Abstract
IBM HTTP Server provides periodic fixes for release 6.1. The following is a complete listing of fixes for Version 6.1 with the most recent fix at the top.
Content
Note: There is no Fix Pack 1 or Fix Pack 4 delivered for IBM HTTP Server. Fix Pack 2 is the first maintenance Fix Pack delivered for IBM HTTP Server V6.1; Fix Packs after that are odd-numbered.

Fix release date: 24 September 2012; Last modified: 24 September 2012; Status: Recommended

| APAR | Description |
|---|---|
| PM58899 | CVE-2012-0883: IBM HTTP Server incorrectly sets paths for startup |
| PM66470 | CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site |
| PM62011 | mod_log_config: The wrong cookie can be logged |
| PM66218 | Upgrade bundled GSKit security library |
Note: IBM HTTP Server 6.1.0.45 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.

Fix release date: 19 March 2012; Last modified: 19 March 2012; Status: Superseded

| APAR | Description |
|---|---|
| PM48384 | CVE-2011-3368, CVE-2011-3639, CVE-2011-4317: Potential pattern expansion problem when mod_proxy and mod_rewrite are used together. http://xforce.iss.net/xforce/xfdb/70336 |
| PM55760 | CVE-2012-0031: Possible parent process crash when untrusted code is run in child. |
| PM56128 | CVE-2012-0053: Possible httpOnly cookie disclosure on compromised site. |
| PM52351 | SSLClientAuth Required_reset is not enforced for SSLv2 connections http://xforce.iss.net/xforce/xfdb/73749 |
Note: IBM HTTP Server 6.1.0.43 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.

Fix release date: 07 Nov 2011; Last modified: 07 Nov 2011; Status: Superseded

| APAR | Description |
|---|---|
| PM46234 | CVE-2011-3192: Potential Denial of Service with malicious range requests http://xforce.iss.net/xforce/xfdb/69396 |
| PM27886 | Upgrade bundled GSKit security library including secure SSL renegotiation |
| PM44816 | Provide end-to-end timeouts for slow requests |
Note: IBM HTTP Server 6.1.0.41 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.

Fix release date: 18 July 2011; Last modified: 18 July 2011; Status: Superseded

| APAR | Description |
|---|---|
| PM38826 | apr_fnmatch() routine can result in high CPU with use of mod_autoindex |
| PM31189 | URL containing "%2F" is being decoded to "/" with AllowEncodedSlashes Onl |
| PM32235 | IBM HTTP Server child process crash in mod_mem_cache |
| PM35346 | IBM HTTP Server high CPU on large responses from WebSphere Application Server |
| PM35469 | Network fragmentation occurs with SSL and mod_deflate |
Note: IBM HTTP Server 6.1.0.39 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.

Fix release date: 04 April 2011; Last modified: 04 April 2011; Status: Superseded

| APAR | Description |
|---|---|
| PM26003 | GSKit upgrade problems during IHS and Plug-in fixpack installation |
| PM26041 | SSL forward proxy closes idle connections during graceful process exit |
Note: IBM HTTP Server 6.1.0.37 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.

Fix release date: 17 December 2010; Last modified: 17 December 2010; Status: Superseded

| APAR | Description |
|---|---|
| PM18904 | CVE-2010-1452: mod_dav vulnerability |
| PM23263 | CVE-2010-1623: apr-util vulnerabilities http://xforce.iss.net/xforce/xfdb/62235 |
| PM24234 | CVE-2009-3560 & CVE-2009-3720: mod_dav UTF-8 sequence handling problem |
| PM17269 | When SSLUnknownRevocationStatus is not explicitly configured, a SSL0275E debug message is logged at notice level |
| PM20034 | IBM HTTP Server 6.1.0.31 fix pack does not upgrade GSKIT to 7.0.4.28 on AIX |
| PM20672 | IHS SSL initialization fails if SSLClientAuthRequire or SSLClientAuthGroup ends with an unquoted string |
| PM20934 | "MaxClients reached" message can occur prematurely |
Note: IBM HTTP Server 6.1.0.35 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.

Fix release date: 13 September 2010; Last modified: 13 September 2010; Status: Superseded

| APAR | Description |
|---|---|
| PM00138 | mod_fastcgi: Intermittent Connection Refused error at startup when using FastCGI |
| PM07976 | apachectl start or stop can fail in some locales (z/OS only) |
| PM09819 | IBM HTTP Server error log warning; "Not owner: processor unbind failed -1" in an AIX WPAR environment |
| PM10270 | IBM HTTP Server can fail during an upload that is greater than 2GB if SSL is used |
| PM11586 | mod_ibm_ssl: Solaris shared library path environment variable may be corrupted during graceful restart with SSL loaded |
Note: IBM HTTP Server 6.1.0.33 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 10 May 2010; Last modified: 10 May 2010; Status: Superseded

| APAR | Description |
|---|---|
| PM08939 | CVE-2010-0434: mod_headers / CVE-2010-0408 |
| PM09447 | CVE-2010-0425: mod_isapi vulnerability |
| PM07113 | Update GSKit to 7.0.4.28 |
| PK96500 | mod_mem_cache, mod_disk_cache: IBM HTTP Server should not cache incomplete responses |
| PK97740 | IBM HTTP Server does not log 408 to the access log when an HTTP request is not sent within the timeout period |
| PK99128 | IBM HTTP Server won't start on z/OS after install_ihs creates symlinks to version root |
| PK96790 | mod_deflate input filter not removing Content-Encoding |
| PK97344 | During IBM HTTP Server shutdown, child processes sometimes crash on Windows |
| PM03058 | Implement optional lingering close |
| PM03121 | mod_deflate doesn't compress internally redirected urls |
| PM01714 | SAFRunAs directive on z/OS requires the IHS userid to be permitted Read access to the BPX.SERVER FACILITY class profile |
Note: IBM HTTP Server 6.1.0.31 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 18 January 2010; Last modified: 18 January 2010; Status: Superseded

| APAR | Description |
|---|---|
| PK91361 | CVE-2009-1891: mod_deflate vulnerability http://xforce.iss.net/xforce/xfdb/51626 |
| PK93225 | CVE-2009-2412: Apache Portable Runtime memory allocation functions can return invalid pointers |
| PK96858 | CVE-2009-3094 & CVE-2009-3095: mod_proxy_ftp vulnerabilities http://xforce.iss.net/xforce/xfdb/53041 |
| PM00675 | CVE-2009-3555: TLS/SSL protocol MITM vulnerability |
| PK87717 | mod_charset_lite translates inbound HTTP request bodies |
| PK89004 | Piped logger processes left stranded at restart |
| PK91197 | Startup crash on Windows when configured to use SSL and started as a service |
| PK92520 | Request for a URI with a long file path can fail on z/OS |
| PK93106 | Cannot configure IHS response to unknown revocation status via OCSP |
| PK93112 | Disable SSLv3 protocol when SSLFIPSEnable is configured |
| PK93510 | Piped errorlog loses initialization error message |
| PK95329 | CGI variables not available to mod_ext_filter scripts for non-CGI/SSI requests |
| PK96600 | Prevent runaway forking if the accept mutex is damaged |
Note: IBM HTTP Server 6.1.0.29 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 21 September 2009; Last modified: 21 September 2009; Status: Superseded

| APAR | Description |
|---|---|
| PK88341 | CVE-2009-0023: Underflow in apr_strmatch_precompile & CVE-2009-1956: apr_brigade_vprintf off-by-one overflow vulnerability http://xforce.iss.net/xforce/xfdb/50964 |
| PK88342 | CVE-2009-1955: apr_xml_* interface vulnerability http://xforce.iss.net/xforce/xfdb/50994 |
| PK79583 | mod_ldap retries only once, without delay, when ldap_bind fails |
| PK84656 | Slow memory leak in rotatelogs |
| PK86338 | mod_mem_cache slow memory leak |
| PK86513 | mod_ibm_ssl session ID cache daemon (SIDD) started twice in error at HTTP Server startup |
| PK87590 | %{SERVER_PORT} variable incorrectly resolves to '80' when SSL is used but no port number is provided on the ServerName directive |
Note: IBM HTTP Server 6.1.0.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 16 June 2009; Last modified: 16 June 2009; Status: Superseded

| APAR | Description |
|---|---|
| PK77458 | Cached responses contain incorrect Content-Type and Content-Encoding headers on IBM HTTP Server |
| PK77969 | New log messages to explain the HTTP 403 error when PATH_MAX is exceeded |
| PK78007 | When an SSL request arrives shortly after an IHS restart, a SSL0600S error is logged |
| PK78073 | Can't configure mod_charset_lite to translate only mod_autoindex output |
| PK78128 | Set-Cookie and Set-Cookie2 headers not preserved on 304 responses |
| PK78333 | Translate 100-Continue responses to ASCII |
| PK79915 | Slow memory leak on z/OS when IBM HTTP Server is configured to request client SSL Certificates |
| PK81016 | mod_proxy_ftp cannot serve files with wildcards in their names |
| PK84899 | Failure and crash in IHS Administration Server during stop operation |
Note: IBM HTTP Server 6.1.0.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 16 March 2009; Last modified: 16 March 2009; Status: Superseded

| APAR | Description |
|---|---|
| PK72236 | mod_charset_lite suppresses some browser error messages |
| PK74791 | SSL0267E doesn't distinguish between timeouts establishing and completing the SSL handshake |
| PK75671 | When an invalid Expect header is received, IBM HTTP Server does not respond until timeout value has occurred |
| PK75858 | The IBM HTTP Server parent process crashes while restarting piped logger if all file descriptors are exhausted |
| PK76105 | The directive 'CoreDumpDirectory', used to specify the location of core dumps, was ignored for parent process crashes |
| PK76363 | Improve mod_mpmstats logging in IHS 6.X to display hanging modules in post_read_request hook |
Note: IBM HTTP Server 6.1.0.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 01 December 2008; Last modified: 01 December 2008; Status: Superseded

| APAR | Description |
|---|---|
| PK70197 | CVE-2008-2939: mod_proxy_ftp unescaped wildcard |
| PK68182 | postinst returns an error when conf files are not present during service pack install |
| PK68392 | If a piped logger such as rotatelogs fails, a handle is leaked. On Windows, IBM HTTP Server is unable to restart the piped logger. |
| PK68688 | mod_proxy_connect may timeout when it processes incoming SSL requests where the SSL record length is between 8 and 16 kilobytes. |
| PK69212 | 'SSLClientAuth required' directive triggers HTTP access control without notification to browser at SSL layer |
| PK70028 | mod_cgid tokenizing ISINDEX queries incorrectly resulting in NULL command line arguments not being passed to CGI scripts |
Note: IBM HTTP Server 6.1.0.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 15 September 2008; Last modified: 15 September 2008; Status: Superseded

| APAR | Description |
|---|---|
| PK61608 | HTTP client certificate revocation status performance enhancement |
| PK64089 | Access log displays incorrect timezone offset |
| PK64092 | SSL0409I is sometimes logged when an SSL client disconnects |
| PK66154 | mod_cgid socket permissions problem & sidd socket permissions problem |
| PK66755 | IBM HTTP Server mod_rewrite RewriteMap directive can result in high CPU usage when thousands of strings are passed as keys |
| PK66924 | IBM HTTP Server does not correctly handle orphaned rotatelogs processes for the Windows operating system |
| PK67579 | CVE-2008-2364 HTTP proxy potential denial of service when proxying to untrusted servers |
| PK67658 | Recursive error document problem |
Note: IBM HTTP Server 6.1.0.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 3 June 2008; Last modified: 3 June 2008; Status: Superseded

| APAR | Description |
|---|---|
| PK57549 | Upgrade GSKit to 7.0.4.14 |
| PK58884 | IBM HTTP Server compression; AddOutputFilterByType directive did not apply to proxy requests |
| PK59667 | CVE-2007-6388 mod_status cross-site scripting vulnerability |
| PK61452 | Server Side Includes under mod_include are unreliable with output filters |
| PK62242 | Incorrect error handling in IBM HTTP Server when SIDD is not found under server root |
Note: IBM HTTP Server 6.1.0.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.

Fix release date: 10 March 2008; Last modified: 10 March 2008; Status: Superseded

| APAR | Description |
|---|---|
| PK58024 | CVE-2007-5000 mod_imap cross-site scripting vulnerability |
| PK57952 | Input method not escaped in default 413 error response |
| PK57680 | High CPU loop in mod_ibm_ssl when poll returns unexpected events |
| PK58184 | rotatelogs ignores -l option when rotating files based on size |
| PK52726 | Allow Certificate Revocation List support to be used on HP-UX |
Note: IBM HTTP Server 6.1.0.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.

Fix release date: 21 November 2007; Last modified: 21 November 2007; Status: Superseded

| APAR | Description |
|---|---|
| PK48412 | IBM HTTP Server logs bad date when certificate has expired |
| PK48505 | mod_deflate changed HTTP status to 500 for some errors |
| PK49295 | CVE-2006-5752 mod_status cross-site scripting vulnerability |
| PK49355 | CVE-2007-1863 mod_cache crash with malicious request |
| PK50460 | mod_deflate does not work with vary headers |
| PK50467 | CVE-2007-3304 MPM signalling vulnerability |
| PK50469 | CVE-2007-3847 proxy buffer over-read vulnerability |
| PK50274 | ikeyman could not create CMS key database when installed from 64-bit supplements CD |
Note: IBM HTTP Server 6.1.0.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.

Fix release date: 07 September 2007; Last modified: 07 September 2007; Status: Superseded

| APAR | Description |
|---|---|
| PK48606 | mod_ibm_ssl fails to load at run-time on RHEL 5 |
| PK45277 | Segmentation fault occurs when pidfile does not exist on Web server start |
| PK44274 | ProxyErrorOverride should not affect redirects |
| PK45296 | mod_ibm_ldap possible crash from uninitialized memory |
| PK45328 | Single DES is no longer an approved FIPS-140 security function |

Fix release date: 15 June 2007; Last modified: 15 June 2007; Status: Superseded

| APAR | Description |
|---|---|
| PK39018 | Restart SIDD if it exits or crashes unexpectedly |
| PK38839 | Allow collection of coredumps and other serviceability data for SIGFPE crashes |
| PK37731 | No client certificate prompt occurred with multiple SSL vhosts configured |
| PK37809 | Empty response was sent for cached static files after revalidation timeout |
| PK46546 | install_ihs command may not work for symbolic links |

Fix release date: 5 April 2007; Last modified: 5 April 2007; Status: Superseded

| APAR | Description |
|---|---|
| PK33253 | SSL virtualhosts unable to perform SSLV3 handshake when keyfile directive has been specified with an invalid parameter |
| PK34981 | The IBM HTTP Server administrative console incorrectly reports the stop/start status of the IBM HTTP Server |
| PK35675 | mod_mem_cache crashes when used with client certificate authentication |
| PK33959 | IBM HTTP Server service pack updates do not put correct reference values of customer's IBM HTTP Server install |

Fix release date: 15 January 2007; Last modified: 15 January 2007; Status: Superseded

| APAR | Description |
|---|---|
| PK31460 | Observed strange browser behavior when receiving an HTTP 302 response over SSL through the reverse proxy |
| PK33959 | IBM HTTP Server service pack updates don't put correct reference values of customer's IBM HTTP Server install |
| PK34180 | Fix incorrect 304 responses for expired cache objects |

Fix release date: 17 November 2006; Last modified: 17 November 2006; Status: Superseded

| APAR | Description |
|---|---|
| PK28348 | There is a bug in the handling of cgid directives inside VirtualHosts when using ScriptSock directive |
| PK28359 | Message "SSL0227E: SSL Handshake failed, specified label could not be found in the key file" occurs using n-cipher card |
| PK29154 | CVE-2006-3747 mod_rewrite error |
| PK30837 | MOD_IBM_LDAP problems when enabled in .htaccess files |

Fix release date: 18 September 2006; Last modified: 18 September 2006; Status: Superseded

| APAR | Description |
|---|---|
| PK21998 | Provide directive for disabling individual SSL protocol |
| PK22995 | Excessive child process creation during startup |
| PK24631 | CVE-2006-3918 HTTP expect header value can be echoed to browser unescaped |
| PK24686 | CGI on UNIX and Linux cannot see path to script in ARG0 |
| PK25428 | 6.0.x IBM HTTP Server Administration server periodically segfaults with _read_nocancel in /lib/tls/libpthread.so.0 |
| | mod_cache: Fix inconsistent results from requests which are implemented as subrequests. |
| | Allow diagnostic modules to track activity in log-transaction hook |

| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Application Servers | WebSphere Application Server | IBM HTTP Server | AIX, HP-UX, Linux, Solaris, Windows | | Base, Express, Network Deployment |