Fix list for IBM HTTP Server Version 6.0.2

Product documentation


Abstract

IBM HTTP Server provides periodic fixes for release 6.0.2. The following is a complete listing of fixes for Version 6.0.2 with the most recent fix at the top.

Content


Latest cumulative iFix
Fix Pack 43 (6.0.2.43)
Fix Pack 41 (6.0.2.41)
Fix Pack 39 (6.0.2.39)
Fix Pack 37 (6.0.2.37)
Fix Pack 35 (6.0.2.35)
Fix Pack 33 (6.0.2.33)
Fix Pack 31 (6.0.2.31)
Fix Pack 29 (6.0.2.29)
Fix Pack 27 (6.0.2.27)
Fix Pack 25 (6.0.2.25)
Fix Pack 23 (6.0.2.23)
Fix Pack 21 (6.0.2.21)
Fix Pack 19 (6.0.2.19)
Fix Pack 15 (6.0.2.15)
Fix Pack 13 (6.0.2.13)
Fix Pack 11 (6.0.2.11)
Fix Pack 9 (6.0.2.9)
Fix Pack 7 (6.0.2.7)
Fix Pack 3 (6.0.2.3)
Fix Pack 1 (6.0.2.1)
Refresh Pack 2 (6.0.2)

Note: There were no service updates to IBM HTTP Server V6.0.2 between 6.0.2.3 and 6.0.2.7 or between 6.0.2.15 and 6.0.2.19.



Latest cumulative iFix
Fix release date: 07 May 2013
Last modified: 07 May 2013
Status: Recommended
The latest cumulative iFix was created for APAR PM87808, and contains all applicable security fixes in Apache HTTP Server versions up through 2.0.65.

Since IBM HTTP Server 6.0 has reached end-of-service, you must contact IBM support to obtain this iFix.
It can only be installed over the latest 6.0.2.43 fixpack level.

Note: 2.0.65 is the final release of the Apache 2.0 code branch. The Apache HTTP Server Project has ended development of the legacy 2.0 branch, and no further releases will occur from apache.org for the 2.0 version family.




Fix Pack 43 (6.0.2.43)
Fix release date: 27 September 2010
Last modified: 27 September 2010
Status: Recommended

Download information

APAR Description
PM00138 mod_fastcgi: Intermittent Connection Refused error at startup when using FastCGI
PM09819 IBM HTTP Server error log warning; "Not owner: processor unbind failed -1" in an AIX WPAR environment
PM10270 IBM HTTP Server can fail during an upload that is greater than 2GB if SSL is used
PM11586 mod_ibm_ssl: Solaris shared library path environment variable may be corrupted during graceful restart with SSL loaded
PM17269 When SSLUnknownRevocationStatus is not explicitly configured, a SSL0275E debug message is logged at notice level
PM18904 mod_dav: Fix handling of the URI structure


Note: IBM HTTP Server 6.0.2.43 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 41 (6.0.2.41)
Fix release date: 19 April 2010
Last modified: 19 April 2010
Status: Superseded

Download information

APAR Description
PM08939 CVE-2010-0434: mod_headers / CVE-2010-0408
PM09447 CVE-2010-0425: mod_isapi vulnerability
PM07113 Update GSKit to 7.0.4.28
PK96500 mod_mem_cache, mod_disk_cache: IBM HTTP Server should not cache incomplete responses
PK96790 mod_deflate input filter not removing Content-Encoding
PK97344 During IBM HTTP Server shutdown, child processes sometimes crash on Windows
PK97740 IBM HTTP Server does not log 408 to the access log when an HTTP request is not sent within the timeout period
PM03058 Implement optional lingering close
PM03121 mod_deflate doesn't compress internally redirected urls


Note: IBM HTTP Server 6.0.2.41 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 39 (6.0.2.39)
Fix release date: 14 December 2009
Last modified: 14 December 2009
Status: Superseded

Download information

APAR Description
PK91361 CVE-2009-1891 mod_deflate vulnerability
PK93225 CVE-2009-2412 Apache Portable Runtime memory allocation functions can return invalid pointers
PK96858 CVE-2009-3094 & CVE-2009-3095: mod_proxy_ftp vulnerabilities
PM00675 CVE-2009-3555: TLS/SSL protocol MITM vulnerability
PK89004 Piped logger processes left stranded at restart
PK91197 Startup crash on Windows when configured to use SSL and started as a service
PK93106 Cannot configure IHS response to unknown revocation status via OCSP
PK93112 Disable SSLv3 protocol when SSLFIPSEnable is configured
PK93510 Piped errorlog loses initialization error message
PK95329 CGI variables not available to mod_ext_filter scripts for non-CGI/SSI requests
PK96600 Prevent runaway forking if the accept mutex is damaged


Note: IBM HTTP Server 6.0.2.39 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 37 (6.0.2.37)
Fix release date: 31 August 2009
Last modified: 31 August 2009
Status: Superseded

Download information

APAR Description
PK88341 CVE-2009-0023: Underflow in apr_strmatch_precompile & CVE-2009-1956: apr_brigade_vprintf off-by-one overflow vulnerability
PK88342 CVE-2009-1955 : apr_xml_* interface vulnerability
PK79583 mod_ldap retries only once, without delay, when ldap_bind fails
PK84656 Slow memory leak in rotatelogs
PK84899 Failure and crash in IHS Administration Server during stop operation
PK86338 mod_mem_cache slow memory leak
PK86513 mod_ibm_ssl session ID cache daemon (SIDD) started twice in error at HTTP Server startup
PK87590 %{SERVER_PORT} variable incorrectly resolves to '80' when SSL is used but no port number is provided on the ServerName directive


Note: IBM HTTP Server 6.0.2.37 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 35 (6.0.2.35)
Fix release date: 01 June 2009
Last modified: 01 June 2009
Status: Superseded

Download information

APAR Description
PK75671 When an invalid Expect header is received, IBM HTTP Server does not respond until the timeout has occurred.
PK75858 The IBM HTTP Server parent process crashes while restarting piped logger if all file descriptors are exhausted.
PK76105 The directive 'CoreDumpDirectory' used to specify the location for locating core dumps was ignored for parent process crashes.
PK76363 Improve mod_mpmstats logging in IHS 6.X to display hanging modules in post_read_request hook.
PK77458 Cached responses contain incorrect Content-Type and Content-Encoding headers on IBM HTTP Server.
PK77969 New log messages to explain the HTTP 403 error when PATH_MAX is exceeded.
PK78007 When an SSL request arrives shortly after an IHS restart, a SSL0600S error is logged.
PK78073 Can't configure mod_charset_lite to translate only mod_autoindex output.
PK78128 Set-Cookie and Set-Cookie2 headers not preserved on 304 responses.
PK78333 Translate 100-Continue responses to ASCII.
PK81016 mod_proxy_ftp cannot serve files with wildcards in their names.


Note: IBM HTTP Server 6.0.2.35 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 33 (6.0.2.33)
Fix release date: 13 February 2009
Last modified: 13 February 2009
Status: Superseded

Download information

APAR Description
PK70197 CVE-2008-2939 mod_proxy_ftp unescaped wildcard
PK68392 If a piped logger such as rotatelogs fails, a handle is leaked. On Windows, IBM HTTP Server is unable to restart the piped logger.
PK68688 mod_proxy_connect may timeout when it processes incoming SSL requests where the SSL record length is between 8 and 16 kilobytes.
PK69212 'SSLClientAuth required' directive triggers HTTP access control without notification to browser at SSL layer
PK70028 mod_cgid tokenizing ISINDEX queries incorrectly resulting in NULL command line arguments not being passed to CGI scripts
PK74791 SSL0267E doesn't distinguish between timeouts establishing and completing the SSL handshake


Note: IBM HTTP Server 6.0.2.33 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 31 (6.0.2.31)
Fix release date: 20 October 2008
Last modified: 20 October 2008
Status: Superseded

Download information

APAR Description
PK67579 CVE-2008-2364 HTTP proxy potential denial of service when proxying to untrusted servers
PK66154 mod_cgid socket permissions problem & sidd socket permissions problem
PK66755 IBM HTTP Server mod_rewrite RewriteMap directive can result in high CPU usage when thousands of strings are passed as keys
PK66924 IBM HTTP Server does not correctly handle orphaned rotatelogs processes for the Windows operating system
PK67658 Recursive error document problem
PK68182 postinst returns an error when conf files are not present during service pack install


Note: IBM HTTP Server 6.0.2.31 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 29 (6.0.2.29)
Fix release date: 18 July 2008
Last modified: 18 July 2008
Status: Superseded

Download information

APAR Description
PK61452 Server Side Includes under mod_include are unreliable with output filters
PK61608 HTTP client certificate revocation status performance enhancement
PK62242 Incorrect error handling in IBM HTTP Server when SIDD is not found under server root
PK64089 Access log displays incorrect timezone offset
PK64092 SSL0409I is sometimes logged when an SSL client disconnects


Note: IBM HTTP Server 6.0.2.29 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 27 (6.0.2.27)
Fix release date: 14 April 2008
Last modified: 14 April 2008
Status: Superseded

Download information

APAR Description
PK57549 Upgrade GSKit to 7.0.4.14
PK57680 High CPU loop in mod_ibm_ssl when poll returns unexpected events
PK57952 Input method not escaped in default 413 error response
PK58024 CVE-2007-5000 mod_imap cross-site scripting vulnerability
PK58184 rotatelogs ignores -l option when rotating files based on size
PK58884 IBM HTTP Server compression; AddOutputFilterByType directive did not apply to proxy requests
PK59667 CVE-2007-6388 mod_status cross-site scripting vulnerability


Note: IBM HTTP Server 6.0.2.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 25 (6.0.2.25)
Fix release date: 21 January 2008
Last modified: 21 January 2008
Status: Superseded

Download information

APAR Description
PK48505 mod_deflate should not process metadata buckets as data
PK52726 Allow Certificate Revocation List support to be used on HP-UX


Note: IBM HTTP Server 6.0.2.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.



Fix Pack 23 (6.0.2.23)
Fix release date: 12 October 2007
Last modified: 12 October 2007
Status: Superseded

Download information

APAR Description
PK50467 CVE-2007-3304 MPM signalling vulnerability
PK48412 IBM HTTP SERVER logs bad date when certificate has expired
PK50469 CVE-2007-3847 proxy buffer over-read vulnerability
PK50460 mod_deflate does not work with vary headers
PK49295 CVE-2006-5752 mod_status cross-site scripting vulnerability
CVE-2007-1863 mod_cache crash with malicious request
PK48606 IBM HTTP Server shared object fails to load at run-time on RHEL 5


Note: IBM HTTP Server 6.0.2.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.



Fix Pack 21 (6.0.2.21)
Fix release date: 20 July 2007
Last modified: 20 July 2007
Status: Superseded

Download information

APAR Description
PK35968 updateinstaller does not check the current IBM® HTTP Server level before allowing the install to take place
PK42913 updating IBM HTTP Server does not update the IHS.product file correctly
PK45328 Single DES is no longer an approved FIPS-140 security function
PK45277 Segmentation fault occurs when pidfile does not exist on web server start
PK45296 mod_ibm_ldap possible crash from uninitialized memory
PK44274 ProxyErrorOverride should not affect redirects
PK37809 Empty response was sent for cached static files after revalidation timeout


Fix Pack 19 (6.0.2.19)
Fix release date: 27 April 2007
Last modified: 27 April 2007
Status: Superseded

Download information

APAR Description
PK39018 Restart SIDD if it crashes or exits unexpectedly
PK38839 Allow coredumps and other serviceability data for SIGFPE
PK34981 The IBM HTTP Server administrative console incorrectly reports the stop/start status of the IBM HTTP Server
PK35675 mod_mem_cache crashes when used with client certificate authentication
PK34180 Fix incorrect 304 responses for objects which have expired from the cache
PK31460 Fix handling of non-200 success status codes when "ProxyErrorOverride On" is configured.
PK30837 mod_ibm_ldap problems when enabled in .htaccess files
PK37731 no client certificate prompt when multiple SSL vhosts configured
PK33253 SSL virtualhosts unable to perform SSLV3 handshake when keyfile directive has been specified with an invalid parameter


Fix Pack 15 (6.0.2.15)
Fix release date: 2 October 2006
Last modified: 2 October 2006
Status: Superseded

Download information

APAR Description
PK28348 There is a bug in the handling of cgid directives inside virtualhosts when using ScriptSock directive.
PK28359 Message "SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file" occurs using n-cipher card.
PK29154 CVE-2006-3747 mod_rewrite error


Fix Pack 13 (6.0.2.13)
Fix release date: 14 August 2006
Last modified: 14 August 2006
Status: Superseded

Download information

APAR Description
PK21998 PROVIDE DIRECTIVE FOR DISABLING INDIVIDUAL SSL PROTOCOL
PK24631 CVE-2006-3918 HTTP EXPECT HEADER VALUE CAN BE ECHOED TO BROWSER UNESCAPED
PK24686 CGI ON UNIX AND LINUX CANNOT SEE PATH TO SCRIPT IN ARG0
PK22995 EXCESSIVE CHILD PROCESS CREATION DURING STARTUP.
PK25428 6.0.X IBM HTTP Server ADMINISTRATION SERVER PERIODICALLY SEGFAULTS WITH __READ_NOCANCEL IN /LIB/TLS/LIBPTHREAD.SO.0.
mod_cache: Fix inconsistent results from requests which are implemented as subrequests.
Correct a problem with ikeyman.bat on Windows 2000


Fix Pack 11 (6.0.2.11)
Fix release date: 19 June 2006
Last modified: 19 June 2006
Status: Superseded

Download information

APAR Description
PK20167 INSTALLATION OF REFRESH PACK 2 FOR IBM HTTP SERVER VERSION 6.0.2 IS PARTIAL DUE TO USING THE WRONG BASEDIR FOR INSTALLING GSKIT.
PK22485 IBM HTTP Server MEMORY LEAK IF FILES BEING SERVED ARE TRUNCATED
PK23962 IKEYMAN.BAT ON MICROSOFT® WINDOWS FAILS WITH GSKIT 7.0.3.20
htdbm crash with -d option on HP-UX/ia64
allow diagnostic modules to track activity in log-transaction hook


Fix Pack 9 (6.0.2.9)
Fix release date: 14 April 2006
Last modified: 14 April 2006
Status: Superseded

Download information

APAR Description
PK20184 crashes related to mod_ibm_ssl and mod_ext_filter
PK20050 HTTP status line problem with WebSphere plug-in and byterange filter
PK17802 mod_speling crash with WebSphere request
PK13784 GSKit upgrade to 7.0.3.20 (except for HP-UX/PA-RISC)
PK17867 provide mod_ibm_ldap LDAPCodePageDir directive
PK19060 mod_ibm_ldap doesn't retry request when server timed out connection
PK18642 mod_ibm_ldap memory leak
PK19865 ikeyman won't start on AIX due to JAVA_HOME setting
mod_ibm_ssl now removes null ciphers from default list of supported ciphers
Apache.exe -V on Windows and apachectl -V on other platforms now displays CVE ids of applicable Apache vulnerabilities resolved in this level of IBM HTTP Server


Fix Pack 7 (6.0.2.7)
Fix release date: 13 February 2006
Last modified: 13 February 2006
Status: Superseded

Download information

APAR Description
PK13453 CLIENT CERTIFICATE IS REQUESTED AND NOT PROVIDED, GSKIT ON THE SUBSEQUENT CONNECTION FINDS AND DELETES THE ORIGINAL SESSION ID.
PK13858 IBM HTTP SERVER CONTENT-LENGTH HEADER REMOVED FROM PROXIED REQUESTS
PK15553 MOD_INCLUDE PARSER OMITS PARTS OF OUTPUT STREAM
Prevent hosts with SSLProxyEngine On from covering up failed initialization of primary SSL environment.
Enable TLS protocol in the GSKit proxy environment to allow for connections to backends using FIPS ciphers.
PK15926 MOD_IBM_LDAP CONFLICT WITH OPENLDAP WHEN /ETC/NSSWITCH.CONF USES LDAP FOR GROUP LOOKUPS
PK16390 IBM HTTP Server 6.0 MAINTENANCE INSTALLATION DISK SPACE REQUIREMENTS ARE LARGER THAN NEEDED


Fix Pack 3 (6.0.2.3)
Fix release date: 28 October 2005
Last modified: 28 October 2005
Status: Superseded

Download information

APAR Description
CAN-2005-2970 worker MPM memory leak after aborted connection (non-Windows platforms)
Prevent double-free of GSKit memory during stop or restart which sometimes caused a coredump (non-Windows platforms)
Prevent double-free when an error occurred reading data from sidd. (non-Windows platforms only)
PK11929 CAN-2005-2491 Fix integer overflow in PCRE which leads to a heap-based buffer overflow.
CAN-2005-2728 Fix byte-range filter which allowed remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.
Handle strerror() returning NULL on Solaris, resolving possible crashes when writing to the error log.
Handle SSL requests where FIN is received from the client on Keepalive connections before the response is written.
sidd now reports specific error code and filename when its trace or error log can't be opened.
Fixed swapped references to ciphers 62 and 64. This resulted in SSLCipher* directives operating on the wrong cipher (i.e. using 64 if 62 had been specified).
Fix SSL handling of Timeout values larger than 2000 seconds, resolving SSL handshake failures
PK09327 IBM HTTP Server ADMINISTRATION RUNNING ON 64 BIT FAILS TO PROPAGATE THE FILES FROM WEBSPHERE APPLICATION SERVER TO IBM HTTP Server.
PK08359 IBM HTTP Server 6.0 ADMINISTRATION SERVICE CANNOT START AS NON-ROOT, NOR CAN RUN MULTIPLE CONCURRENT INSTANCES ON SAME MACHINE.
PK10954 IBM HTTP Server WILL NOT START LOADING THE LDAP MODULE ON (RH4,PPC64)


Fix Pack 1 (6.0.2.1)
Fix release date: 02 September 2005
Last modified: 02 September 2005
Status: Superseded

Download information

APAR Description
PK07831 INCOMPATIBILITY BETWEEN IBM HTTP SERVER AND CERTAIN GSKIT LEVELS
PK07747 IBM HTTP Server VIRTUAL HOST NO LONGER WORKS AFTER INSTALLATION OF MICROSOFT SECURITY PATCH MS05-019
CAN-2005-2088 preventative measures to prevent HTTP request smuggling, from Apache 2.1.6 and future Apache 2.0.55
mod_ibm_ssl: include client IP address on many messages
mod_ibm_ssl: improve reporting of many SSL communication errors
IBM HTTP Server 2.0.X EXITS DUE TO TRANSIENT THREAD CREATION ERRORS. UNIX ONLY
PK05830 IBM HTTP Server 2.0 AND HIGHER ON ALL UNIX PLATFORMS CAN HANG WHEN WRITING LOG RECS TO A PIPED LOGGER, ROTATELOGS, DURING GRACEFUL RESTART.
PK05957 SHIFT_JIS IS DISPLAYED IN ERROR RESPONSE CAUSING BAD CHARACTERS.
Set REDIRECT_REMOTE_USER for redirection of authenticated requests
worker mpm: lower severity of mutex "error" message which can occur normally during restart
display time taken to process request in mod_status
mod_proxy: Handle client-aborted connections correctly
mod_mime_magic on Windows: support magic files with native line endings
support SHA1 passwords for mod_auth and mod_auth_dbm
support SendBufferSize on Windows operating systems
start piped loggers via the shell on UNIX platforms, to support redirection
mod_cgid: Fix buffer overflow processing ScriptSock directive
mod_ibm_ldap: put timestamp on ldap trace records for correlation with other logs
mod_ibm_ldap: return authorization error instead of internal server error when password has expired
mod_ibm_ldap: add configuration control over whether or not referrals are chased via "LdapReferrals [On|Off]" and "LdapReferralHopLimit nnn"
mod_ibm_ldap: add rebind support for improved compatibility with Microsoft Active Directory 2003


Refresh Pack 2 (6.0.2)
Fix release date: 11 July 2005
Last modified: 11 July 2005
Status: Recommended

Download information

APAR Description
Fix storage corruption problem with mod_userdir+suexec processing
Fix memory leak in the cache handling of mod_rewrite
Fix problem with default service name on Windows with 6.0.1. Service name is 6.0 for life of 6.0.x release.
IBM HTTP SERVER HIGH CPU USAGE DUE TO INEFFICIENT READING OF REWRITEMAP FILES.
dbmmanage: Select the database format which is accepted by IBM HTTP Server
Set RH variable to indicate which module handled or failed the request
Fix a servlet timeout when a POST response page contains SSI tags
fix mod_fastcgi incompatibility with WebSphere plug-in
rename zlib symbols used by mod_deflate to avoid collision with third-party modules
fix ownership of sidd socket if IBM HTTP Server started as non-root on HP-UX platforms
PK00175 CORRUPTION OF LIBPATH ENVIRONMENT VARIABLE BY MOD_IBM_SSL PREVENTS SITEMINDER FROM STARTING EXTERNAL LLAWP PROCESS.
add "/server-status?showmodule" support for displaying name of module where request is stuck; ihsdiag 1.4.0 also exploits this support
PQ86346 Segmentation Fault IBM HTTP Server w/ nss_ldap

Related information

Fixes by version for IBM HTTP Server
Recommended fixes for IBM HTTP Server

Cross reference information
Segment: Application Servers
Product: WebSphere Application Server
Component: IBM HTTP Server
Platform: AIX, HP-UX, Linux, Solaris, Windows


Document information

More support for: IBM HTTP Server, Install
Software version: 6.0.2, 6.0.2.1, 6.0.2.3, 6.0.2.7, 6.0.2.9, 6.0.2.11, 6.0.2.13, 6.0.2.15, 6.0.2.19, 6.0.2.21, 6.0.2.23, 6.0.2.25, 6.0.2.27, 6.0.2.29, 6.0.2.31, 6.0.2.33, 6.0.2.35, 6.0.2.37, 6.0.2.39, 6.0.2.41, 6.0.2.43
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 7007033
Modified date: 2010-09-26
