Product Documentation
Abstract
IBM HTTP Server provides periodic fixes for release 6.1. The following is a complete listing of fixes for Version 6.1 with the most recent fix at the top.
Content
Note: There is no Fix Pack 1 or Fix Pack 4 delivered for IBM HTTP Server. Fix Pack 2 is the first maintenance Fix Pack delivered for IBM HTTP Server V6.1, then odd numbered Fix Packs going forward.
Fix release date: 09 September 2013 Last modified: 09 September 2013 Status: Recommended Download Fix Pack 47 |
APAR | Description |
PM80058 | CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules https://exchange.xforce.ibmcloud.com/vulnerabilities/82359 https://exchange.xforce.ibmcloud.com/vulnerabilities/82360 |
PM85211 | CVE-2013-0169: TLS Vulnerability (This fix upgrades the bundled GSKit security library) https://exchange.xforce.ibmcloud.com/vulnerabilities/81902 |
PM87808 | CVE-2013-1862: mod_rewrite vulnerability |
PM89996 | CVE-2013-1896: mod_dav vulnerability |
PM54387 | ABEND EC6 after IHS shutdown when using piped loggers. (z/OS only) |
PM73304 | Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server |
PM78144 | IBM HTTP Server large logformats cannot be correctly logged by piped loggers |
PM83409 | Cookie values containing an '=' are incorrectly logged. |
Note: IBM HTTP Server 6.1.0.47 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.65.
Fix release date: 24 September 2012 Last modified: 24 September 2012 Status: Superseded |
APAR | Description |
PM58899 | CVE-2012-0883: IBM HTTP Server incorrectly sets paths for startup |
PM66470 | CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site |
PM62011 | mod_log_config: The wrong cookie can be logged |
PM66218 | Upgrade bundled GSKit security library |
Note: IBM HTTP Server 6.1.0.45 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.
Fix release date: 19 March 2012 Last modified: 19 March 2012 Status: Superseded |
APAR | Description |
PM48384 | CVE-2011-3368, CVE-2011-3639, CVE-2011-4317: Potential pattern expansion problem when mod_proxy and mod_rewrite are used together. https://exchange.xforce.ibmcloud.com/vulnerabilities/70336 |
PM55760 | CVE-2012-0031: Possible parent process crash when untrusted code is run in child. |
PM56128 | CVE-2012-0053: Possible httpOnly cookie disclosure on compromised site. |
PM52351 | SSLClientAuth Required_reset is not enforced for SSLv2 connections https://exchange.xforce.ibmcloud.com/vulnerabilities/73749 |
Note: IBM HTTP Server 6.1.0.43 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.
Fix release date: 07 Nov 2011 Last modified: 07 Nov 2011 Status: Superseded |
APAR | Description |
PM46234 | CVE-2011-3192: Potential Denial of Service with malicious range requests https://exchange.xforce.ibmcloud.com/vulnerabilities/69396 |
PM27886 | Upgrade bundled GSKit security library including secure SSL renegotiation |
PM44816 | Provide end-to-end timeouts for slow requests |
Note: IBM HTTP Server 6.1.0.41 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.
Fix release date: 18 July 2011 Last modified: 18 July 2011 Status: Superseded |
APAR | Description |
PM38826 | apr_fnmatch() routine can result in high CPU with use of mod_autoindex |
PM31189 | URL containing "%2F" is being decoded to "/" with AllowEncodedSlashes On |
PM32235 | IBM HTTP Server child process crash in mod_mem_cache |
PM35346 | IBM HTTP Server high CPU on large responses from WebSphere Application Server |
PM35469 | Network fragmentation occurs with SSL and mod_deflate |
Note: IBM HTTP Server 6.1.0.39 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.
Fix release date: 04 April 2011 Last modified: 04 April 2011 Status: Superseded |
APAR | Description |
PM26003 | GSKit upgrade problems during IHS and Plug-in fixpack installation |
PM26041 | SSL forward proxy closes idle connections during graceful process exit |
Note: IBM HTTP Server 6.1.0.37 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.
Fix release date: 17 December 2010 Last modified: 17 December 2010 Status: Superseded |
APAR | Description |
PM18904 | CVE-2010-1452: mod_dav vulnerability |
PM23263 | CVE-2010-1623: apr-util vulnerabilities https://exchange.xforce.ibmcloud.com/vulnerabilities/62235 |
PM24234 | CVE-2009-3560 & CVE-2009-3720: mod_dav UTF-8 sequence handling problem |
PM17269 | When SSLUnknownRevocationStatus is not explicitly configured, a SSL0275E debug message is logged at notice level |
PM20034 | IBM HTTP Server 6.1.0.31 fix pack does not upgrade GSKIT to 7.0.4.28 on AIX |
PM20672 | IHS SSL initialization fails if SSLClientAuthRequire or SSLClientAuthGroup ends with an unquoted string |
PM20934 | "MaxClients reached" message can occur prematurely |
Note: IBM HTTP Server 6.1.0.35 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.
Fix release date: 13 September 2010 Last modified: 13 September 2010 Status: Superseded |
APAR | Description |
PM00138 | mod_fastcgi: Intermittent Connection Refused error at startup when using FastCGI |
PM07976 | apachectl start or stop can fail in some locales (z/OS only) |
PM09819 | IBM HTTP Server error log warning; "Not owner: processor unbind failed -1" in an AIX WPAR environment |
PM10270 | IBM HTTP Server can fail during an upload that is greater than 2GB if SSL is used |
PM11586 | mod_ibm_ssl: Solaris shared library path environment variable may be corrupted during graceful restart with SSL loaded |
Note: IBM HTTP Server 6.1.0.33 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.
Fix release date: 10 May 2010 Last modified: 10 May 2010 Status: Superseded |
APAR | Description |
PM08939 | CVE-2010-0434: mod_headers / CVE-2010-0408 |
PM09447 | CVE-2010-0425: mod_isapi vulnerability |
PM07113 | Update GSKit to 7.0.4.28 |
PK96500 | mod_mem_cache, mod_disk_cache: IBM HTTP Server should not cache incomplete responses |
PK97740 | IBM HTTP Server does not log 408 to the access log when an HTTP request is not sent within the timeout period |
PK99128 | IBM HTTP Server won't start on z/OS after install_ihs creates symlinks to version root |
PK96790 | mod_deflate input filter not removing Content-Encoding |
PK97344 | During IBM HTTP Server shutdown, child processes sometimes crash on Windows |
PM03058 | Implement optional lingering close |
PM03121 | mod_deflate doesn't compress internally redirected urls |
PM01714 | SAFRunAs directive on z/OS requires the IHS userid to be permitted Read access to the BPX.SERVER FACILITY class profile |
Note: IBM HTTP Server 6.1.0.31 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.
Fix release date: 18 January 2010 Last modified: 18 January 2010 Status: Superseded |
APAR | Description |
PK91361 | CVE-2009-1891: mod_deflate vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/51626 |
PK93225 | CVE-2009-2412: Apache Portable Runtime memory allocation functions can return invalid pointers |
PK96858 | CVE-2009-3094 & CVE-2009-3095: mod_proxy_ftp vulnerabilities https://exchange.xforce.ibmcloud.com/vulnerabilities/53041 |
PM00675 | CVE-2009-3555: TLS/SSL protocol MITM vulnerability |
PK87717 | mod_charset_lite translates inbound HTTP request bodies |
PK89004 | Piped logger processes left stranded at restart |
PK91197 | Startup crash on Windows when configured to use SSL and started as a service |
PK92520 | Request for a URI with a long file path can fail on z/OS |
PK93106 | Cannot configure IHS response to unknown revocation status via OCSP |
PK93112 | Disable SSLv3 protocol when SSLFIPSEnable is configured |
PK93510 | Piped errorlog loses initialization error message |
PK95329 | CGI variables not available to mod_ext_filter scripts for non-CGI/SSI requests |
PK96600 | Prevent runaway forking if the accept mutex is damaged |
Note: IBM HTTP Server 6.1.0.29 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.
Fix release date: 21 September 2009 Last modified: 21 September 2009 Status: Superseded |
APAR | Description |
PK88341 | CVE-2009-0023 : Underflow in apr_strmatch_precompile & CVE-2009-1956 : apr_brigade_vprintf off-by-one overflow vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/50964 |
PK88342 | CVE-2009-1955 : apr_xml_* interface vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/50994 |
PK79583 | mod_ldap retries only once, without delay, when ldap_bind fails |
PK84656 | Slow memory leak in rotatelogs |
PK86338 | mod_mem_cache slow memory leak |
PK86513 | mod_ibm_ssl session ID cache daemon (SIDD) started twice in error at HTTP Server startup |
PK87590 | %{SERVER_PORT} variable incorrectly resolves to '80' when SSL is used but no port number is provided on the ServerName directive |
Note: IBM HTTP Server 6.1.0.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.
Fix release date: 16 June 2009 Last modified: 16 June 2009 Status: Superseded |
APAR | Description |
PK77458 | Cached responses contain incorrect Content-Type and Content-Encoding headers on IBM HTTP Server |
PK77969 | New log messages to explain the HTTP 403 error when PATH_MAX is exceeded |
PK78007 | When an SSL request arrives shortly after an IHS restart, a SSL0600S error is logged |
PK78073 | Can't configure mod_charset_lite to translate only mod_autoindex output |
PK78128 | Set-Cookie and Set-Cookie2 headers not preserved on 304 responses |
PK78333 | Translate 100-Continue responses to ASCII |
PK79915 | Slow memory leak on z/OS when IBM HTTP Server is configured to request client SSL Certificates |
PK81016 | mod_proxy_ftp cannot serve files with wildcards in their names |
PK84899 | Failure and crash in IHS Administration Server during stop operation |
Note: IBM HTTP Server 6.1.0.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.
Fix release date: 16 March 2009 Last modified: 16 March 2009 Status: Superseded |
APAR | Description |
PK72236 | mod_charset_lite suppresses some browser error messages |
PK74791 | SSL0267E doesn't distinguish between timeouts establishing and completing the SSL handshake |
PK75671 | When an invalid Expect header is received, IBM HTTP Server does not respond until timeout value has occurred |
PK75858 | The IBM HTTP Server parent process crashes while restarting piped logger if all file descriptors are exhausted |
PK76105 | The directive 'CoreDumpDirectory' used to specify the location for locating core dumps was ignored for parent process crashes |
PK76363 | Improve mod_mpmstats logging in IHS 6.X to display hanging modules in post_read_request hook |
Note: IBM HTTP Server 6.1.0.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.
Fix release date: 01 December 2008 Last modified: 01 December 2008 Status: Superseded |
APAR | Description |
PK70197 | CVE-2008-2939: mod_proxy_ftp unescaped wildcard |
PK68182 | postinst returns an error when conf files are not present during service pack install |
PK68392 | If a piped logger such as rotatelogs fails, a handle is leaked. On Windows, IBM HTTP Server is unable to restart the piped logger. |
PK68688 | mod_proxy_connect may time out when it processes incoming SSL requests where the SSL record length is between 8 and 16 kilobytes. |
PK69212 | 'SSLClientAuth required' directive triggers HTTP access control without notification to browser at SSL layer |
PK70028 | mod_cgid tokenizing ISINDEX queries incorrectly resulting in NULL command line arguments not being passed to CGI scripts |
Note: IBM HTTP Server 6.1.0.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.
Fix release date: 15 September 2008 Last modified: 15 September 2008 Status: Superseded |
APAR | Description |
PK61608 | HTTP client certificate revocation status performance enhancement |
PK64089 | Access log displays incorrect timezone offset |
PK64092 | SSL0409I is sometimes logged when an SSL client disconnects |
PK66154 | mod_cgid socket permissions problem & sidd socket permissions problem |
PK66755 | IBM HTTP Server mod_rewrite RewriteMap directive can result in high CPU usage when thousands of strings are passed as keys |
PK66924 | IBM HTTP Server does not correctly handle orphaned rotatelogs processes for the Windows operating system |
PK67579 | CVE-2008-2364 HTTP proxy potential denial of service when proxying to untrusted servers |
PK67658 | Recursive error document problem |
Note: IBM HTTP Server 6.1.0.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.
Fix release date: 3 June 2008 Last modified: 3 June 2008 Status: Superseded |
APAR | Description |
PK57549 | Upgrade GSKit to 7.0.4.14 |
PK58884 | IBM HTTP Server compression; AddOutputFilterByType directive did not apply to proxy requests |
PK59667 | CVE-2007-6388 mod_status cross-site scripting vulnerability |
PK61452 | Server Side Includes under mod_include are unreliable with output filters |
PK62242 | Incorrect error handling in IBM HTTP Server when SIDD is not found under server root |
Note: IBM HTTP Server 6.1.0.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.
Fix release date: 10 March 2008 Last modified: 10 March 2008 Status: Superseded |
APAR | Description |
PK58024 | CVE-2007-5000 mod_imap cross-site scripting vulnerability |
PK57952 | Input method not escaped in default 413 error response |
PK57680 | High CPU loop in mod_ibm_ssl when poll returns unexpected events |
PK58184 | rotatelogs ignores -l option when rotating files based on size |
PK52726 | Allow Certificate Revocation List support to be used on HP-UX |
Note: IBM HTTP Server 6.1.0.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.
Fix release date: 21 November 2007 Last modified: 21 November 2007 Status: Superseded |
APAR | Description |
PK48412 | IBM HTTP Server logs bad date when certificate has expired |
PK48505 | mod_deflate changed HTTP status to 500 for some errors |
PK49295 | CVE-2006-5752 mod_status cross-site scripting vulnerability |
PK49355 | CVE-2007-1863 mod_cache crash with malicious request |
PK50460 | mod_deflate does not work with vary headers |
PK50467 | CVE-2007-3304 MPM signalling vulnerability |
PK50469 | CVE-2007-3847 proxy buffer over-read vulnerability |
PK50274 | ikeyman could not create CMS key database when installed from 64-bit supplements CD |
Note: IBM HTTP Server 6.1.0.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.
Fix release date: 07 September 2007 Last modified: 07 September 2007 Status: Superseded |
APAR | Description |
PK48606 | mod_ibm_ssl fails to load at run-time on RHEL 5 |
PK45277 | Segmentation fault occurs when pidfile does not exist on Web server start |
PK44274 | ProxyErrorOverride should not affect redirects |
PK45296 | mod_ibm_ldap possible crash from uninitialized memory |
PK45328 | Single DES is no longer an approved FIPS-140 security function |
Fix release date: 15 June 2007 Last modified: 15 June 2007 Status: Superseded |
APAR | Description |
PK39018 | Restart SIDD if it exits or crashes unexpectedly |
PK38839 | Allow collection of coredumps and other serviceability data for SIGFPE crashes |
PK37731 | No client certificate prompt occurred with multiple SSL vhosts configured |
PK37809 | Empty response was sent for cached static files after revalidation timeout |
PK46546 | install_ihs command may not work for symbolic links |
Fix release date: 5 April 2007 Last modified: 5 April 2007 Status: Superseded |
Fix release date: 15 January 2007 Last modified: 15 January 2007 Status: Superseded |
APAR | Description |
PK31460 | Observed strange browser behavior when receiving an HTTP 302 response over SSL through the reverse proxy |
PK33959 | IBM HTTP Server service pack updates don't put correct reference values of customer's IBM HTTP Server install |
PK34180 | Fix incorrect 304 responses for expired cache objects |
Fix release date: 17 November 2006 Last modified: 17 November 2006 Status: Superseded |
APAR | Description |
PK28348 | There is a bug in the handling of cgid directives inside VirtualHosts when using ScriptSock directive |
PK28359 | Message "SSL0227E: SSL Handshake failed, specified label could not be found in the key file" occurs using n-cipher card |
PK29154 | CVE-2006-3747 mod_rewrite error |
PK30837 | MOD_IBM_LDAP problems when enabled in .htaccess files |
Fix release date: 18 September 2006 Last modified: 18 September 2006 Status: Superseded |
APAR | Description |
PK21998 | Provide directive for disabling individual SSL protocol |
PK22995 | Excessive child process creation during startup |
PK24631 | CVE-2006-3918 HTTP expect header value can be echoed to browser unescaped |
PK24686 | CGI on UNIX and Linux cannot see path to script in ARG0 |
PK25428 | 6.0.x IBM HTTP Server Administration server periodically segfaults with _read_nocancel in /lib/tls/libpthread.so.0 |
mod_cache: Fix inconsistent results from requests which are implemented as subrequests. | |
Allow diagnostic modules to track activity in log-transaction hook |
Document Information
Modified date: 07 September 2022
UID: swg27008517