Product Documentation
Abstract
IBM HTTP Server provides periodic fixes for release 7.0. The following is a complete listing of fixes for Version 7.0 with the most recent fix at the top.
Content
Note: There is no Fix Pack 1 delivered for IBM HTTP Server. Fix Pack 3 is the first maintenance Fix Pack delivered for IBM HTTP Server V7.0, then odd numbered Fix Packs going forward.
Fix Pack 45 | Fix release date: 30 April 2018 | Last modified: 30 April 2018 | Status: Recommended |
APAR | Description |
PI82260 | CVE-2017-3167 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280 |
PI82263 | CVE-2017-7668 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280 |
PI82481 | CVE-2017-7679 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280 |
PI87445 | CVE-2017-9798 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
PI87663 | CVE-2017-12618 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
PI90598 | CVE-2017-12613 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22013598 |
PI91913 | CVE-2018-1388 for IBM HTTP Server (ROBOT for GSKit). http://www-01.ibm.com/support/docview.wss?uid=swg22014196 |
PI75341 | /server-status doesn't display client IP until first request is read |
PI76757 | Allow SSL handshake transcripts to be enabled or disabled |
PI78442 | Some sequences of server-side includes mixing '#include virtual=' and '#include file=' result in a HTTP 400 error. |
PI78767 | HttpProtocolOptions does not get merged from global to virtualhost scope in 8.5 and earlier. |
PI80447 | Disable MMAP for static files by default on z/OS (z/OS only) |
PI81360 | Allow SSL_/TLS_ prefixes to be used interchangeably for cipher long names |
PI81602 | Issues with updating SAF password when using Firefox or Chrome (z/OS only) |
PI83257 | Reduce memory usage from long mod_rewrite configurations. |
PI83350 | Add jobname and job id to SMF 103 records for IBM HTTP Server (z/OS only) |
PI84868 | Disable the 3DES cipher by default in IBM HTTP Server. |
PI85702 | SAFRunAs %%CERTIF%% asks for basic auth credentials (z/OS only) |
PI85804 | Improve password failure error messages in authnz_saf (z/OS only) |
PI88232 | Allow the server to handle requests with obsolete folds containing only spaces and/or tabs after PI73984. |
PI88356 | Default ciphers with SSLFIPSEnable are System SSL defaults instead of IHS defaults. (z/OS only) |
PI88553 | Print an error message that includes the errno and errno2 values on failure to find a specified saf-group. |
PI89257 | Error opening new SSL keystores with IHS 7.0 |
PI91075 | Add environment variable to record "SSLVersion" failure |
PI91975 | The 'Header unset Content-Type' directive does not unset the Content-Type response header. |
PI93619 | Upgrade bundled GSKit security library (GSKit upgrade to 7.0.5.15) |
Note: IBM HTTP Server 7.0.0.45 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Fix Pack 43 | Fix release date: 24 April 2017 | Last modified: 24 April 2017 | Status: Superseded |
APAR | Description |
PI63098 | CVE-2016-0718 for IBM HTTP Server (Distributed only) http://www-01.ibm.com/support/docview.wss?&uid=swg21988026 |
PI65855 | CVE-2016-5387 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988019 |
PI66849 | CVE-2012-0876, CVE-2012-1148, CVE-2016-4472 expat vulnerability fixes for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026 |
PI73984 | CVE-2016-8743 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21996847 |
PI56034 | No equivalent functionality for DGW ALWAYSWELCOME directive in IHS on z/OS. |
PI57543 | Allow one address space per rotatelogs process to be conserved. (z/OS only) |
PI58218 | IBM HTTP Server mod_cache fixes. |
PI59561 | Add pre/post password hooks to mod_authnz_saf. (z/OS only) |
PI62663 | Some Server Side Includes (SSI) may not be translated as expected (z/OS only) |
PI63482 | Add a private header with password change information for 401 response. |
PI63682 | IHS mod_status displays many 'NULL' strings in request column. |
PI64346 | SetEnvIf may be skipped with SAF auth enabled (z/OS only) |
PI66695 | mod_reqtimeout can cause 'java.io.IOException: Async IO operation failed' |
PI66787 | Session cache daemon (sidd) memory leak |
PI67595 | AuthSAFExpiration and AuthSAFReenter do not work when using a 401 errordocument (z/OS only) |
PI70024 | Lower message severity to Info for cache return error when connection is aborted for the IBM HTTP Server error logging |
PI70496 | Startup failures when 'SSLEnable' is specified globally instead of within a VirtualHost. |
PI70829 | Provide additional message information for IBM HTTP Server TLS handshakes |
PI72027 | IHS rewrite rule on IPV6 does not redirect correctly. |
PI72350 | Potential crash in mod_mem_cache in IHS 8.5 and earlier. |
PI73027 | Crash with combination of mod_net_trace loaded and 'EnableSendfile ON' in httpd.conf |
Note: IBM HTTP Server 7.0.0.43 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.32.
Fix Pack 41 | Fix release date: 11 April 2016 | Last modified: 11 April 2016 | Status: Superseded |
APAR | Description |
PI45005 | Use of SAFRunAs %%CLIENT%% can result in ICH408I messages being issued against the HTTP Server userid |
PI46616 | Allow RewriteRule to use colon (':') in header names and values |
PI46868 | REXX CGI'S may display as text in the browser |
PI47198 | IHS caching partial response for chunked responses |
PI47445 | IHS V7.0 and V8.0 fail to start when using CharsetOptions NoImplicitAdd. (z/OS only) |
PI47642 | Honor a global LogLevel specified after a virtual host definition that does not explicitly set LogLevel |
PI47828 | IBM HTTP Server on z/OS fails to start with CC=0137 and ABENDU4093 RC00000281 (z/OS only) |
PI48695 | DGW compatibility for CGI query strings and syntax in server-side includes. (z/OS only) |
PI49165 | Add new request time logging formats |
PI49473 | IBM HTTP Server mod_filter is unable to process pages with error response codes returned from WebSphere Plugin |
PI49718 | Improve error_log reporting for 'SSLProxyEngine' handshake errors |
PI49791 | Add the IfFile directive to allow processing directives based on file existence |
PI50376 | DGW compatibility for DOCUMENT_* CGI variables. (z/OS only) |
PI50397 | No error log entries for 'SAFRunAs %%CERTIF_REQ%%' failures. (z/OS only) |
PI50514 | SSL session ID cache daemon (SIDD) creates unnecessary entries |
PI51185 | Enhancements allowing use of SAFRunAsEarly for certificate switching |
PI52299 | TLS_FALLBACK_SCSV support for IBM HTTP Server |
PI54415 | Requests with CONTENT-LENGTH: 0 and any LimitRequestBody may result in a 413 error |
PI54757 | Delay allocating an IHS thread until data is available on a new inbound TCP connection. |
PI54808 | RewriteRule sees un-decoded characters in URL when mod_authnz_saf loaded |
Note: IBM HTTP Server 7.0.0.41 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
Fix Pack 39 | Fix release date: 02 November 2015 | Last modified: 02 November 2015 | Status: Superseded |
APAR | Description |
PI34229 | Disable RC4-based TLS ciphers by default in IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21701072 |
PI36417 | CVE-2015-0138 for IBM HTTP Server (GSKit upgrade to 7.0.5.5) http://www-01.ibm.com/support/docview.wss?uid=swg21698959 |
PI39833 | CVE-2015-1829 for IBM HTTP Server on Windows http://www-01.ibm.com/support/docview.wss?uid=swg21959081 |
PI42928 | CVE-2015-3183: Incorrect parsing of chunked headers http://www-01.ibm.com/support/docview.wss?uid=swg21963361 |
PI44793 | CVE-2015-4947 in IBM HTTP Server Administration Server http://www-01.ibm.com/support/docview.wss?uid=swg21965419 |
PI45596 | CVE-2015-1283 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21964428 |
PI33527 | SSLOCSPEnable directive always enables OCSP (Online Certificate Status Protocol) even if value is 'OFF' |
PI34017 | HTTP error 413 on static files results in a duplicate error message. |
PI35073 | IBM HTTP Server always supplies its own HTTP 'DATE' header to responses generated by the WebSphere webserver plug-in. |
PI35219 | ABEND0C1 when running install_ihs |
PI38322 | Allow mod_cache to ignore an 'Authorization' HTTP request header. |
PI38562 | CGI resources are briefly unavailable just after a restart |
PI38828 | Enable unified config dump |
PI38835 | IBM HTTP Server cannot log time-to-first-byte (TTFB) |
PI40952 | Preserve quoting in SSLServerCert directive |
PI45740 | Encoding error on RewriteRule |
Note: IBM HTTP Server 7.0.0.39 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
Fix Pack 37 | Fix release date: 13 March 2015 | Last modified: 13 March 2015 | Status: Superseded |
APAR | Description |
PI31516 | CVE-2014-8730: Enable strict CBC padding checks on TLS connections http://www-01.ibm.com/support/docview.wss?&uid=swg21697369 |
PI27904 | IBM HTTP Server should disable weak SSL protocols and ciphers by default |
PI23005 | Allow logging of time taken during SSL handshake |
PI24257 | 'Header edit* ...' directive not accepted by IBM HTTP Server |
PI25783 | Fatal getpwuid() error at IBM HTTP Server startup (z/OS only) |
PI26507 | mod_proxy on z/OS doesn't try IPV4 addresses on systems where IPV6 connections fail (z/OS only) |
PI28735 | ErrorDocument redirection for status code 414 (Request URI too long) does not work |
PI30093 | Allow SSLProtocolDisable, SSLProtocolEnable, and SSLAttributeSet in the IBM HTTP Server global configuration |
PI31566 | Allow IBM HTTP Server RLimit* directives to reduce hard limits |
Note: IBM HTTP Server 7.0.0.37 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
Fix Pack 35 | Fix release date: 13 October 2014 | Last modified: 13 October 2014 | Status: Superseded |
APAR | Description |
PI22070 | Multiple Apache web server vulnerabilities: CVE-2014-0118 (mod_deflate), CVE-2014-0226 (mod_status), CVE-2014-0231 (mod_cgid), CVE-2013-5704 (core) http://www-01.ibm.com/support/docview.wss?&uid=swg21684612 |
PI17434 | SSLCACHE may fail due to SSLCACHEPORTFILENAME value being in use (z/OS only) |
PI19581 | IBM HTTP Server modules specified without a path don't load |
Note: IBM HTTP Server 7.0.0.35 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
Fix Pack 33 | Fix release date: 23 June 2014 | Last modified: 23 June 2014 | Status: Superseded |
APAR | Description |
PI05309 | CVE-2013-6329: SSL session resumption vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
PI09345 | CVE-2013-6438: Potential Denial of Service in mod_dav for IBM HTTP Server. http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
PI09443 | CVE-2013-6747: GSKit Certificate Chain Vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
PI13028 | CVE-2014-0098: mod_log_config - Potential denial of service vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
PI17025 | CVE-2014-0963: IBM HTTP Server high CPU utilization with SSL http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
PM97650 | IBM HTTP Server does not send SIGTERM to fastCGI application |
PI06366 | IBM HTTP Server thread creation failures when scaling up from default configuration on RHEL6 |
PI08502 | Potential heap corruption under load for IBM HTTP Server with SSL enabled. (GSKit upgrade). |
PI08715 | Potential mod_proxy crashes under load |
PI15344 | IBM HTTP Server caching issues |
PI16599 | Authentication failure gives LDAP error for non-LDAP configurations |
Note: IBM HTTP Server 7.0.0.33 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.27.
Fix Pack 31 | Fix release date: 13 January 2014 | Last modified: 13 January 2014 | Status: Superseded |
APAR | Description |
PM87808 | CVE-2013-1862: mod_rewrite vulnerability http://www-01.ibm.com/support/docview.wss?uid=swg21661323 |
PM89996 | CVE-2013-1896: mod_dav vulnerability http://www-01.ibm.com/support/docview.wss?uid=swg21661323 |
PM84215 | mod_mpmstats may report incorrect values during startup or shutdown |
PM89422 | IHS WebDAV requests slow on Windows. |
PM94008 | Timed-out ldap bind and search failures on reused connections are not retried |
PM94143 | Use of SAFRunAs results in ICH408I messages being issued against the HTTP Server userid (z/OS only) |
PM94602 | ProxyRemote fails to work with SSL requests |
PM96039 | The AcceptEx disablement notice should not appear in Windows Event Viewer |
Note: IBM HTTP Server 7.0.0.31 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.26.
Fix Pack 29 | Fix release date: 24 June 2013 | Last modified: 24 June 2013 | Status: Superseded |
APAR | Description |
PM76110 | CVE-2012-4557: mod_proxy_ajp incorrectly marks backend WAS CE server down |
PM80058 | CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules https://exchange.xforce.ibmcloud.com/vulnerabilities/82359 https://exchange.xforce.ibmcloud.com/vulnerabilities/82360 |
PM85211 | CVE-2013-0169: TLS Vulnerability (This fix upgrades the bundled GSKit security library) https://exchange.xforce.ibmcloud.com/vulnerabilities/81902 |
PM75876 | The 'Header' directive can't set a header only if the header is absent, even when using 'EDIT' mode or relying on other modules. |
PM77980 | IBM HTTP Server should not add the Server: header by default |
PM78087 | IBM HTTP Server high memory use when many hundreds of RewriteCond %{REQUEST_URI} |
PM78144 | IBM HTTP Server large logformats cannot be correctly logged by piped loggers |
PM79015 | mod_disk_cache on Windows gives error: '(OS 5) Access is denied: disk_cache: Rename tempfile to datafile failed' |
Note: IBM HTTP Server 7.0.0.29 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.
Fix Pack 27 | Fix release date: 21 January 2013 | Last modified: 21 January 2013 | Status: Superseded |
APAR | Description |
PM70591 | IHS on Microsoft Windows startup failure with SSLv3Timeout or SSLv2Timeout in vhost: 'master_main: create child process failed.' |
PM70994 | SSLFakeBasicAuth depends on LoadModule order |
PM71102 | <Location> settings don't affect some mod_negotiation generated content |
PM73304 | Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server |
Note: IBM HTTP Server 7.0.0.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.
Fix Pack 25 | Fix release date: 24 September 2012 | Last modified: 24 September 2012 | Status: Superseded |
APAR | Description |
PM66470 | CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site. |
PM62011 | mod_log_config: The wrong cookie can be logged |
PM66218 | Upgrade bundled GSKit security library |
Note: IBM HTTP Server 7.0.0.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.
Fix Pack 23 | Fix release date: 28 May 2012 | Last modified: 28 May 2012 | Status: Superseded |
APAR | Description |
PM52351 | CVE-2012-0717: SSLClientAuth Required_reset is not enforced for SSLv2 connections. https://exchange.xforce.ibmcloud.com/vulnerabilities/73749 |
PM55760 | CVE-2012-0031: Possible parent process crash when untrusted code is run in child. https://exchange.xforce.ibmcloud.com/vulnerabilities/72377 |
PM56128 | CVE-2012-0053: Possible httpOnly cookie disclosure on compromised site. https://exchange.xforce.ibmcloud.com/vulnerabilities/72758 |
PM58899 | CVE-2012-0883: IBM HTTP Server incorrectly sets paths for startup https://exchange.xforce.ibmcloud.com/vulnerabilities/74901 |
PM53340 | Incorrect request body handling with Expect: 100-continue. |
PM54289 | install_ihs script results in errors in the postinstall process. (z/OS only) |
PM54387 | ABEND EC6 after IHS shutdown when using piped loggers. (z/OS only) |
PM56585 | mod_authnz_ldap can generate many unnecessary ldap queries while processing 'Require group' |
PM57197 | Enhancements to IBM HTTP Server serviceability capabilities for hung threads and slow modules. |
PM58545 | mod_perl build cannot find "OPT_INCNOEXEC" in IHS 7.0 |
Note: IBM HTTP Server 7.0.0.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.22.
Fix Pack 21 | Fix release date: 16 January 2012 | Last modified: 16 January 2012 | Status: Superseded |
APAR | Description |
PM46234 | CVE-2011-3192: Potential Denial of Service with malicious range requests https://exchange.xforce.ibmcloud.com/vulnerabilities/69396 |
PM47852 | CVE-2011-3348: mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized. |
PM48384 | CVE-2011-3368, CVE-2011-3639, CVE-2011-4317: Potential pattern expansion problem when mod_proxy and mod_rewrite are used together. |
PM50426 | CVE-2011-3607: Potential buffer overflow and high memory usage in IBM HTTP Server (ap_pregsub) |
PM43037 | ProxyPass broken due to ebcdic to ascii translation issue with interim response headers |
PM43354 | No error message for rotatelogs syntax errors |
PM44635 | IHS returns 500 instead of 401 for a revoked SAF userid |
PM44816 | Provide end-to-end timeouts for slow requests |
PM45618 | IHS threads can hang in ldap_bind() without any timeout |
PM47429 | IHS mod_ldap fails at runtime with 'SSL support failed initialization' |
PM49573 | IHS startup failure on Windows: 'master_main: create child process failed.' |
Note: IBM HTTP Server 7.0.0.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.21.
Fix Pack 19 | Fix release date: 12 September 2011 | Last modified: 12 September 2011 | Status: Superseded |
APAR | Description |
PM38826 | CVE-2011-0419 apr_fnmatch() routine can result in high CPU with use of mod_autoindex https://exchange.xforce.ibmcloud.com/vulnerabilities/67414 |
PM27886 | Upgrade bundled GSKit security library including secure SSL renegotiation |
PM31189 | URL containing "%2F" is being decoded to "/" with AllowEncodedSlashes On |
PM35469 | Network fragmentation occurs with SSL and mod_deflate |
PM37261 | Use of RLimitMEM and RLimitCPU with mod_cgid on IHS 7.0 fails with an Out of Memory error on Unix |
PM37405 | mod_authnz_saf on z/OS does not allow user to control behavior when user password is expired |
PM38313 | Piped loggers that continuously restart cause pipe and file descriptor leaks |
Note: IBM HTTP Server 7.0.0.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.19.
Fix Pack 17 | Fix release date: 16 May 2011 | Last modified: 16 May 2011 | Status: Superseded |
APAR | Description |
PM26041 | SSL forward proxy closes idle connections during graceful process exit |
PM31763 | 'Header edit' deletes multiple headers |
Note: IBM HTTP Server 7.0.0.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.17.
Fix Pack 15 | Fix release date: 28 February 2011 | Last modified: 28 February 2011 | Status: Superseded |
APAR | Description |
PM23263 | CVE-2010-1623: apr-util vulnerabilities https://exchange.xforce.ibmcloud.com/vulnerabilities/62235 |
PM24234 | CVE-2009-3560 & CVE-2009-3720: mod_dav UTF-8 sequence handling problem https://exchange.xforce.ibmcloud.com/vulnerabilities/54598 https://exchange.xforce.ibmcloud.com/vulnerabilities/52686 |
PM20672 | IHS SSL initialization fails if SSLClientAuthRequire or SSLClientAuthGroup ends with an unquoted string |
PM20934 | "MaxClients reached" message can occur prematurely |
Note: IBM HTTP Server 7.0.0.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.17.
Fix Pack 13 | Fix release date: 25 October 2010 | Last modified: 25 October 2010 | Status: Superseded |
APAR | Description |
PM16366 | CVE-2010-2068: mod_proxy_http vulnerability for Windows platform |
PM18904 | CVE-2010-1452: mod_dav vulnerability |
PM00138 | mod_fastcgi: Intermittent Connection Refused error at startup when using FastCGI |
PM14028 | mod_deflate: Invalid Etag emitted |
PM15623 | mod_ldap and mod_authnz_ldap: Nested group failures |
PM17269 | When SSLUnknownRevocationStatus is not explicitly configured, a SSL0275E debug message is logged at notice level |
Note: IBM HTTP Server 7.0.0.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.16.
Fix Pack 11 | Fix release date: 18 June 2010 | Last modified: 18 June 2010 | Status: Superseded |
APAR | Description |
PM08939 | CVE-2010-0434: mod_headers / CVE-2010-0408 |
PM07113 | Update GSKit to 7.0.4.28 |
PM04628 | gsk7cmd/gsk7capicmd parsing error on '-dn' <dist name> for organization unit (O=) with a space in the name |
PM07976 | apachectl start or stop can fail in some locales (z/OS only) |
PM09819 | IBM HTTP Server error log warning; "Not owner: processor unbind failed -1" in an AIX WPAR environment |
PM10270 | IBM HTTP Server can fail during an upload that is greater than 2GB if SSL is used |
Note: IBM HTTP Server 7.0.0.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.15.
Fix Pack 9 | Fix release date: 29 March 2010 | Last modified: 29 March 2010 | Status: Superseded |
APAR | Description |
PK96858 | CVE-2009-3094 & CVE-2009-3095: mod_proxy_ftp vulnerabilities https://exchange.xforce.ibmcloud.com/vulnerabilities/53041 |
PM00675 | CVE-2009-3555: TLS/SSL protocol MITM vulnerability |
PK92520 | Request for a URI with a long file path can fail on z/OS |
PK96600 | Prevent runaway forking if the accept mutex is damaged |
PK94007 | mod_mem_cache: segmentation fault |
PK95497 | IBM HTTP Server may fail to ignore some cache related headers even when CacheIgnoreHeaders is configured |
PK96410 | Intermittent error reading status line with http proxy |
PK96500 | mod_mem_cache, mod_disk_cache: IBM HTTP Server should not cache incomplete responses |
PK97740 | IBM HTTP Server does not log 408 to the access log when an HTTP request is not sent within the timeout period |
PK98225 | Cache responses with s-maxage set |
PK99128 | IBM HTTP Server won't start on z/OS after install_ihs creates symlinks to version root |
PM00101 | GSKit crash on Microsoft Windows 32bit or AIX operating systems plus purify |
PM00136 | "apachectl stop" fails if the z/OS resolver is down |
Note: IBM HTTP Server 7.0.0.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.14.
Fix Pack 7 | Fix release date: 13 November 2009 | Last modified: 13 November 2009 | Status: Superseded |
APAR | Description |
PK88341 | CVE-2009-0023: Underflow in apr_strmatch_precompile & CVE-2009-1956: apr_brigade_vprintf off-by-one overflow vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/50964 |
PK88342 | CVE-2009-1955: apr_xml_* interface vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/50994 |
PK91259 | CVE-2009-1890: mod_proxy_http vulnerability |
PK91361 | CVE-2009-1891: mod_deflate vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/51626 |
PK93225 | CVE-2009-2412: Apache Portable Runtime memory allocation functions can return invalid pointers |
PK87590 | %{SERVER_PORT} variable incorrectly resolves to '80' when SSL is used but no port number is provided on the ServerName directive |
PK87717 | mod_charset_lite translates inbound HTTP request bodies |
PK90571 | When HTTP Server is configured to use SSL reverse proxy, segmentation faults may occur |
PK93106 | Cannot configure IHS response to unknown revocation status via OCSP |
PK93112 | Disable SSLv3 protocol when SSLFIPSEnable is configured |
PK93510 | Piped errorlog loses initialization error message |
Note: IBM HTTP Server 7.0.0.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.13.
Fix Pack 5 | Fix release date: 27 July 2009 | Last modified: 27 July 2009 | Status: Superseded |
APAR | Description |
PK86232 | CVE-2009-1195: 'AllowOverride Options=IncludesNOEXEC' allows override of includes with exec https://exchange.xforce.ibmcloud.com/vulnerabilities/50808 |
PK77458 | Cached responses contain incorrect Content-Type and Content-Encoding headers on IBM HTTP Server |
PK78007 | When an SSL request arrives shortly after an IHS restart, a SSL0600S error is logged |
PK78073 | Can't configure mod_charset_lite to translate only mod_autoindex output |
PK78299 | Allow startup of IBM Administration Server by a non-root userid |
PK78333 | Translate 100-Continue responses to ASCII |
PK79583 | LDAP retry logic insufficient on transient LDAP errors |
PK79915 | Slow memory leak on z/OS when IBM HTTP Server is configured to request client SSL Certificates |
PK81016 | mod_proxy_ftp cannot serve files with wildcards in their names |
PK81733 | mod_authnz_ldap can't pass filter simple enough to support SDBM-backed LDAP (RACF over LDAP) |
PK83734 | Can't create CMS keyfile with IHS 7.0 from 64-bit Supplemental media on z/Linux |
PK84899 | Failure and crash in IHS Administration Server during stop operation |
Note: IBM HTTP Server 7.0.0.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.11.
Fix Pack 3 | Fix release date: 27 March 2009 | Last modified: 27 March 2009 | Status: Superseded |
APAR | Description |
PK72236 | mod_charset_lite suppresses some browser error messages |
PK74791 | SSL0267E doesn't distinguish between timeouts establishing and completing the SSL handshake |
Note: IBM HTTP Server 7.0.0.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.11.
Document Information
Modified date: 07 September 2022
UID: swg27014506