Fix list for IBM HTTP Server Version 8.0

Product documentation


Abstract

IBM HTTP Server provides periodic fixes for release 8.0. The following is a complete listing of fixes for Version 8.0 with the most recent fix at the top.

Content

Fix Pack 9 (8.0.0.9)
Fix Pack 8 (8.0.0.8)
Fix Pack 7 (8.0.0.7)
Fix Pack 6 (8.0.0.6)
Fix Pack 5 (8.0.0.5)
Fix Pack 4 (8.0.0.4)
Fix Pack 3 (8.0.0.3)
Fix Pack 2 (8.0.0.2)
Fix Pack 1 (8.0.0.1)





Fix Pack 9 (8.0.0.9)
Fix release date: 23 June 2014
Last modified: 23 June 2014
Status: Recommended

Download Fix Pack 9

APAR Description
PI05309 CVE-2013-6329: SSL session resumption vulnerability. (GSKit upgrade).
http://www-01.ibm.com/support/docview.wss?&uid=swg21676092
PI09345 CVE-2013-6438: Potential Denial of Service in mod_dav for IBM HTTP Server.
http://www-01.ibm.com/support/docview.wss?&uid=swg21676092
PI09443 CVE-2013-6747: GSKit Certificate Chain Vulnerability. (GSKit upgrade).
http://www-01.ibm.com/support/docview.wss?&uid=swg21676092
PI13028 CVE-2014-0098: mod_log_config - Potential denial of service vulnerability
http://www-01.ibm.com/support/docview.wss?&uid=swg21676092
PI17025 CVE-2014-0963: IBM HTTP Server high CPU utilization with SSL
http://www-01.ibm.com/support/docview.wss?&uid=swg21676092
PM97650 IBM HTTP Server does not send SIGTERM to fastCGI application
PI04922 IBM HTTP Server scaling/processing threads limited on 64-bit Microsoft Windows (httpd-la)
PI06366 IBM HTTP Server thread creation failures when scaling up from default configuration on RHEL6
PI08502 Potential heap corruption under load for IBM HTTP Server with SSL enabled. (GSKit upgrade).
PI08715 Potential mod_proxy crashes under load
PI13422 Memory leak in GSKit 8.0.50 (GSKit upgrade)
PI15344 IBM HTTP Server caching issues
PI16599 Authentication failure gives LDAP error for non-LDAP configurations

Note: IBM HTTP Server 8.0.0.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.27.


Fix Pack 8 (8.0.0.8)
Fix release date: 13 January 2014
Last modified: 13 January 2014
Status: Superseded

Download Fix Pack 8

APAR Description
PM94008 Timed-out ldap bind and search failures on reused connections are not retried
PM94143 Use of SAFRunAs results in ICH408I messages to be issued against the HTTP Server userid (z/OS only)
PM94602 ProxyRemote fails to work with SSL requests
PM96039 The AcceptEx disablement notice should not appear in Windows Event Viewer

Note: IBM HTTP Server 8.0.0.8 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.26.


Fix Pack 7 (8.0.0.7)
Fix release date: 19 August 2013
Last modified: 19 August 2013
Status: Superseded

Download Fix Pack 7

APAR Description
PM85211 CVE-2013-0169: TLS Vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
PM87808 CVE-2013-1862: mod_rewrite vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
PM89996 CVE-2013-1896: mod_dav vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
PM84215 mod_mpmstats may report incorrect values during startup or shutdown
PM87247 Additional certificate attributes are needed as fields accessible to the SSLClientAuthRequire directive
PM89422 IHS WebDAV requests slow on Windows

Note: IBM HTTP Server 8.0.0.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.25.


Fix Pack 6 (8.0.0.6)
Fix release date: 29 April 2013
Last modified: 29 April 2013
Status: Superseded

Download Fix Pack 6

APAR Description
PM76110 CVE-2012-4557: mod_proxy_ajp incorrectly marks backend WAS CE server down
PM80058 CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules
http://xforce.iss.net/xforce/xfdb/82359
http://xforce.iss.net/xforce/xfdb/82360
PM69188 Installation of IBM HTTP Server completes with a warning. Failure occurs because the system's hostname is not set.
PM70994 SSLFakeBasicAuth depends on LoadModule order
PM71102 <Location> settings don't affect some mod_negotiation generated content
PM73304 Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server
PM75876 The 'Header' directive can't set a header only if the header is absent, even when using 'EDIT' mode or relying on other modules.
PM77980 IBM HTTP Server should not add the Server: header by default
PM78087 IBM HTTP Server high memory use when many hundreds of RewriteCond %{REQUEST_URI}
PM78144 IBM HTTP Server large logformats cannot be correctly logged by piped loggers
PM78434 Provide end-to-end timeouts for SSL handshakes
PM79015 mod_disk_cache on Windows gives error: '(OS 5) Access is denied: disk_cache: Rename tempfile to datafile failed'
PM80235 NIST SP800-131a support for IBM HTTP Server

Note: IBM HTTP Server 8.0.0.6 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.


Fix Pack 5 (8.0.0.5)
Fix release date: 12 November 2012
Last modified: 12 November 2012
Status: Superseded

Download Fix Pack 5

APAR Description
PM66470 CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site
PM72915 TLS compression should be disabled by default in IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg21611881
PM63634 admin.password file was reset after installing fix pack
PM68007 Non-root IBM HTTP Server install fails if primary group has no name
PM70591 IHS on Microsoft Windows startup failure with SSLv3Timeout or SSLv2Timeout in vhost: 'master_main: create child process failed.'
PM71612 Additional non-serviceable files added for IBM HTTP Server.

Note: IBM HTTP Server 8.0.0.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.


Fix Pack 4 (8.0.0.4)
Fix release date: 06 August 2012
Last modified: 06 August 2012
Status: Superseded

Download Fix Pack 4

APAR Description
PM58899 CVE-2012-0883: IBM HTTP Server incorrectly sets paths for startup
http://xforce.iss.net/xforce/xfdb/74901
PM66218 Upgrade bundled GSKit security library
http://www-01.ibm.com/support/docview.wss?&uid=swg21606096
PM56585 mod_authnz_ldap can generate many unnecessary ldap queries while processing 'Require group'
PM57197 Enhancements to IBM HTTP Server serviceability capabilities for hung threads and slow modules.
PM58545 mod_perl build cannot find "OPT_INCNOEXEC"
PM62011 mod_log_config: The wrong cookie can be logged

Note: IBM HTTP Server 8.0.0.4 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.22.


Fix Pack 3 (8.0.0.3)
Fix release date: 16 April 2012
Last modified: 16 April 2012
Status: Superseded

Download Fix Pack 3

APAR Description
PM52351 CVE-2012-0717: SSLClientAuth Required_reset is not enforced for SSLv2 connections.
PM55760 CVE-2012-0031: Possible parent process crash when untrusted code is run in child.
PM56128 CVE-2012-0053: Possible httpOnly cookie disclosure on compromised site.
http://xforce.iss.net/xforce/xfdb/72758
PM53340 Incorrect request body handling with Expect: 100-continue.
PM54289 install_ihs script results in errors in the postinstall process. (z/OS only)
PM54387 ABEND EC6 after IHS shutdown when using piped loggers. (z/OS only)

Note: IBM HTTP Server 8.0.0.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.22.


Fix Pack 2 (8.0.0.2)
Fix release date: 16 January 2012
Last modified: 16 January 2012
Status: Superseded

Download Fix Pack 2

APAR Description
PM47852 CVE-2011-3348: mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized.
PM48384 CVE-2011-3368, CVE-2011-3639, CVE-2011-4317: Potential pattern expansion problem when mod_proxy and mod_rewrite are used together.
PM50426 CVE-2011-3607: Potential buffer overflow and high memory usage in IBM HTTP Server (ap_pregsub)
PM43037 ProxyPass broken due to ebcdic to ascii translation issue with interim response headers
PM43354 No error message for rotatelogs syntax errors
PM44635 IHS returns 500 instead of 401 for a revoked SAF userid
PM44816 Provide end-to-end timeouts for slow requests
PM45618 IHS threads can hang in ldap_bind() without any timeout
PM47429 IHS mod_ldap fails at runtime with 'SSL support failed initialization'
PM49573 IHS startup failure on Windows: 'master_main: create child process failed.'

Note: IBM HTTP Server 8.0.0.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.21.


Fix Pack 1 (8.0.0.1)
Fix release date: 26 September 2011
Last modified: 26 September 2011
Status: Superseded

Download Fix Pack 1

APAR Description
PM38826 CVE-2011-0419: apr_fnmatch() routine can result in high CPU with use of mod_autoindex
http://xforce.iss.net/xforce/xfdb/67414
PM46234 CVE-2011-3192: Potential Denial of Service with malicious range requests
http://xforce.iss.net/xforce/xfdb/69396
PM27886 Provide secure SSL renegotiation
PM37261 Use of RLimitMEM and RLimitCPU with mod_cgid on IHS 7.0 fails with an Out of Memory error on Unix
PM37405 mod_authnz_saf on z/OS does not allow user to control behavior when user password is expired
PM38313 Piped loggers that continuously restart cause pipe and file descriptor leaks

Note: IBM HTTP Server 8.0.0.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.20.


Document information

More support for: IBM HTTP Server
Software version: 8.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
Reference #: 7021867
Modified date: 2014-07-23
