Fix list for IBM HTTP Server V6.1

Product documentation


Abstract

IBM HTTP Server provides periodic fixes for release 6.1. The following is a complete listing of fixes for Version 6.1 with the most recent fix at the top.

Content

Fix Pack 47 (6.1.0.47)
Fix Pack 45 (6.1.0.45)
Fix Pack 43 (6.1.0.43)
Fix Pack 41 (6.1.0.41)
Fix Pack 39 (6.1.0.39)
Fix Pack 37 (6.1.0.37)
Fix Pack 35 (6.1.0.35)
Fix Pack 33 (6.1.0.33)
Fix Pack 31 (6.1.0.31)
Fix Pack 29 (6.1.0.29)
Fix Pack 27 (6.1.0.27)
Fix Pack 25 (6.1.0.25)
Fix Pack 23 (6.1.0.23)
Fix Pack 21 (6.1.0.21)
Fix Pack 19 (6.1.0.19)
Fix Pack 17 (6.1.0.17)
Fix Pack 15 (6.1.0.15)
Fix Pack 13 (6.1.0.13)
Fix Pack 11 (6.1.0.11)
Fix Pack 9 (6.1.0.9)
Fix Pack 7 (6.1.0.7)
Fix Pack 5 (6.1.0.5)
Fix Pack 3 (6.1.0.3)
Fix Pack 2 (6.1.0.2)


Note: There is no Fix Pack 1 or Fix Pack 4 delivered for IBM HTTP Server. Fix Pack 2 is the first maintenance Fix Pack delivered for IBM HTTP Server V6.1, followed by odd-numbered Fix Packs going forward.



Fix Pack 47 (6.1.0.47)
Fix release date: 09 September 2013
Last modified: 09 September 2013
Status: Recommended

Download Fix Pack 47

APAR Description
PM80058 CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules
http://xforce.iss.net/xforce/xfdb/82359
http://xforce.iss.net/xforce/xfdb/82360
PM85211 CVE-2013-0169: TLS Vulnerability (This fix upgrades the bundled GSKit security library)
http://xforce.iss.net/xforce/xfdb/81902
PM87808 CVE-2013-1862: mod_rewrite vulnerability
PM89996 CVE-2013-1896: mod_dav vulnerability
PM54387 ABEND EC6 after IHS shutdown when using piped loggers. (z/OS only)
PM73304 Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server
PM78144 IBM HTTP Server large logformats cannot be correctly logged by piped loggers
PM83409 Cookie values containing an '=' are incorrectly logged.

Note: IBM HTTP Server 6.1.0.47 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.65.



Fix Pack 45 (6.1.0.45)
Fix release date: 24 September 2012
Last modified: 24 September 2012
Status: Superseded

Download Fix Pack 45

APAR Description
PM58899 CVE-2012-0883: IBM HTTP Server incorrectly sets paths for startup
PM66470 CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site
PM62011 mod_log_config: The wrong cookie can be logged
PM66218 Upgrade bundled GSKit security library

Note: IBM HTTP Server 6.1.0.45 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix Pack 43 (6.1.0.43)
Fix release date: 19 March 2012
Last modified: 19 March 2012
Status: Superseded

Download Fix Pack 43

APAR Description
PM48384 CVE-2011-3368, CVE-2011-3639, CVE-2011-4317: Potential pattern expansion problem when mod_proxy and mod_rewrite are used together.
http://xforce.iss.net/xforce/xfdb/70336
PM55760 CVE-2012-0031: Possible parent process crash when untrusted code is run in child.
PM56128 CVE-2012-0053: Possible httpOnly cookie disclosure on compromised site.
PM52351 SSLClientAuth Required_reset is not enforced for SSLv2 connections
http://xforce.iss.net/xforce/xfdb/73749

Note: IBM HTTP Server 6.1.0.43 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix Pack 41 (6.1.0.41)
Fix release date: 07 Nov 2011
Last modified: 07 Nov 2011
Status: Superseded

Download Fix Pack 41

APAR Description
PM46234 CVE-2011-3192: Potential Denial of Service with malicious range requests
http://xforce.iss.net/xforce/xfdb/69396
PM27886 Upgrade bundled GSKit security library including secure SSL renegotiation
PM44816 Provide end-to-end timeouts for slow requests

Note: IBM HTTP Server 6.1.0.41 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix Pack 39 (6.1.0.39)
Fix release date: 18 July 2011
Last modified: 18 July 2011
Status: Superseded

Download Fix Pack 39

APAR Description
PM38826 apr_fnmatch() routine can result in high CPU with use of mod_autoindex
PM31189 URL containing "%2F" is being decoded to "/" with AllowEncodedSlashes On
PM32235 IBM HTTP Server child process crash in mod_mem_cache
PM35346 IBM HTTP Server high CPU on large responses from WebSphere Application Server
PM35469 Network fragmentation occurs with SSL and mod_deflate

Note: IBM HTTP Server 6.1.0.39 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix Pack 37 (6.1.0.37)
Fix release date: 04 April 2011
Last modified: 04 April 2011
Status: Superseded

Download Fix Pack 37

APAR Description
PM26003 GSKit upgrade problems during IHS and Plug-in fixpack installation
PM26041 SSL forward proxy closes idle connections during graceful process exit

Note: IBM HTTP Server 6.1.0.37 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix Pack 35 (6.1.0.35)
Fix release date: 17 December 2010
Last modified: 17 December 2010
Status: Superseded

Download Fix Pack 35

APAR Description
PM18904 CVE-2010-1452: mod_dav vulnerability
PM23263 CVE-2010-1623: apr-util vulnerabilities
http://xforce.iss.net/xforce/xfdb/62235
PM24234 CVE-2009-3560 & CVE-2009-3720: mod_dav UTF-8 sequence handling problem
PM17269 When SSLUnknownRevocationStatus is not explicitly configured, a SSL0275E debug message is logged at notice level
PM20034 IBM HTTP Server 6.1.0.31 fix pack does not upgrade GSKIT to 7.0.4.28 on AIX
PM20672 IHS SSL initialization fails if SSLClientAuthRequire or SSLClientAuthGroup ends with an unquoted string
PM20934 "MaxClients reached" message can occur prematurely

Note: IBM HTTP Server 6.1.0.35 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix Pack 33 (6.1.0.33)
Fix release date: 13 September 2010
Last modified: 13 September 2010
Status: Superseded

Download Fix Pack 33

APAR Description
PM00138 mod_fastcgi: Intermittent Connection Refused error at startup when using FastCGI
PM07976 apachectl start or stop can fail in some locales (z/OS only)
PM09819 IBM HTTP Server error log warning; "Not owner: processor unbind failed -1" in an AIX WPAR environment
PM10270 IBM HTTP Server can fail during an upload that is greater than 2GB if SSL is used
PM11586 mod_ibm_ssl: Solaris shared library path environment variable may be corrupted during graceful restart with SSL loaded

Note: IBM HTTP Server 6.1.0.33 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 31 (6.1.0.31)
Fix release date: 10 May 2010
Last modified: 10 May 2010
Status: Superseded

Download Fix Pack 31

APAR Description
PM08939 CVE-2010-0434: mod_headers / CVE-2010-0408
PM09447 CVE-2010-0425: mod_isapi vulnerability
PM07113 Update GSKit to 7.0.4.28
PK96500 mod_mem_cache, mod_disk_cache: IBM HTTP Server should not cache incomplete responses
PK97740 IBM HTTP Server does not log 408 to the access log when an HTTP request is not sent within the timeout period
PK99128 IBM HTTP Server won't start on z/OS after install_ihs creates symlinks to version root
PK96790 mod_deflate input filter not removing Content-Encoding
PK97344 During IBM HTTP Server shutdown, child processes sometimes crash on Windows
PM03058 Implement optional lingering close
PM03121 mod_deflate doesn't compress internally redirected urls
PM01714 SAFRunAs directive on z/OS requires the IHS userid to be permitted Read access to the BPX.SERVER FACILITY class profile

Note: IBM HTTP Server 6.1.0.31 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 29 (6.1.0.29)
Fix release date: 18 January 2010
Last modified: 18 January 2010
Status: Superseded

Download Fix Pack 29

APAR Description
PK91361 CVE-2009-1891: mod_deflate vulnerability
http://xforce.iss.net/xforce/xfdb/51626
PK93225 CVE-2009-2412: Apache Portable Runtime memory allocation functions can return invalid pointers
PK96858 CVE-2009-3094 & CVE-2009-3095: mod_proxy_ftp vulnerabilities
http://xforce.iss.net/xforce/xfdb/53041
PM00675 CVE-2009-3555: TLS/SSL protocol MITM vulnerability
PK87717 mod_charset_lite translates inbound HTTP request bodies
PK89004 Piped logger processes left stranded at restart
PK91197 Startup crash on Windows when configured to use SSL and started as a service
PK92520 Request for a URI with a long file path can fail on z/OS
PK93106 Cannot configure IHS response to unknown revocation status via OCSP
PK93112 Disable SSLv3 protocol when SSLFIPSEnable is configured
PK93510 Piped errorlog loses initialization error message
PK95329 CGI variables not available to mod_ext_filter scripts for non-CGI/SSI requests
PK96600 Prevent runaway forking if the accept mutex is damaged

Note: IBM HTTP Server 6.1.0.29 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 27 (6.1.0.27)
Fix release date: 21 September 2009
Last modified: 21 September 2009
Status: Superseded

Download Fix Pack 27

APAR Description
PK88341 CVE-2009-0023 : Underflow in apr_strmatch_precompile &
CVE-2009-1956 : apr_brigade_vprintf off-by-one overflow vulnerability
http://xforce.iss.net/xforce/xfdb/50964
PK88342 CVE-2009-1955 : apr_xml_* interface vulnerability
http://xforce.iss.net/xforce/xfdb/50994
PK79583 mod_ldap retries only once, without delay, when ldap_bind fails
PK84656 Slow memory leak in rotatelogs
PK86338 mod_mem_cache slow memory leak
PK86513 mod_ibm_ssl session ID cache daemon (SIDD) started twice in error at HTTP Server startup
PK87590 %{SERVER_PORT} variable incorrectly resolves to '80' when SSL is used but no port number is provided on the ServerName directive

Note: IBM HTTP Server 6.1.0.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 25 (6.1.0.25)
Fix release date: 16 June 2009
Last modified: 16 June 2009
Status: Superseded

Download Fix Pack 25

APAR Description
PK77458 Cached responses contain incorrect Content-Type and Content-Encoding headers on IBM HTTP Server
PK77969 New log messages to explain the HTTP 403 error when PATH_MAX is exceeded
PK78007 When an SSL request arrives shortly after an IHS restart, a SSL0600S error is logged
PK78073 Can't configure mod_charset_lite to translate only mod_autoindex output
PK78128 Set-Cookie and Set-Cookie2 headers not preserved on 304 responses
PK78333 Translate 100-Continue responses to ASCII
PK79915 Slow memory leak on z/OS when IBM HTTP Server is configured to request client SSL Certificates
PK81016 mod_proxy_ftp cannot serve files with wildcards in their names
PK84899 Failure and crash in IHS Administration Server during stop operation

Note: IBM HTTP Server 6.1.0.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 23 (6.1.0.23)
Fix release date: 16 March 2009
Last modified: 16 March 2009
Status: Superseded

Download Fix Pack 23

APAR Description
PK72236 mod_charset_lite suppresses some browser error messages
PK74791 SSL0267E doesn't distinguish between timeouts establishing and completing the SSL handshake
PK75671 When an invalid Expect header is received, IBM HTTP Server does not respond until timeout value has occurred
PK75858 The IBM HTTP Server parent process crashes while restarting piped logger if all file descriptors are exhausted
PK76105 The 'CoreDumpDirectory' directive, used to specify the location for core dumps, was ignored for parent process crashes
PK76363 Improve mod_mpmstats logging in IHS 6.X to display hanging modules in post_read_request hook


Note: IBM HTTP Server 6.1.0.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 21 (6.1.0.21)
Fix release date: 01 December 2008
Last modified: 01 December 2008
Status: Superseded

Download Fix Pack 21

APAR Description
PK70197 CVE-2008-2939: mod_proxy_ftp unescaped wildcard
PK68182 postinst returns an error when conf files are not present during service pack install
PK68392 If a piped logger such as rotatelogs fails, a handle is leaked. On Windows, IBM HTTP Server is unable to restart the piped logger.
PK68688 mod_proxy_connect may time out when it processes incoming SSL requests where the SSL record length is between 8 and 16 kilobytes.
PK69212 'SSLClientAuth required' directive triggers HTTP access control without notification to browser at SSL layer
PK70028 mod_cgid tokenizing ISINDEX queries incorrectly resulting in NULL command line arguments not being passed to CGI scripts


Note: IBM HTTP Server 6.1.0.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 19 (6.1.0.19)
Fix release date: 15 September 2008
Last modified: 15 September 2008
Status: Superseded

Download Fix Pack 19

APAR Description
PK61608 HTTP client certificate revocation status performance enhancement
PK64089 Access log displays incorrect timezone offset
PK64092 SSL0409I is sometimes logged when an SSL client disconnects
PK66154 mod_cgid socket permissions problem & sidd socket permissions problem
PK66755 IBM HTTP Server mod_rewrite RewriteMap directive can result in high CPU usage when thousands of strings are passed as keys
PK66924 IBM HTTP Server does not correctly handle orphaned rotatelogs processes for the Windows operating system
PK67579 CVE-2008-2364 HTTP proxy potential denial of service when proxying to untrusted servers
PK67658 Recursive error document problem


Note: IBM HTTP Server 6.1.0.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 17 (6.1.0.17)
Fix release date: 3 June 2008
Last modified: 3 June 2008
Status: Superseded

Download Fix Pack 17

APAR Description
PK57549 Upgrade GSKit to 7.0.4.14
PK58884 IBM HTTP Server compression; AddOutputFilterByType directive did not apply to proxy requests
PK59667 CVE-2007-6388 mod_status cross-site scripting vulnerability
PK61452 Server Side Includes under mod_include are unreliable with output filters
PK62242 Incorrect error handling in IBM HTTP Server when SIDD is not found under server root


Note: IBM HTTP Server 6.1.0.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix Pack 15 (6.1.0.15)
Fix release date: 10 March 2008
Last modified: 10 March 2008
Status: Superseded

Download Fix Pack 15

APAR Description
PK58024 CVE-2007-5000 mod_imap cross-site scripting vulnerability
PK57952 Input method not escaped in default 413 error response
PK57680 High CPU loop in mod_ibm_ssl when poll returns unexpected events
PK58184 rotatelogs ignores -l option when rotating files based on size
PK52726 Allow Certificate Revocation List support to be used on HP-UX


Note: IBM HTTP Server 6.1.0.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.



Fix Pack 13 (6.1.0.13)
Fix release date: 21 November 2007
Last modified: 21 November 2007
Status: Superseded

Download Fix Pack 13

APAR Description
PK48412 IBM HTTP Server logs bad date when certificate has expired
PK48505 mod_deflate changed HTTP status to 500 for some errors
PK49295 CVE-2006-5752 mod_status cross-site scripting vulnerability
PK49355 CVE-2007-1863 mod_cache crash with malicious request
PK50460 mod_deflate does not work with vary headers
PK50467 CVE-2007-3304 MPM signalling vulnerability
PK50469 CVE-2007-3847 proxy buffer over-read vulnerability
PK50274 ikeyman could not create CMS key database when installed from 64-bit supplements CD


Note: IBM HTTP Server 6.1.0.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.



Fix Pack 11 (6.1.0.11)
Fix release date: 07 September 2007
Last modified: 07 September 2007
Status: Superseded

Download Fix Pack 11

APAR Description
PK48606 mod_ibm_ssl fails to load at run-time on RHEL 5
PK45277 Segmentation fault occurs when pidfile does not exist on Web server start
PK44274 ProxyErrorOverride should not affect redirects
PK45296 mod_ibm_ldap possible crash from uninitialized memory
PK45328 Single DES is no longer an approved FIPS-140 security function



Fix Pack 9 (6.1.0.9)
Fix release date: 15 June 2007
Last modified: 15 June 2007
Status: Superseded

Download Fix Pack 9

APAR Description
PK39018 Restart SIDD if it exits or crashes unexpectedly
PK38839 Allow collection of coredumps and other serviceability data for SIGFPE crashes
PK37731 No client certificate prompt occurred with multiple SSL vhosts configured
PK37809 Empty response was sent for cached static files after revalidation timeout
PK46546 install_ihs command may not work for symbolic links



Fix Pack 7 (6.1.0.7)
Fix release date: 5 April 2007
Last modified: 5 April 2007
Status: Superseded

Download Fix Pack 7

APAR Description
PK33253 SSL virtualhosts unable to perform SSLV3 handshake when keyfile directive has been specified with an invalid parameter
PK34981 The IBM HTTP Server administrative console incorrectly reports the stop/start status of the IBM HTTP Server
PK35675 mod_mem_cache crashes when used with client certificate authentication
PK33959 IBM HTTP Server service pack updates do not put correct reference values of customer's IBM HTTP Server install



Fix Pack 5 (6.1.0.5)
Fix release date: 15 January 2007
Last modified: 15 January 2007
Status: Superseded

Download Fix Pack 5

APAR Description
PK31460 Observed strange browser behavior when receiving an HTTP 302 response over SSL through the reverse proxy
PK33959 IBM HTTP Server service pack updates don't put correct reference values of customer's IBM HTTP Server install
PK34180 Fix incorrect 304 responses for expired cache objects



Fix Pack 3 (6.1.0.3)
Fix release date: 17 November 2006
Last modified: 17 November 2006
Status: Superseded

Download Fix Pack 3

APAR Description
PK28348 There is a bug in the handling of cgid directives inside VirtualHosts when using ScriptSock directive
PK28359 Message "SSL0227E: SSL Handshake failed, specified label could not be found in the key file" occurs using n-cipher card
PK29154 CVE-2006-3747 mod_rewrite error
PK30837 MOD_IBM_LDAP problems when enabled in .htaccess files



Fix Pack 2 (6.1.0.2)
Fix release date: 18 September 2006
Last modified: 18 September 2006
Status: Superseded

Download Fix Pack 2

APAR Description
PK21998 Provide directive for disabling individual SSL protocol
PK22995 Excessive child process creation during startup
PK24631 CVE-2006-3918 HTTP expect header value can be echoed to browser unescaped
PK24686 CGI on UNIX and Linux cannot see path to script in ARG0
PK25428 6.0.x IBM HTTP Server Administration server periodically segfaults with _read_nocancel in /lib/tls/libpthread.so.0
mod_cache: Fix inconsistent results from requests which are implemented as subrequests.
Allow diagnostic modules to track activity in log-transaction hook

Cross reference information
Segment: Application Servers
Product: WebSphere Application Server
Component: IBM HTTP Server
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version:
Edition: Base, Express, Network Deployment

Document information


More support for:

IBM HTTP Server

Software version:

6.1, 6.1.0.2, 6.1.0.3, 6.1.0.5, 6.1.0.7, 6.1.0.9, 6.1.0.11, 6.1.0.13, 6.1.0.15, 6.1.0.17, 6.1.0.19, 6.1.0.21, 6.1.0.23, 6.1.0.25, 6.1.0.27, 6.1.0.29, 6.1.0.31, 6.1.0.33, 6.1.0.35, 6.1.0.37, 6.1.0.39, 6.1.0.41, 6.1.0.43, 6.1.0.45, 6.1.0.47

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

7008517

Modified date:

2013-10-25
