Fix list for IBM HTTP Server Version 7.0

Product documentation


Abstract

IBM HTTP Server provides periodic fixes for release 7.0. The following is a complete listing of fixes for Version 7.0 with the most recent fix at the top.

Content


Fix Pack 33 (7.0.0.33)
Fix Pack 31 (7.0.0.31)
Fix Pack 29 (7.0.0.29)
Fix Pack 27 (7.0.0.27)
Fix Pack 25 (7.0.0.25)
Fix Pack 23 (7.0.0.23)
Fix Pack 21 (7.0.0.21)
Fix Pack 19 (7.0.0.19)
Fix Pack 17 (7.0.0.17)
Fix Pack 15 (7.0.0.15)
Fix Pack 13 (7.0.0.13)
Fix Pack 11 (7.0.0.11)
Fix Pack 9 (7.0.0.9)
Fix Pack 7 (7.0.0.7)
Fix Pack 5 (7.0.0.5)
Fix Pack 3 (7.0.0.3)


Note: There is no Fix Pack 1 delivered for IBM HTTP Server. Fix Pack 3 is the first maintenance Fix Pack delivered for IBM HTTP Server V7.0; Fix Packs after it are odd-numbered.





Fix Pack 33 (7.0.0.33)
Fix release date: 23 June 2014
Last modified: 23 June 2014
Status: Recommended

Download Fix Pack 33

APAR Description
PI05309 CVE-2013-6329: SSL session resumption vulnerability. (GSKit upgrade).
http://www-01.ibm.com/support/docview.wss?&uid=swg21676091
PI09345 CVE-2013-6438: Potential Denial of Service in mod_dav for IBM HTTP Server.
http://www-01.ibm.com/support/docview.wss?&uid=swg21676091
PI09443 CVE-2013-6747: GSKit Certificate Chain Vulnerability. (GSKit upgrade).
http://www-01.ibm.com/support/docview.wss?&uid=swg21676091
PI13028 CVE-2014-0098: mod_log_config - Potential denial of service vulnerability
http://www-01.ibm.com/support/docview.wss?&uid=swg21676091
PI17025 CVE-2014-0963: IBM HTTP Server high CPU utilization with SSL
http://www-01.ibm.com/support/docview.wss?&uid=swg21676091
PM97650 IBM HTTP Server does not send SIGTERM to fastCGI application
PI06366 IBM HTTP Server thread creation failures when scaling up from default configuration on RHEL6
PI08502 Potential heap corruption under load for IBM HTTP Server with SSL enabled. (GSKit upgrade).
PI08715 Potential mod_proxy crashes under load
PI15344 IBM HTTP Server caching issues
PI16599 Authentication failure gives LDAP error for non-LDAP configurations


Note: IBM HTTP Server 7.0.0.33 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.27.


Fix Pack 31 (7.0.0.31)
Fix release date: 13 January 2014
Last modified: 13 January 2014
Status: Superseded

Download Fix Pack 31

APAR Description
PM87808 CVE-2013-1862: mod_rewrite vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg21661323
PM89996 CVE-2013-1896: mod_dav vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg21661323
PM84215 mod_mpmstats may report incorrect values during startup or shutdown
PM89422 IHS WebDAV requests slow on Windows.
PM94008 Timed-out ldap bind and search failures on reused connections are not retried
PM94143 Use of SAFRunAs results in ICH408I messages to be issued against the HTTP Server userid (z/OS only)
PM94602 ProxyRemote fails to work with SSL requests
PM96039 The AcceptEx disablement notice should not appear in Windows Event Viewer


Note: IBM HTTP Server 7.0.0.31 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.26.


Fix Pack 29 (7.0.0.29)
Fix release date: 24 June 2013
Last modified: 24 June 2013
Status: Superseded

Download Fix Pack 29

APAR Description
PM76110 CVE-2012-4557: mod_proxy_ajp incorrectly marks backend WAS CE server down
PM80058 CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules
http://xforce.iss.net/xforce/xfdb/82359
http://xforce.iss.net/xforce/xfdb/82360
PM85211 CVE-2013-0169: TLS Vulnerability (This fix upgrades the bundled GSKit security library)
http://xforce.iss.net/xforce/xfdb/81902
PM75876 The 'Header' directive can't set a header only if the header is absent, even when using 'EDIT' mode or relying on other modules.
PM77980 IBM HTTP Server should not add the Server: header by default
PM78087 IBM HTTP Server high memory use when many hundreds of RewriteCond %{REQUEST_URI}
PM78144 IBM HTTP Server large logformats cannot be correctly logged by piped loggers
PM79015 mod_disk_cache on Windows gives error: '(OS 5) Access is denied: disk_cache: Rename tempfile to datafile failed'


Note: IBM HTTP Server 7.0.0.29 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.


Fix Pack 27 (7.0.0.27)
Fix release date: 21 January 2013
Last modified: 21 January 2013
Status: Superseded

Download Fix Pack 27

APAR Description
PM70591 IHS on Microsoft Windows startup failure with SSLv3Timeout or SSLv2Timeout in vhost: 'master_main: create child process failed.'
PM70994 SSLFakeBasicAuth depends on LoadModule order
PM71102 <Location> settings don't affect some mod_negotiation generated content
PM73304 Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server


Note: IBM HTTP Server 7.0.0.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.


Fix Pack 25 (7.0.0.25)
Fix release date: 24 September 2012
Last modified: 24 September 2012
Status: Superseded

Download Fix Pack 25

APAR Description
PM66470 CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site.
PM62011 mod_log_config: The wrong cookie can be logged
PM66218 Upgrade bundled GSKit security library


Note: IBM HTTP Server 7.0.0.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.


Fix Pack 23 (7.0.0.23)
Fix release date: 28 May 2012
Last modified: 28 May 2012
Status: Superseded

Download Fix Pack 23

APAR Description
PM52351 CVE-2012-0717: SSLClientAuth Required_reset is not enforced for SSLv2 connections.
http://xforce.iss.net/xforce/xfdb/73749
PM55760 CVE-2012-0031: Possible parent process crash when untrusted code is run in child.
http://xforce.iss.net/xforce/xfdb/72377
PM56128 CVE-2012-0053: Possible httpOnly cookie disclosure on compromised site.
http://xforce.iss.net/xforce/xfdb/72758
PM58899 CVE-2012-0883: IBM HTTP Server incorrectly sets paths for startup
http://xforce.iss.net/xforce/xfdb/74901
PM53340 Incorrect request body handling with Expect: 100-continue.
PM54289 install_ihs script results in errors in the postinstall process. (z/OS only)
PM54387 ABEND EC6 after IHS shutdown when using piped loggers. (z/OS only)
PM56585 mod_authnz_ldap can generate many unnecessary ldap queries while processing 'Require group'
PM57197 Enhancements to IBM HTTP Server serviceability capabilities for hung threads and slow modules.
PM58545 mod_perl build cannot find "OPT_INCNOEXEC" in IHS 7.0


Note: IBM HTTP Server 7.0.0.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.22.


Fix Pack 21 (7.0.0.21)
Fix release date: 16 January 2012
Last modified: 16 January 2012
Status: Superseded

Download Fix Pack 21

APAR Description
PM46234 CVE-2011-3192: Potential Denial of Service with malicious range requests
http://xforce.iss.net/xforce/xfdb/69396
PM47852 CVE-2011-3348: mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized.
PM48384 CVE-2011-3368, CVE-2011-3639, CVE-2011-4317: Potential pattern expansion problem when mod_proxy and mod_rewrite are used together.
PM50426 CVE-2011-3607: Potential buffer overflow and high memory usage in IBM HTTP Server (ap_pregsub)
PM43037 ProxyPass broken due to ebcdic to ascii translation issue with interim response headers
PM43354 No error message for rotatelogs syntax errors
PM44635 IHS returns 500 instead of 401 for a revoked SAF userid
PM44816 Provide end-to-end timeouts for slow requests
PM45618 IHS threads can hang in ldap_bind() without any timeout
PM47429 IHS mod_ldap fails at runtime with 'SSL support failed initialization'
PM49573 IHS startup failure on Windows: 'master_main: create child process failed.'


Note: IBM HTTP Server 7.0.0.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.21.


Fix Pack 19 (7.0.0.19)
Fix release date: 12 September 2011
Last modified: 12 September 2011
Status: Superseded

Download Fix Pack 19

APAR Description
PM38826 CVE-2011-0419: apr_fnmatch() routine can result in high CPU with use of mod_autoindex
http://xforce.iss.net/xforce/xfdb/67414
PM27886 Upgrade bundled GSKit security library including secure SSL renegotiation
PM31189 URL containing "%2F" is being decoded to "/" with AllowEncodedSlashes On
PM35469 Network fragmentation occurs with SSL and mod_deflate
PM37261 Use of RLimitMEM and RLimitCPU with mod_cgid on IHS 7.0 fails with an Out of Memory error on Unix
PM37405 mod_authnz_saf on z/OS does not allow user to control behavior when user password is expired
PM38313 Piped loggers that continuously restart cause pipe and file descriptor leaks


Note: IBM HTTP Server 7.0.0.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.19.


Fix Pack 17 (7.0.0.17)
Fix release date: 16 May 2011
Last modified: 16 May 2011
Status: Superseded

Download Fix Pack 17

APAR Description
PM26041 SSL forward proxy closes idle connections during graceful process exit
PM31763 'Header edit' deletes multiple headers


Note: IBM HTTP Server 7.0.0.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.17.


Fix Pack 15 (7.0.0.15)
Fix release date: 28 February 2011
Last modified: 28 February 2011
Status: Superseded

Download Fix Pack 15

APAR Description
PM23263 CVE-2010-1623: apr-util vulnerabilities
http://xforce.iss.net/xforce/xfdb/62235
PM24234 CVE-2009-3560 & CVE-2009-3720: mod_dav UTF-8 sequence handling problem
http://xforce.iss.net/xforce/xfdb/54598
http://xforce.iss.net/xforce/xfdb/52686
PM20672 IHS SSL initialization fails if SSLClientAuthRequire or SSLClientAuthGroup ends with an unquoted string
PM20934 "MaxClients reached" message can occur prematurely


Note: IBM HTTP Server 7.0.0.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.17.


Fix Pack 13 (7.0.0.13)
Fix release date: 25 October 2010
Last modified: 25 October 2010
Status: Superseded

Download Fix Pack 13

APAR Description
PM16366 CVE-2010-2068: mod_proxy_http vulnerability for Windows platform
PM18904 CVE-2010-1452: mod_dav vulnerability
PM00138 mod_fastcgi: Intermittent Connection Refused error at startup when using FastCGI
PM14028 mod_deflate: Invalid Etag emitted
PM15623 mod_ldap and mod_authnz_ldap: Nested group failures
PM17269 When SSLUnknownRevocationStatus is not explicitly configured, a SSL0275E debug message is logged at notice level


Note: IBM HTTP Server 7.0.0.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.16.


Fix Pack 11 (7.0.0.11)
Fix release date: 18 June 2010
Last modified: 18 June 2010
Status: Superseded

Download Fix Pack 11

APAR Description
PM08939 CVE-2010-0434: mod_headers / CVE-2010-0408
PM07113 Update GSKit to 7.0.4.28
PM04628 gsk7cmd/gsk7capicmd parsing error on '-dn' <dist name> for organization unit (O=) with a space in the name
PM07976 apachectl start or stop can fail in some locales (z/OS only)
PM09819 IBM HTTP Server error log warning; "Not owner: processor unbind failed -1" in an AIX WPAR environment
PM10270 IBM HTTP Server can fail during an upload that is greater than 2GB if SSL is used


Note: IBM HTTP Server 7.0.0.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.15.


Fix Pack 9 (7.0.0.9)
Fix release date: 29 March 2010
Last modified: 29 March 2010
Status: Superseded

Download Fix Pack 9

APAR Description
PK96858 CVE-2009-3094 & CVE-2009-3095: mod_proxy_ftp vulnerabilities
http://xforce.iss.net/xforce/xfdb/53041
PM00675 CVE-2009-3555: TLS/SSL protocol MITM vulnerability
PK92520 Request for a URI with a long file path can fail on z/OS
PK96600 Prevent runaway forking if the accept mutex is damaged
PK94007 mod_mem_cache: segmentation fault
PK95497 IBM HTTP Server may fail to ignore some cache related headers even when CacheIgnoreHeaders is configured
PK96410 Intermittent error reading status line with http proxy
PK96500 mod_mem_cache, mod_disk_cache: IBM HTTP Server should not cache incomplete responses
PK97740 IBM HTTP Server does not log 408 to the access log when an HTTP request is not sent within the timeout period
PK98225 Cache responses with s-maxage set
PK99128 IBM HTTP Server won't start on z/OS after install_ihs creates symlinks to version root
PM00101 GSKit crash on Microsoft Windows 32bit or AIX operating systems plus purify
PM00136 "apachectl stop" fails if the z/OS resolver is down


Note: IBM HTTP Server 7.0.0.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.14.


Fix Pack 7 (7.0.0.7)
Fix release date: 13 November 2009
Last modified: 13 November 2009
Status: Superseded

Download Fix Pack 7

APAR Description
PK88341 CVE-2009-0023: Underflow in apr_strmatch_precompile & CVE-2009-1956: apr_brigade_vprintf off-by-one overflow vulnerability
http://xforce.iss.net/xforce/xfdb/50964
PK88342 CVE-2009-1955: apr_xml_* interface vulnerability
http://xforce.iss.net/xforce/xfdb/50994
PK91259 CVE-2009-1890: mod_proxy_http vulnerability
PK91361 CVE-2009-1891: mod_deflate vulnerability
http://xforce.iss.net/xforce/xfdb/51626
PK93225 CVE-2009-2412: Apache Portable Runtime memory allocation functions can return invalid pointers
PK87590 %{SERVER_PORT} variable incorrectly resolves to '80' when SSL issued but no port number is provided on the ServerName directive
PK87717 mod_charset_lite translates inbound HTTP request bodies
PK90571 When HTTP Server is configured to use SSL reverse proxy, segmentation faults may occur
PK93106 Cannot configure IHS response to unknown revocation status via OCSP
PK93112 Disable SSLv3 protocol when SSLFIPSEnable is configured
PK93510 Piped errorlog loses initialization error message


Note: IBM HTTP Server 7.0.0.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.13.


Fix Pack 5 (7.0.0.5)
Fix release date: 27 July 2009
Last modified: 27 July 2009
Status: Superseded

Download Fix Pack 5

APAR Description
PK86232 CVE-2009-1195: 'AllowOverride Options=IncludesNOEXEC' allows override of includes with exec
http://xforce.iss.net/xforce/xfdb/50808
PK77458 Cached responses contain incorrect Content-Type and Content-Encoding headers on IBM HTTP Server
PK78007 When an SSL request arrives shortly after an IHS restart, a SSL0600S error is logged
PK78073 Can't configure mod_charset_lite to translate only mod_autoindex output
PK78299 Allow startup of IBM Administration Server by a non-root userid
PK78333 Translate 100-Continue responses to ASCII
PK79583 LDAP retry logic insufficient on transient LDAP errors
PK79915 Slow memory leak on z/OS when IBM HTTP Server is configured to request client SSL Certificates
PK81016 mod_proxy_ftp cannot serve files with wildcards in their names
PK81733 mod_authnz_ldap can't pass filter simple enough to support SDBM-backed LDAP (RACF over LDAP)
PK83734 Can't create CMS keyfile with IHS 7.0 from 64-bit Supplemental media on z/Linux
PK84899 Failure and crash in IHS Administration Server during stop operation


Note: IBM HTTP Server 7.0.0.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.11.


Fix Pack 3 (7.0.0.3)
Fix release date: 27 March 2009
Last modified: 27 March 2009
Status: Superseded

Download Fix Pack 3

APAR Description
PK72236 mod_charset_lite suppresses some browser error messages
PK74791 SSL0267E doesn't distinguish between timeouts establishing and completing the SSL handshake


Note: IBM HTTP Server 7.0.0.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.11.

Cross reference information
Segment: Application Servers
Product: WebSphere Application Server
Component: IBM HTTP Server
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version: 7.0.0.9, 7.0.0.7, 7.0.0.5, 7.0.0.3, 7.0.0.13, 7.0.0.11, 7.0.0.1, 7.0
Edition:


Document information

More support for: IBM HTTP Server
Software version: 7.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 7014506
Modified date: 2014-06-23
