU USAGE DUE TO INEFFICIENT READING OF REWRITEMAP FILES. |
| | dbmmanage: Select the database format which is accepted by IBM HTTP Server |
| | Set RH variable to indicate which module handled or failed the request |
| | Fix a servlet timeout when a POST response page contains SSI tags |
| | fix mod_fastcgi incompatibility with WebSphere plug-in |
| | rename zlib symbols used by mod_deflate to avoid collision with third-party modules |
| | fix ownership of sidd socket if IBM HTTP Server started as non-root on HP-UX platforms |
| PK00175 | CORRUPTION OF LIBPATH ENVIRONMENT VARIABLE BY MOD_IBM_SSL PREVENTS SITEMINDER FROM STARTING EXTERNAL LLAWP PROCESS. |
| | add "/server-status?showmodule" support for displaying name of module where request is stuck; ihsdiag 1.4.0 also exploits this support |
| PQ86346 | Segmentation Fault IBM HTTP Server w/ nss_ldap |
Related information
Fixes by version for IBM HTTP Server
Recommended fixes for IBM HTTP Server
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Application Servers | WebSphere Application Server | IBM HTTP Server | AIX, HP-UX, Linux, Solaris, Windows |
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.