Product Documentation
Abstract
IBM HTTP Server provides periodic fixes for release 9.0. The following is a listing of recent fix packs, with the most recent at the top.
Content
Fix release date: 18 June 2024 Last modified: 18 June 2024 Status: Recommended This fix pack is delivered for z/OS with APAR/PTF: PH61744/UI97237

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH60619 | IBM HTTP Server is vulnerable to HTTP response splitting due to the included Apache HTTP Server (CVE-2024-24795 CVSS 6.5, CVE-2023-38709 CVSS 6.5) |
|  | PH60185 | Improve management of gracefully exiting processes on event MPM |
|  | PH60306 | Avoid crash during graceful exit after thread creation errors |
|  | PH60402 | update libexpat for issues found in 2.6.0 |
|  | PH60645 | SSL handshake timeout logged generically as "SSL0212E: SSL Handshake Failed, Internal unknown error" |
|  | PH60777 | Add logging and timeouts related to communication between mod_ibm_ssl and sidd |
|  | PH60863 | mod_mpmstats: Potential crash on Windows at shutdown or MaxRequestsPerChild |

Notes:
- IBM HTTP Server 9.0.5.20 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.59.
Fix release date: 26 March 2024 Last modified: 26 March 2024 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH60335/UI96099.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH59697 | IBM HTTP Server is vulnerable to information disclosure due to the included libexpat (CVE-2023-52425). |
|  | PH57408 | Log consecutive failing accept() calls and give the option to gracefully exit (z/OS only). |
|  | PH59012 | Fix possible crashes at the end of apachectl -t. |
|  | PH59165 | Enable HEAPPOOLS64 on new instances by default. |

Notes:
- IBM HTTP Server 9.0.5.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.
- IBM HTTP Server 9.0.5.19+IFPH60619 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.59.
Fix release date: 12 December 2023 Last modified: 12 December 2023 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH58450/UI94663.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH57715 | IBM HTTP Server is vulnerable to information disclosure due to the included Apache HTTP Server (CVE-2023-31122) |
|  | PH55900 | Upgrade LDAP SDK and add support for TLS13 |
|  | PH56093 | IHS child processes crash leaks 1 message queue |
|  | PH56097 | mod_mpmstats AlwaysReport directive overrides ReportInterval |
|  | PH56308 | Default ExtendedStatus to ON |
|  | PH56340 | Extended reporting of some startup errors |
|  | PH56383 | Connection not closed as expected after first response of HTTP request smuggling test |

Notes:
- IBM HTTP Server 9.0.5.18 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.
Fix release date: 19 September 2023 Last modified: 19 September 2023 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH56831 / UI93529 (superseded by UI94040)

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PH54894 | Add SSLOCSPCacheSize directive to enable and control the OCSP cache size. |
|  | PH55434 | Improve ICSF detection on zOS for new instances. |
|  | PH55613 | Tolerate missing files that are edited post installation, primarily for interim fix installations. |

Notes:
- IBM HTTP Server 9.0.5.17 with interim fix PH57715 (z/OS PTF UI94155) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.
Fix release date: 28 June 2023 Last modified: 28 June 2023 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH55173 / UI92324.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH52546 | IBM HTTP Server is vulnerable to information disclosure due to IBM GSKit (CVE-2023-32342 CVSS 7.5) |
| ✓ | PH53014 | IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690 CVSS 6.1) |
|  | PH44893 | Update GSKit to 8.0.55.31 for new RNG. |
|  | PH51678 | Add SSLSupportedCurves directive to allow customization of the curves offered during ECDHE key exchange. On z/OS, secp192r1 and secp224r1 are no longer enabled by default for ECDHE key exchange over TLSv1.2. |
|  | PH52642 | Improve the error log message for invalid HTTP header name or value by identifying the first bad character. |
|  | PH52860 | Possible high CPU when at or near MaxClients. |
|  | PH53848 | Add %{tzoff}t alternative to %{%z}t on Windows. |
|  | PH54015 | Fix regression in PH53014 interim fixes for RewriteRule with trailing question mark. |

Notes:
- IBM HTTP Server 9.0.5.16 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.57.
Fix release date: 04 April 2023 Last modified: 04 April 2023 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH53479 / UI91167.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH50316 | Update bundled expat for CVE-2022-43680, CVE-2017-9233, and CVE-2013-0340. |
| ✓ | PH51982 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-25147, CVE-2022-28331, CVE-2022-37436, CVE-2006-20001). |
|  | PH51473 | Remove RSA key exchange ciphers from defaults. |
|  | PH51709 | Add SSLMinimumRSAKeySize directive to reject client certificates with RSA key sizes smaller than the minimum specified. |

Notes:
- IBM HTTP Server 9.0.5.15 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56
- The latest IHS Archive interim fix is packaged with PH48747 https://www.ibm.com/support/pages/node/6987541
Fix release date: 22 November 2022 Last modified: 22 November 2022 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH50710 / UI83294.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH49572 | Update bundled expat for CVE-2022-40674. |
|  | PH47518 | Report the average response time of active requests in the WAS plug-in along with WAS plug-in specific request states: TPCN, TPSB, TPWR, TPRB. |
|  | PH47941 | Providing a second certificate label to SSLServerCert doesn't work unless SNI is enabled. |
|  | PH48168 | mod_authnz_saf rejects password with a single slash. |
|  | PH48206 | Add the KeepAliveTimeoutSend408 directive to allow the server to respond with an HTTP 408 response instead of closing KeepAlive connections. |
|  | PH48807 | SSL_SERVER_* variables may not be accurate with SNI or multiple certificates per virtual host. |
|  | PH49311 | Upgrade GSKit to 8.0.55.29. |

Notes:
- IBM HTTP Server 9.0.5.14 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56
IBM HTTP Server 9.0.5.13

Fix release date: 30 August 2022 Last modified: 30 August 2022 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH48724 / UI82026.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH46897 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-28615, CVE-2022-29404, CVE-2022-30556, CVE-2022-31813, CVE-2022-28614). |
|  | PH46094 | Add TrackeHooksOption notice to log slow requests at NOTICE level instead of INFO. |
|  | PH47286 | When logging %h as used in the default log formats, respect changes made by mod_remoteip processing. |
|  | PH47348 | Add KeepAliveTimeoutDelay to help avoid keepalive races. |

Notes:
- IBM HTTP Server 9.0.5.13 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56
IBM HTTP Server 9.0.5.12

Fix release date: 07 June 2022 Last modified: 07 June 2022 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH46717 / UI80829.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH44271 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-25313, CVE-2022-25315, CVE-2022-25235, CVE-2022-25236) |
| ✓ | PH44829 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-22720, CVE-2022-22719, CVE-2022-22721) |
|  | PH43696 | With SSLFIPSEnable and SSLProxyEngine enabled, handshakes may fail with GSK_ERROR_UNSUPPORTED. |
|  | PH43887 | IHS may crash in function ap_scan_http_field_content |
|  | PH44114 | IHS may appear to hang if MaxRequestsPerChild is nonzero, because a replacement process will not be launched |
|  | PH44330 | IBM HTTP Server has unnecessary APF authorization on binary files |
|  | PH44393 | IHS can crash in function ap_scan_http_field_content when processing special characters in URLs or headers |

Notes:
- IBM HTTP Server 9.0.5.12 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.53.
- IBM HTTP Server 9.0.5.12 with interim fix PH50316 (z/OS PTF UI80986 (prior APAR)) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.54.
Fix release date: 15 March 2022 Last modified: 15 March 2022 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH44633 / UI7961.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH42862 | Multiple vulnerabilities in IBM HTTP Server (CVE-2021-44790 CVSS 9.8 and more) |
| ✓ | PH43122 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-23852 CVSS 9.8 and more) |
|  | PH41074 | logresolve.exe doesn't work on Windows |
|  | PH41075 | Add option to terminate all child processes if the parent process crashes (z/OS only) |
|  | PH41413 | Recover from a stale pidfile (z/OS only) |
|  | PH41945 | Potential hang with nonzero MaxRequestsPerChild |
|  | PH42030 | Potential crash in the sidDelete function |
|  | PH42072 | Potential crash during LDAP authentication in set_parent_child_pointers |
|  | PH44045 | Windows archive postinstall.bat fails to copy GSkit to plug-in directory on upgrade |

Notes:
- IBM HTTP Server 9.0.5.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.
- IBM HTTP Server with interim fix PH44829 (z/OS PTF: UI79752) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.53.
- Installing 9.0.5.11 on top of 9.0.5.10 with recent recommended interim fixes may warn about several fixes (APARS) being uninstalled. Details available here: https://www.ibm.com/support/pages/node/6562241
Fix release date: 03 December 2021 Last modified: 03 December 2021 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH42261 / UI7829.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH40343 | Multiple vulnerabilities in IBM HTTP Server (CVE-2021-40438, CVE-2021-34798, CVE-2021-39275) https://www.ibm.com/support/pages/node/6493841 |
|  | PH39660 | IHS may crash at startup in the sigaction() system call |
|  | PH39916 | Omit plug-in keystore from IHS SMPE installations |
|  | PH39992 | TLSv13 connections may fail with SSL0209E errors reported in the log on z/Linux |
|  | PH40554 | SMPJHOME serviceability update to error messages |
|  | PH40691 | Shrink window for mod_unique_id duplicates |
|  | PH40725 | Avoid possible crashes when graceful restarts are requested rapidly / during startup. |
|  | PH40832 | Upgrade GSKit to 8.0.55.25 |
|  | PH41432 | Windows IHS archive: Fix plug-in path generated by postinst.bat |

Note:
- IBM HTTP Server 9.0.5.10 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.51.
- IBM HTTP Server 9.0.5.10 with interim fix PH42862 (PTF UI78904) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.
Fix release date: 10 September 2021 Last modified: 10 September 2021 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH40044 / UI7696.

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PH38515 | ErrorDocuments that specify literal strings are not translated correctly (z/OS only). |
|  | PH38112 | Conditionally reduce severity of SSL0405E message for sockets that are already in lingering close. |
|  | PH37899 | If mod_backtrace is not loaded, dump a backtrace during whatkilledus report (Linux only). |
|  | PH36870 | Disable the TLS protocols TLSv10 and TLSv11 by default. Remove TLSv1.3 CCM ciphers from defaults. |

Note:
- IBM HTTP Server 9.0.5.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.48.
- IBM HTTP Server 9.0.5.9 with interim fix PH42862 (PTF UI78904) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.
Fix release date: 18 June 2021 Last modified: 18 June 2021 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH37767 / UI7584.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH35771 | Multiple vulnerabilities in IBM HTTP Server (CVE-2020-13938, CVE-2021-30641) https://www.ibm.com/support/pages/node/6463587 |
|  | PH35915 | Upgrade bundled GSKit security library to 8.0.55.21 |
|  | PH35107 | Possible crash with StrictHostCheck |
|  | PH36939 | z/OS module updates |
|  | PH34420 | Server fails to start when SSLCipherSpec 30 is set in httpd.conf |
|  | PH34246 | ErrorLogFormat may not be used by some startup messages |
|  | PH33679 | SSLClientAuth doesn't work with 'noverify' and 'crl' together. |

Note: IBM HTTP Server 9.0.5.8 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.48.
Fix release date: 26 March 2021 Last modified: 26 March 2021 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH35153 / UI7446.

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PH29569 | Support 'CertificateUsername' without authentication |
|  | PH30270 | Allow SSL IOVEC merging to be disabled |
|  | PH30598 | Support '-RSA' pseudo-cipher in SSLCipherSpec to remove ciphers with RSA key exchange |
|  | PH30795 | Delays with large PKCS11 keystores (GSKit upgrade to 8.0.55.19) |
|  | PH30841 | Provide a flag to disable TLS close_notify alert on Apache socket close |
|  | PH30854 | Rewrite backreference escaping needs flexibility |
|  | PH31169 | Adjust SSL0200E with GSK_ERROR_PROTOCOL_MISMATCH |
|  | PH31409 | Can't set SSLV3TIMEOUT with TLS13 |
|  | PH32229 | Provide automatic graceful termination of processes reporting SSL0209E/SSL0212E/SSL0203E |

Note: IBM HTTP Server 9.0.5.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.46.
Fix release date: 27 November 2020 Last modified: 27 November 2020 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH31572 / UI7261.

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PH27406 | Software license swidtag files are not included in the IHS archive installs |
|  | PH27739 | SSL0401E during 'apachectl stop' |
|  | PH28073 | IBM HTTP Server on Windows crashes at startup with rare LoadModule value |
|  | PH28389 | install_ihs fails when ls alias is used |
|  | PH29026 | setupadmn fails if existing target user is not specified in /etc/passwd |
|  | PH30541 | 9.0 install_ihs/install_plug-in error with WAS 855 |
|  | PH30660 | Install Visual C++ Redistributable 2013 needed by IHS on Windows |

Note: IBM HTTP Server 9.0.5.6 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.46.
Fix release date: 04 September 2020 Last modified: 04 September 2020 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH28542 / UI7123.

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PH24262 | postinst reports wrong port number |
|  | PH24265 | Allow mpmstats to write to zOS system log |
|  | PH24402 | Post Installer for IHS archive should fail if postinst fails |
|  | PH24557 | Default cipher specs used with SSLCipherSpec ALL -CIPHER_SPEC |
|  | PH26048 | Add additional information to AH01220 for CGI script timeout |

Note: IBM HTTP Server 9.0.5.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.46.
Fix release date: 12 June 2020 Last modified: 12 June 2020 Status: Superseded 9.0.5.4 is delivered for z/OS with APAR/PTF: PH25610 / UI6982.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH21992 | Multiple vulnerabilities in IBM HTTP Server (CVE-2020-1927, CVE-2020-1934) https://www.ibm.com/support/pages/node/6191631 |
|  | PH20989 | Expose SAN fields in client certificates |
|  | PH21717 | Relax hostname validation in IBM HTTP Server |
|  | PH21804 | SSL0212E with TLS1.3 when SSLV3Timeout expires |
|  | PH22727 | Keepalive connections may be closed up to 100ms early |
|  | PH23344 | Error during script to apply a IHS PTF doesn't cause the PTF apply to fail |
|  | PH23397 | SSLClientAuthVerify OFF improvement for expired certificates |
|  | PH23551 | CGI error handling improvement |
|  | PH23596 | bin/rotatelogs not shipped with program control |
|  | PH23893 | Add 64-bit IHS for Windows to IIM |
|  | PH24493 | SSL0209E with IHS 9.0.5.2 and later (GSKit upgrade to 8.0.55.15) |

Note: IBM HTTP Server 9.0.5.4 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.43.
Fix release date: 20 March 2020 Last modified: 20 March 2020 Status: Superseded 9.0.5.3 is delivered for z/OS with APAR/PTF: PH23038 / UI6832.

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PH19074 | Provide extended diagnostics for SSL0279E errors |
|  | PH20613 | SSL0232W with SSLFIPSEnable |
|  | PH20970 | Improve Request header modification flexibility |

Note: IBM HTTP Server 9.0.5.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.41.
Fix release date: 13 December 2019 Last modified: 13 December 2019 Status: Superseded 9.0.5.2 is delivered for z/OS with APAR/PTF: PH19272 / UI6665.

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PH13105 | Upgrade bundled GSKit security library |
|  | PH17056 | Request for dataset with encoded characters returns 404 when using SAFRunAsEarly (z/OS only) |
|  | PH17128 | Add TLS 1.3 support for IBM HTTP Server and the WebSphere Application Server WebServer plug-in |
|  | PH17652 | Truncated responses that fail with GSK_INVALID_BUFFER_SIZE in IBM HTTP Server |
|  | PH18102 | Improve multi-certificate support in IBM HTTP Server 9.0 |

Note: IBM HTTP Server 9.0.5.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.41.
Fix release date: 20 September 2019 Last modified: 20 September 2019 Status: Superseded 9.0.5.1 is delivered for z/OS with APAR/PTF: PH16280 / UI6533.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH14974 | Multiple vulnerabilities in IBM HTTP Server (CVE-2018-20843, CVE-2019-10092, CVE-2019-10098) https://www.ibm.com/support/pages/node/964768 |
|  | PH10089 | install-ihs -group should make more directories group writeable (z/OS only) |
|  | PH10103 | Enable RLimitCPU on z/OS. (z/OS only) |
|  | PH10382 | Enable TLSV1.2 under SSLFIPSEnable |
|  | PH12421 | AuthLDAPURL not allowing specification of RACFID unless user has RACF search permission (z/OS only) |
|  | PH13615 | IBM HTTP Server 9.0 should allow relative URL in redirects. |

Note: IBM HTTP Server 9.0.5.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.41.
Fix release date: 28 June 2019 Last modified: 28 June 2019 Status: Superseded 9.0.5.0 is delivered for z/OS with APAR/PTF: PH13435 / UI6383.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH09869 | Multiple vulnerabilities in IBM HTTP Server (CVE-2019-0211, CVE-2019-0220) https://www-01.ibm.com/support/docview.wss?uid=ibm10880413 |
|  | PH07089 | Suppress parsing of $-prefixed variables in SSI (embeds). (z/OS only) |
|  | PH07275 | Unable to change service description of an 'IBM HTTP Server' service on Windows |
|  | PH08035 | Improve IHS logs on z/OS to show installation details. (z/OS only) |
|  | PH09519 | Allow MVSDS to only use the last qualifier of a dataset name for mime extension checking. (z/OS only) |
|  | PH12690 | Add the mod_request module for z/OS. (z/OS only) |

Note: IBM HTTP Server 9.0.5.0 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.39.
Fix release date: 05 April 2019 Last modified: 05 April 2019 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH10037 / UI6211.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PH06010 | Security vulnerability in the IBM HTTP Server (CVE-2018-17199) (Distributed only) http://www-01.ibm.com/support/docview.wss?uid=ibm10869064 |
|  | PH02406 | Need simpler way to reject unknown hostnames |
|  | PH02448 | Improve mod_status output for event MPM |
|  | PH03059 | ABENDEC6 RC FF0F seen at server startup using rotatelogs (z/OS only) |
|  | PH03953 | 'Server reached MaxRequestWorkers' message is issued while idle threads are available |
|  | PH05560 | Using multiple environment variables in a directive doesn't work |
|  | PH05575 | Postinst logs unexpected message when failed to find an FQDN |
|  | PH05852 | Allow headers to be unset using regex |

Note: IBM HTTP Server 9.0.0.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.38.
Fix release date: 14 December 2018 Last modified: 14 December 2018 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH06005 / UI60127

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PH01222 | Timeout setting for OCSP on IBM HTTP Server |
|  | PH01302 | Accept SHA2 cert chains in LDAP connections |

Note: IBM HTTP Server 9.0.0.10 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.37.
Fix release date: 21 September 2018 Last modified: 21 September 2018 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH02525 / UI5847.

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PI95964 | Add mod_cgi directive to allow users to configure timeouts for CGI applications |
|  | PI96156 | SSL fails with multiple addresses in single VirtualHost |
|  | PI96321 | Update embedded LDAP SDK to 6.4.x |
|  | PI96949 | The file time stamp format of IHS 9.0 is different from IHS 8.5 |
|  | PI96955 | Allow mod_substitute for proxied responses |
|  | PI97314 | Add mod_backtrace for Windows |
|  | PI98116 | PDB files are not shipped for plug-in and odrlib in the Windows archive installer. |
|  | PI98146 | Only create rewrite map lock if RewriteMaps are used. |
|  | PI98147 | Print unparsed URI in the 'URI incorrectly encoded' error message |
|  | PI98705 | HTML-encoded SSI variable double-encoded when moving to IHS 9.0 |
|  | PI99032 | SSL alerts not showing in log messages |
|  | PI99262 | Reduce memory used by persistent connections |
|  | PI99271 | AuthzProviderAlias ignoring all Require-Parameters except first one. |
|  | PI99394 | IBM HTTP Server startup messages not switching to Errorlog (z/OS only) |
|  | PI99567 | HTTPProtocolOptions improvements |
|  | PI99680 | rotatelogs description should include option -n |
|  | PI99685 | HTTPProtocolOptions=unsafe should allow a space in a header |
|  | PH00889 | LeaveWorkUnit errors with mod_wlm (z/OS only) |

Note: IBM HTTP Server 9.0.0.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.34.
Fix release date: 29 June 2018 Last modified: 29 June 2018 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PI99702 / UI5692.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PI94222 | Multiple vulnerabilities in GSKit bundled with IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22015347 |
| ✓ | PI95670 | Multiple vulnerabilities in IBM HTTP Server (CVE-2017-15710, CVE-2017-15715, CVE-2018-1301) http://www-01.ibm.com/support/docview.wss?uid=swg22015344 |
|  | PI91850 | MVSDS does not list member contents when using relative generation number to create a member list with PDS/PDSE GDG (z/OS only) |
|  | PI91975 | The 'Header unset Content-Type' directive does not unset the Content-Type response header. |
|  | PI92017 | Include CGI program name when writing stderr to the error log when using mod_cgi |
|  | PI92053 | Let child processes avoid graceful shutdown if ECONNREFUSED, ECONNABORTED, ECONNRESET occur during client accept(). |
|  | PI92092 | FSUM6245 seen when upgrading IHS to a new fix pack and using an intermediate symbolic link (z/OS only) |
|  | PI92407 | Log startup message for low 64-bit MEMLIMIT |
|  | PI93212 | Throttle SSL0600E error messages |
|  | PI94050 | High CPU/Hang with IHS mod_auth_basic LDAP |
|  | PI94539 | mod_proxy_http does not allow headers larger than 8K bytes. |
|  | PI95610 | Namespace collision when mod_ibm_ssl.so is loaded alongside libodr.so. |

Note: IBM HTTP Server 9.0.0.8 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.33.
Fix release date: 16 March 2018 Last modified: 16 March 2018 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PI94851 / UI5433.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PI90598 | CVE-2017-12613 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22013598 |
|  | PI90688 | gskcapicmd on Linux not working in IHS V9 |
|  | PI90811 | rotatelogs fails with relative paths in IBM HTTP Server V9 |
|  | PI91038 | When client and IHS don't support the same SSL/TLS version, IHS logged incorrect message in error log |
|  | PI91075 | Add environment variable to record "SSLVersion" failure |
|  | PI91351 | Add toleration for TLS certificate extension InhibitAnyPolicy marked as non-critical |
|  | PI91720 | HTTPS download of IHS archive install from Fix Central results in uncompressed file with misleading name |

Note: IBM HTTP Server 9.0.0.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.29.
Fix release date: 21 December 2017 Last modified: 21 December 2017 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PI91366 / UI5273.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PI87445 | CVE-2017-9798 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
| ✓ | PI87663 | CVE-2017-12618 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
|  | PI84868 | Disable the 3DES cipher by default in IBM HTTP Server. |
|  | PI85561 | SSL Fallback Protection related errors with SSLProxyEngine ON |
|  | PI85702 | SAFRunAs %%CERTIF%% asks for basic auth credentials |
|  | PI85804 | Improve password failure error messages in authnz_saf |
|  | PI87046 | Microsoft Windows large address support was not ported in IBM HTTP Server 9.0.0.4 |
|  | PI88232 | Allow the server to handle requests with obsolete folds containing only spaces and/or tabs after PI73984. |
|  | PI88356 | Default ciphers with SSLFIPSEnable are System SSL defaults instead of IHS defaults. |
|  | PI88553 | Print an error message that includes the errno and errno2 values if fail to find a specified saf-group. |
|  | PI90141 | IBM HTTP Server may hang at startup on z/Linux running on z14 hardware - upgrade GSKit to 8.0.50.84 |
|  | PI90834 | abendoc4 in apr_pstrcat using saf-change-pw handler |

Note: IBM HTTP Server 9.0.0.6 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.29.
Fix release date: 17 October 2017 Last modified: 13 October 2017 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PI87801 / UI50746.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PI82260 | CVE-2017-3167 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280 |
| ✓ | PI82263 | CVE-2017-7668 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280 |
| ✓ | PI82481 | CVE-2017-7679 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280 |
|  | PI80356 | Upgrade bundled GSKit security library (Distributed only) |
|  | PI81360 | Allow SSL_/TLS_ prefixes to be used interchangeably for cipher long names |
|  | PI81602 | Issues with updating SAF password when using Firefox or Chrome (z/OS only) |
|  | PI82760 | Unable to launch ikeyman on the IBM HTTP Server side. |
|  | PI82834 | Add a simple PCT alternative for IBM HTTP Server with Liberty. |
|  | PI83167 | Support for binary-only install via IHS_SKIP_POSTINST environment variable. |
|  | PI83257 | Reduce memory usage from long mod_rewrite configurations. |
|  | PI83350 | Add jobname and job id to SMF 103 records for IBM HTTP Server (z/OS only) |

Note: IBM HTTP Server 9.0.0.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.27.
Fix release date: 13 June 2017 Last modified: 13 June 2017 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PI82358 / UI47689.

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PI73043 | Upgrade bundled GSKit security library (Distributed only) |
|  | PI74780 | Allow IBM HTTP Server 9.0 on AIX 6.1 |
|  | PI75835 | ABEND0C4 in IBM HTTP Server 9.0 using -v option with rotatelogs (z/OS only) |
|  | PI76757 | Allow SSL handshake transcripts to be enabled or disabled |
|  | PI76874 | Further enhancements to PI50937 high cpu avoidance |
|  | PI76918 | 'Permission denied' errors after maintenance upgrade of IBM HTTP Server on z/OS (z/OS only) |
|  | PI77337 | IHS LDAP connection with SSL not working |
|  | PI77697 | IBM HTTP Server 9.0 install not creating service correctly on Microsoft Windows |
|  | PI78442 | Some sequences of server-side includes mixing '#include virtual=' and '#include file=' result in a HTTP 400 error. |
|  | PI78696 | SSL handshake failure between IHS/Proxy to backend IHS/Plug-in |
|  | PI78716 | File is not translated using MVSDS if content-encoding is used with IBM HTTP Server 9.0 (z/OS only) |
|  | PI78967 | Allow CEEDUMPS to be requested with kill -USR2 (z/OS only) |
|  | PI80106 | 500 Internal error with 'AH01328: Line too long' (z/OS only) |
|  | PI80187 | Redirect functionality not working as expected for MVSDS requests (z/OS only) |
|  | PI80447 | Disable MMAP for static files by default on z/OS (z/OS only) |

Note: IBM HTTP Server 9.0.0.4 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.25.
Fix release date: 14 March 2017 Last modified: 14 March 2017 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PI77285 / UI45080.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PI73984 | CVE-2016-8743 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21996847 |
|  | PI70372 | mod_mvsds serves a plain text file as an html page if it contains any string starting with a '<' and ending with a '>'. |
|  | PI70496 | Startup failures when 'SSLEnable' is specified globally instead of within a VirtualHost. |
|  | PI70825 | Simplify mod_ibm_ssl trace enabling in IBM HTTP Server 9.0 |
|  | PI70829 | Provide additional message information for IBM HTTP Server TLS handshakes |
|  | PI71340 | Update ikeyman/gskcmd wrappers for IBM HTTP Server 8.5.5 and 9.0 with embedded Java 8. |
|  | PI72989 | Hangs related to mod_backtrace and mod_whatkilledus during a crash. |
|  | PI73027 | Crash with combination of mod_net_trace loaded and 'EnableSendfile ON' in httpd.conf. |
|  | PI73165 | High cpu encountered when directive EnableSendfile is set to On |
|  | PI73661 | Session ID Daemon (sidd) memory leak |
|  | PI73819 | Allow an extended syntax for the SSLCipherSpec directive on z/OS |
|  | PI73951 | mod_zos_cmds incorrectly reports the number of lingering close connections as zero. |
|  | PI74200 | Connection resets under heavy load when connecting to IHS on z/OS. |

Note: IBM HTTP Server 9.0.0.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.25.
Fix release date: 13 December 2016 Last modified: 13 December 2016 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PI72454 / UI42701.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PI66849 | CVE-2012-0876, CVE-2012-1148, CVE-2016-4472 expat vulnerability fixes for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026 |
|  | PI66468 | bin\ikeyman.bat and bin\gskcmd.bat don't work when IHS install path contains spaces |
|  | PI66787 | Session cache daemon (sidd) memory leak |
|  | PI66931 | Upgrade bundled GSKit security library to resolve TLS > 1.2 negotiation intolerance. |
|  | PI67595 | AuthSAFExpiration and AuthSAFReenter do not work when using a 401 errordocument (z/OS only) |
|  | PI68001 | Add ability for the MVS stop command to do a graceful shutdown of the server (z/OS only) |
|  | PI68803 | IHS on z/OS CPU usage increases in release 8.5.5.5 or beyond (z/OS only) |
|  | PI69081 | gskver, ikeyman, gskcapicmd, and gskcmd scripts do not work in IBM HTTP Server 9.0.0.1 |
|  | PI69182 | IBM HTTP Server 9.0 SSL cipher defaults may be displayed incorrectly on z/OS (z/OS only) |
|  | PI69979 | Accept non strictly-conforming X509 certificates in IBM HTTP Server 9.0 |
|  | PI70022 | Allow IBM HTTP Server on Linux to automatically raise ulimit -n to accommodate larger ThreadsPerChild |

Note: IBM HTTP Server 9.0.0.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.23.
Fix release date: 16 September 2016 Last modified: 16 September 2016 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PI68703 / UI40714.

| Security APAR | APAR | Description |
| --- | --- | --- |
| ✓ | PI63098 | CVE-2016-0718 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026 |
| ✓ | PI65855 | CVE-2016-5387 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988019 |
|  | PI60251 | mod_mvsds writes content as binary instead of text/plain (z/OS only) |
|  | PI60784 | IBM HTTP Server directives SSLCipherBan and SSLCipherRequire may crash when GSKit tracing is enabled |
|  | PI62663 | Some Server Side Includes (SSI) may not be translated as expected (z/OS only) |
|  | PI63482 | Add a private header with password change information for 401 response. |
|  | PI63682 | IHS mod_status displays many 'NULL' strings in request column |
|  | PI64346 | SetEnvIf may be skipped with SAF auth enabled (z/OS only) |
|  | PI64628 | IBM HTTP Server on Z/OS is deleting the wrong message queue (z/OS only) |
|  | PI66153 | XML datasets with no XML extension cause error under mod_mvsds (z/OS only) |
|  | PI66183 | When MFA is configured, SAFRunAs fails with a permission error (z/OS only) |

Note: IBM HTTP Server 9.0.0.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.23.
Fix release date: 24 June 2016 Last modified: 24 June 2016 Status: Superseded This release was delivered for z/OS as an IM (Installation Manager) installed version only. For SMPE install, these contents were not available until 9.0.0.1.

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PI53754 | Using MVSDS to retrieve a GDG(0) always returns the same file, even after a new generation is created (z/OS only) |
|  | PI56034 | No equivalent functionality for DGW AlwaysWelcome directive in IHS on z/OS (z/OS only) |
|  | PI56576 | Incorrect image path in .css file causes image to not display |
|  | PI57543 | Allow one address space per rotatelogs process to be conserved. (z/OS only) |
|  | PI57596 | CRIHS0001I may contain garbage information or not pick up HTTPS port (z/OS only) |
|  | PI58218 | IBM HTTP Server mod_cache fixes |
|  | PI59561 | Add pre/post password hooks to mod_authnz_saf |
|  | PI60207 | Upgrade bundled GSKit security library to 8.0.50.61 |

Note: IBM HTTP Server 9.0.0.0 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.20.
Fix release date: 02 March 2016 Last modified: 02 March 2016 Status: Superseded This release was not delivered for distributed platforms or with WebSphere Application Server. It was delivered for z/OS only via APAR/PTF: PI56777 / UI35362.

| Security APAR | APAR | Description |
| --- | --- | --- |
|  | PI48857 | Some headers are removed when caching is enabled |
|  | PI50376 | DGW compatibility for DOCUMENT_* CGI variables. (z/OS only) |
|  | PI50397 | No error log entries for 'SAFRunAs %%CERTIF_REQ%%' failures. (z/OS only) |
|  | PI50514 | SSL session ID cache daemon (SIDD) creates unnecessary entries |
|  | PI51185 | Enhancements allowing use of SAFRunAsEarly for certificate switching (z/OS only) |
|  | PI52301 | Reduce reads to /dev/random causing CSFSERV CSFRNG access (z/OS only) |
|  | PI54808 | RewriteRule sees un-decoded characters in URL when mod_authnz_saf loaded (z/OS only) |

Document Information
Modified date: 17 June 2024
UID: swg27048481