Fix list for IBM HTTP Server Version 7.0

Back to all versions

---

	Fix Pack 27 (7.0.0.27)
	Fix Pack 25 (7.0.0.25)
	Fix Pack 23 (7.0.0.23)
	Fix Pack 21 (7.0.0.21)
	Fix Pack 19 (7.0.0.19)
	Fix Pack 17 (7.0.0.17)
	Fix Pack 15 (7.0.0.15)
	Fix Pack 13 (7.0.0.13)
	Fix Pack 11 (7.0.0.11)
	Fix Pack 9 (7.0.0.9)
	Fix Pack 7 (7.0.0.7)
	Fix Pack 5 (7.0.0.5)
	Fix Pack 3 (7.0.0.3)

Note: There is no Fix Pack 1 delivered for IBM HTTP Server. Fix Pack 3 is the first maintenance Fix Pack delivered for IBM HTTP Server V7.0, then odd numbered Fix Packs going forward.

---

Fix Pack 27 (7.0.0.27)
Fix release date: 21 January 2013 Last modified: 21 January 2013 Status: Recommended Download Fix Pack 27	Back to Top

APAR	Description
PM70591	IHS on Microsoft Windows startup failure with SSLv3Timeout or SSLv2Timeout in vhost: 'master_main: create child process failed.'
PM70994	SSLFakeBasicAuth depends on LoadModule order
PM71102	<Location> settings don't affect some mod_negotiation generated content
PM73304	Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server

Note: IBM HTTP Server 7.0.0.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.

Fix Pack 25 (7.0.0.25)
Fix release date: 24 September 2012 Last modified: 24 September 2012 Status: Superseded Download Fix Pack 25	Back to Top

APAR	Description
PM66470	CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site.
PM62011	mod_log_config: The wrong cookie can be logged
PM66218	Upgrade bundled GSKit security library

Note: IBM HTTP Server 7.0.0.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.

Fix Pack 23 (7.0.0.23)
Fix release date: 28 May 2012 Last modified: 28 May 2012 Status: Superseded Download Fix Pack 23	Back to Top

APAR	Description
PM52351	CVE-2012-0717: SSLClientAuth Required_reset is not enforced for SSLv2 connections. http://xforce.iss.net/xforce/xfdb/73749
PM55760	CVE-2012-0031: Possible parent process crash when untrusted code is run in child. http://xforce.iss.net/xforce/xfdb/72377
PM56128	CVE-2012-0053: Possible httpOnly cookie disclosure on compromised site. http://xforce.iss.net/xforce/xfdb/72758
PM58899	CVE-2012-0883: IBM HTTP Server incorrectly sets paths for startup http://xforce.iss.net/xforce/xfdb/74901
PM53340	Incorrect request body handling with Expect: 100-continue.
PM54289	install_ihs script results in errors in the postinstall process. (z/OS only)
PM54387	ABEND EC6 after IHS shutdown when using piped loggers. (z/OS only)
PM56585	mod_authnz_ldap can generate many unnecessary ldap queries while processing 'Require group'
PM57197	Enhancements to IBM HTTP Server serviceability capabilities for hung threads and slow modules.
PM58545	mod_perl build cannot find "OPT_INCNOEXEC" in IHS 7.0

Note: IBM HTTP Server 7.0.0.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.22.

Fix Pack 21 (7.0.0.21)
Fix release date: 16 January 2012 Last modified: 16 January 2012 Status: Superseded Download Fix Pack 21	Back to Top

APAR	Description
PM46234	CVE-2011-3192: Potential Denial of Service with malicious range requests​​​ http://xforce.iss.net/xforce/xfdb/69396
PM47852	CVE-2011-3348: mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized.
PM48384	CVE-2011-3368, CVE-2011-3639, CVE-2011-4317: Potential pattern expansion problem when mod_proxy and mod_rewrite are used together.
PM50426	CVE-2011-3607: Potential buffer overflow and high memory usage in IBM HTTP Server (ap_pregsub)
PM43037	ProxyPass broken due to ebcdic to ascii translation issue with interim response headers
PM43354	No error message for rotatelogs syntax errors
PM44635	IHS returns 500 instead of 401 for a revoked SAF userid
PM44816	Provide end-to-end timeouts for slow requests
PM45618	IHS threads can hang in ldap_bind() without any timeout
PM47429	IHS mod_ldap fails at runtime with 'SSL support failed initialization'
PM49573	IHS startup failure on Windows: 'master_main: create child process failed.'

Note: IBM HTTP Server 7.0.0.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.21.

Fix Pack 19 (7.0.0.19)
Fix release date: 12 September 2011 Last modified: 12 September 2011 Status: Superseded Download Fix Pack 19	Back to Top

APAR	Description
PM38826	CVE-2011-0419 apr_fnmatch() routine can result in high CPU with use of mod_autoindex http://xforce.iss.net/xforce/xfdb/67414
PM27886	Upgrade bundled GSKit security library including secure SSL renegotiation
PM31189	URL containing "%2F" is being decoded to "/" with AllowEncodedSlashes On
PM35469	Network fragmentation occurs with SSL and mod_deflate
PM37261	Use of RLimitMEM and RLimitCPU with mod_cgid on IHS 7.0 fails with an Out of Memory error on Unix
PM37405	mod_authnz_saf on z/OS does not allow user to control behavior when user password is expired
PM38313	Piped loggers that continuously restart cause pipe and file descriptor leaks

Note: IBM HTTP Server 7.0.0.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.19.

Fix Pack 17 (7.0.0.17)
Fix release date: 16 May 2011 Last modified: 16 May 2011 Status: Superseded Download Fix Pack 17	Back to Top

APAR	Description
PM26041	SSL forward proxy closes idle connections during graceful process exit
PM31763	'Header edit' deletes multiple headers

Note: IBM HTTP Server 7.0.0.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.17.

Fix Pack 15 (7.0.0.15)
Fix release date: 28 February 2011 Last modified: 28 February 2011 Status: Superseded Download Fix Pack 15	Back to Top

APAR	Description
PM23263	CVE-2010-1623: apr-util vulnerabilities http://xforce.iss.net/xforce/xfdb/62235
PM24234	CVE-2009-3560 & CVE-2009-3720: mod_dav UTF-8 sequence handling problem http://xforce.iss.net/xforce/xfdb/54598 http://xforce.iss.net/xforce/xfdb/52686
PM20672	IHS SSL initialization fails if SSLClientAuthRequire or SSLClientAuthGroup ends with an unquoted string
PM20934	"MaxClients reached" message can occur prematurely

Note: IBM HTTP Server 7.0.0.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.17.

Fix Pack 13 (7.0.0.13)
Fix release date: 25 October 2010 Last modified: 25 October 2010 Status: Superseded Download Fix Pack 13	Back to Top

APAR	Description
PM16366	CVE-2010-2068: mod_proxy_http vulnerability for Windows platform
PM18904	CVE-2010-1452: mod_dav vulnerability
PM00138	mod_fastcgi: Intermittent Connection Refused error at startup when using FastCGI
PM14028	mod_deflate: Invalid Etag emitted
PM15623	mod_ldap and mod_authnz_ldap: Nested group failures
PM17269	When SSLUnknownRevocationStatus is not explicitly configured, a SSL0275E debug message is logged at notice level

Note: IBM HTTP Server 7.0.0.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.16.

Fix Pack 11 (7.0.0.11)
Fix release date: 18 June 2010 Last modified: 18 June 2010 Status: Superseded Download Fix Pack 11	Back to Top

APAR	Description
PM08939	CVE-2010-0434: mod_headers / CVE-2010-0408
PM07113	Update GSKit to 7.0.4.28
PM04628	gsk7cmd/gsk7capicmd parsing error on '-dn' <dist name> for organization unit (O=) with a space in the name
PM07976	apachectl start or stop can fail in some locales (z/OS only)
PM09819	IBM HTTP Server error log warning; "Not owner: processor unbind failed -1" in an AIX WPAR environment
PM10270	IBM HTTP Server can fail during an upload that is greater than 2GB if SSL is used

Note: IBM HTTP Server 7.0.0.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.15.

Fix Pack 9 (7.0.0.9)
Fix release date: 29 March 2010 Last modified: 29 March 2010 Status: Superseded Download Fix Pack 9	Back to Top

APAR	Description
PK96858	CVE-2009-3094 & CVE-2009-3095: mod_proxy_ftp vulnerabilities http://xforce.iss.net/xforce/xfdb/53041
PM00675	CVE-2009-3555: TLS/SSL protocol MITM vulnerability More info
PK92520	Request for a URI with a long file path can fail on z/OS
PK96600	Prevent runaway forking if the accept mutex is damaged
PK94007	mod_mem_cache: segmentation fault
PK95497	IBM HTTP Server may fail to ignore some cache related headers even when CacheIgnoreHeaders is configured
PK96410	Intermittent error reading status line with http proxy
PK96500	mod_mem_cache, mod_disk_cache: IBM HTTP Server should not cache incomplete responses
PK97740	IBM HTTP Server does not log 408 to the access log when an HTTP request is not sent within the timeout period
PK98225	Cache responses with s-maxage set
PK99128	IBM HTTP Server won't start on z/OS after install_ihs creates symlinks to version root
PM00101	GSKit crash on Microsoft Windows 32bit or AIX operating systems plus purify
PM00136	"apachectl stop" fails if the z/OS resolver is down

Note: IBM HTTP Server 7.0.0.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.14.

Fix Pack 7 (7.0.0.7)
Fix release date: 13 November 2009 Last modified: 13 November 2009 Status: Superseded Download Fix Pack 7	Back to Top

APAR	Description
PK88341	CVE-2009-0023: Underflow in apr_strmatch_precompile & CVE-2009-1956: apr_brigade_vprintf off-by-one overflow vulnerability http://xforce.iss.net/xforce/xfdb/50964
PK88342	CVE-2009-1955: apr_xml_* interface vulnerability http://xforce.iss.net/xforce/xfdb/50994
PK91259	CVE-2009-1890: mod_proxy_http vulnerability
PK91361	CVE-2009-1891: mod_deflate vulnerability http://xforce.iss.net/xforce/xfdb/51626
PK93225	CVE-2009-2412: Apache Portable Runtime memory allocation functions can return invalid pointers
PK87590	%{SERVER_PORT} variable incorrectly resolves to '80' when SSL issued but no port number is provided on the ServerName directive
PK87717	mod_charset_lite translates inbound HTTP request bodies
PK90571	When HTTP Server is configured to use SSL reverse proxy, segmentation faults may occur
PK93106	Cannot configure IHS response to unknown revocation status via OCSP
PK93112	Disable SSLv3 protocol when SSLFIPSEnable is configured
PK93510	Piped errorlog loses initialization error message

Note: IBM HTTP Server 7.0.0.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.13.

Fix Pack 5 (7.0.0.5)
Fix release date: 27 July 2009 Last modified: 27 July 2009 Status: Superseded Download Fix Pack 5	Back to Top

APAR	Description
PK86232	CVE-2009-1195: 'AllowOverride Options=IncludesNOEXEC' allows override of includes with exec http://xforce.iss.net/xforce/xfdb/50808
PK77458	Cached responses contain incorrect Content-Type and Content-Encoding headers on IBM HTTP Server
PK78007	When an SSL request arrives shortly after an IHS restart, a SSL0600S error is logged
PK78073	Can't configure mod_charset_lite to translate only mod_autoindex output
PK78299	Allow startup of IBM Administration Server by a non-root userid
PK78333	Translate 100-Continue responses to ASCII
PK79583	LDAP retry logic insufficient on transient LDAP errors
PK79915	Slow memory leak on z/OS when IBM HTTP Server is configured to request client SSL Certificates
PK81016	mod_proxy_ftp cannot serve files with wildcards in their names
PK81733	mod_authnz_ldap can't pass filter simple enough to support SDBM-backed LDAP (RACF over LDAP)
PK83734	Can't create CMS keyfile with IHS 7.0 from 64-bit Supplemental media on z/Linux
PK84899	Failure and crash in IHS Administration Server during stop operation

Note: IBM HTTP Server 7.0.0.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.11.

Fix Pack 3 (7.0.0.3)
Fix release date: 27 March 2009 Last modified: 27 March 2009 Status: Superseded Download Fix Pack 3	Back to Top

APAR	Description
PK72236	mod_charset_lite suppresses some browser error messages
PK74791	SSL0267E doesn't distinguish between timeouts establishing and completing the SSL handshake

Note: IBM HTTP Server 7.0.0.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.11.