IBM Support

Fix list for IBM HTTP Server V6.1

Product Documentation


Abstract

IBM HTTP Server provides periodic fixes for release 6.1. The following is a complete listing of fixes for Version 6.1 with the most recent fix at the top.

Content

Fix Pack 47 (6.1.0.47)

Fix Pack 45 (6.1.0.45)

Fix Pack 43 (6.1.0.43)

Fix Pack 41 (6.1.0.41)

Fix Pack 39 (6.1.0.39)

Fix Pack 37 (6.1.0.37)

Fix Pack 35 (6.1.0.35)

Fix Pack 33 (6.1.0.33)

Fix Pack 31 (6.1.0.31)

Fix Pack 29 (6.1.0.29)

Fix Pack 27 (6.1.0.27)

Fix Pack 25 (6.1.0.25)

Fix Pack 23 (6.1.0.23)

Fix Pack 21 (6.1.0.21)

Fix Pack 19 (6.1.0.19)

Fix Pack 17 (6.1.0.17)

Fix Pack 15 (6.1.0.15)

Fix Pack 13 (6.1.0.13)

Fix Pack 11 (6.1.0.11)

Fix Pack 9 (6.1.0.9)

Fix Pack 7 (6.1.0.7)

Fix Pack 5 (6.1.0.5)

Fix Pack 3 (6.1.0.3)

Fix Pack 2 (6.1.0.2)



Note: There is no Fix Pack 1 or Fix Pack 4 delivered for IBM HTTP Server. Fix Pack 2 is the first maintenance Fix Pack delivered for IBM HTTP Server V6.1; subsequent Fix Packs are odd-numbered.



Fix release date: 09 September 2013
Last modified: 09 September 2013
Status: Recommended

APAR | Description
PM80058 | CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules
https://exchange.xforce.ibmcloud.com/vulnerabilities/82359
https://exchange.xforce.ibmcloud.com/vulnerabilities/82360
PM85211 | CVE-2013-0169: TLS Vulnerability (This fix upgrades the bundled GSKit security library)
https://exchange.xforce.ibmcloud.com/vulnerabilities/81902
PM87808 | CVE-2013-1862: mod_rewrite vulnerability
PM89996 | CVE-2013-1896: mod_dav vulnerability
PM54387 | ABEND EC6 after IHS shutdown when using piped loggers. (z/OS only)
PM73304 | Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server
PM78144 | IBM HTTP Server large logformats cannot be correctly logged by piped loggers
PM83409 | Cookie values containing an '=' are incorrectly logged.

Note: IBM HTTP Server 6.1.0.47 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.65.



Fix release date: 24 September 2012
Last modified: 24 September 2012
Status: Superseded

APAR | Description
PM58899 | CVE-2012-0883: IBM HTTP Server incorrectly sets paths for startup
PM66470 | CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site
PM62011 | mod_log_config: The wrong cookie can be logged
PM66218 | Upgrade bundled GSKit security library

Note: IBM HTTP Server 6.1.0.45 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix release date: 19 March 2012
Last modified: 19 March 2012
Status: Superseded

APAR | Description
PM48384 | CVE-2011-3368, CVE-2011-3639, CVE-2011-4317: Potential pattern expansion problem when mod_proxy and mod_rewrite are used together.
https://exchange.xforce.ibmcloud.com/vulnerabilities/70336
PM55760 | CVE-2012-0031: Possible parent process crash when untrusted code is run in child.
PM56128 | CVE-2012-0053: Possible httpOnly cookie disclosure on compromised site.
PM52351 | SSLClientAuth Required_reset is not enforced for SSLv2 connections
https://exchange.xforce.ibmcloud.com/vulnerabilities/73749

Note: IBM HTTP Server 6.1.0.43 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix release date: 07 Nov 2011
Last modified: 07 Nov 2011
Status: Superseded

APAR | Description
PM46234 | CVE-2011-3192: Potential Denial of Service with malicious range requests
https://exchange.xforce.ibmcloud.com/vulnerabilities/69396
PM27886 | Upgrade bundled GSKit security library including secure SSL renegotiation
PM44816 | Provide end-to-end timeouts for slow requests

Note: IBM HTTP Server 6.1.0.41 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix release date: 18 July 2011
Last modified: 18 July 2011
Status: Superseded

APAR | Description
PM38826 | apr_fnmatch() routine can result in high CPU with use of mod_autoindex
PM31189 | URL containing "%2F" is being decoded to "/" with AllowEncodedSlashes Onl
PM32235 | IBM HTTP Server child process crash in mod_mem_cache
PM35346 | IBM HTTP Server high CPU on large responses from WebSphere Application Server
PM35469 | Network fragmentation occurs with SSL and mod_deflate

Note: IBM HTTP Server 6.1.0.39 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix release date: 04 April 2011
Last modified: 04 April 2011
Status: Superseded

APAR | Description
PM26003 | GSKit upgrade problems during IHS and Plug-in fixpack installation
PM26041 | SSL forward proxy closes idle connections during graceful process exit

Note: IBM HTTP Server 6.1.0.37 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix release date: 17 December 2010
Last modified: 17 December 2010
Status: Superseded

APAR | Description
PM18904 | CVE-2010-1452: mod_dav vulnerability
PM23263 | CVE-2010-1623: apr-util vulnerabilities
https://exchange.xforce.ibmcloud.com/vulnerabilities/62235
PM24234 | CVE-2009-3560 & CVE-2009-3720: mod_dav UTF-8 sequence handling problem
PM17269 | When SSLUnknownRevocationStatus is not explicitly configured, a SSL0275E debug message is logged at notice level
PM20034 | IBM HTTP Server 6.1.0.31 fix pack does not upgrade GSKIT to 7.0.4.28 on AIX
PM20672 | IHS SSL initialization fails if SSLClientAuthRequire or SSLClientAuthGroup ends with an unquoted string
PM20934 | "MaxClients reached" message can occur prematurely

Note: IBM HTTP Server 6.1.0.35 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.64.



Fix release date: 13 September 2010
Last modified: 13 September 2010
Status: Superseded

APAR | Description
PM00138 | mod_fastcgi: Intermittent Connection Refused error at startup when using FastCGI
PM07976 | apachectl start or stop can fail in some locales (z/OS only)
PM09819 | IBM HTTP Server error log warning; "Not owner: processor unbind failed -1" in an AIX WPAR environment
PM10270 | IBM HTTP Server can fail during an upload that is greater than 2GB if SSL is used
PM11586 | mod_ibm_ssl: Solaris shared library path environment variable may be corrupted during graceful restart with SSL loaded

Note: IBM HTTP Server 6.1.0.33 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix release date: 10 May 2010
Last modified: 10 May 2010
Status: Superseded

APAR | Description
PM08939 | CVE-2010-0434: mod_headers / CVE-2010-0408
PM09447 | CVE-2010-0425: mod_isapi vulnerability
PM07113 | Update GSKit to 7.0.4.28
PK96500 | mod_mem_cache, mod_disk_cache: IBM HTTP Server should not cache incomplete responses
PK97740 | IBM HTTP Server does not log 408 to the access log when an HTTP request is not sent within the timeout period
PK99128 | IBM HTTP Server won't start on z/OS after install_ihs creates symlinks to version root
PK96790 | mod_deflate input filter not removing Content-Encoding
PK97344 | During IBM HTTP Server shutdown, child processes sometimes crash on Windows
PM03058 | Implement optional lingering close
PM03121 | mod_deflate doesn't compress internally redirected urls
PM01714 | SAFRunAs directive on z/OS requires the IHS userid to be permitted Read access to the BPX.SERVER FACILITY class profile

Note: IBM HTTP Server 6.1.0.31 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix release date: 18 January 2010
Last modified: 18 January 2010
Status: Superseded

APAR | Description
PK91361 | CVE-2009-1891: mod_deflate vulnerability
https://exchange.xforce.ibmcloud.com/vulnerabilities/51626
PK93225 | CVE-2009-2412: Apache Portable Runtime memory allocation functions can return invalid pointers
PK96858 | CVE-2009-3094 & CVE-2009-3095: mod_proxy_ftp vulnerabilities
https://exchange.xforce.ibmcloud.com/vulnerabilities/53041
PM00675 | CVE-2009-3555: TLS/SSL protocol MITM vulnerability
PK87717 | mod_charset_lite translates inbound HTTP request bodies
PK89004 | Piped logger processes left stranded at restart
PK91197 | Startup crash on Windows when configured to use SSL and started as a service
PK92520 | Request for a URI with a long file path can fail on z/OS
PK93106 | Cannot configure IHS response to unknown revocation status via OCSP
PK93112 | Disable SSLv3 protocol when SSLFIPSEnable is configured
PK93510 | Piped errorlog loses initialization error message
PK95329 | CGI variables not available to mod_ext_filter scripts for non-CGI/SSI requests
PK96600 | Prevent runaway forking if the accept mutex is damaged

Note: IBM HTTP Server 6.1.0.29 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix release date: 21 September 2009
Last modified: 21 September 2009
Status: Superseded

APAR | Description
PK88341 | CVE-2009-0023: Underflow in apr_strmatch_precompile &
CVE-2009-1956: apr_brigade_vprintf off-by-one overflow vulnerability
https://exchange.xforce.ibmcloud.com/vulnerabilities/50964
PK88342 | CVE-2009-1955: apr_xml_* interface vulnerability
https://exchange.xforce.ibmcloud.com/vulnerabilities/50994
PK79583 | mod_ldap retries only once, without delay, when ldap_bind fails
PK84656 | Slow memory leak in rotatelogs
PK86338 | mod_mem_cache slow memory leak
PK86513 | mod_ibm_ssl session ID cache daemon (SIDD) started twice in error at HTTP Server startup
PK87590 | %{SERVER_PORT} variable incorrectly resolves to '80' when SSL issued but no port number is provided on the ServerName directive

Note: IBM HTTP Server 6.1.0.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix release date: 16 June 2009
Last modified: 16 June 2009
Status: Superseded

APAR | Description
PK77458 | Cached responses contain incorrect Content-Type and Content-Encoding headers on IBM HTTP Server
PK77969 | New log messages to explain the HTTP 403 error when PATH_MAX is exceeded
PK78007 | When an SSL request arrives shortly after an IHS restart, a SSL0600S error is logged
PK78073 | Can't configure mod_charset_lite to translate only mod_autoindex output
PK78128 | Set-Cookie and Set-Cookie2 headers not preserved on 304 responses
PK78333 | Translate 100-Continue responses to ASCII
PK79915 | Slow memory leak on z/OS when IBM HTTP Server is configured to request client SSL Certificates
PK81016 | mod_proxy_ftp cannot serve files with wildcards in their names
PK84899 | Failure and crash in IHS Administration Server during stop operation

Note: IBM HTTP Server 6.1.0.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix release date: 16 March 2009
Last modified: 16 March 2009
Status: Superseded

APAR | Description
PK72236 | mod_charset_lite suppresses some browser error messages
PK74791 | SSL0267E doesn't distinguish between timeouts establishing and completing the SSL handshake
PK75671 | When an invalid Expect header is received, IBM HTTP Server does not respond until timeout value has occurred
PK75858 | The IBM HTTP Server parent process crashes while restarting piped logger if all file descriptors are exhausted
PK76105 | The directive 'CoreDumpDirectory' used to specify the location for locating core dumps was ignored for parent process crashes
PK76363 | Improve mod_mpmstats logging in IHS 6.X to display hanging modules in post_read_request hook


Note: IBM HTTP Server 6.1.0.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix release date: 01 December 2008
Last modified: 01 December 2008
Status: Superseded

APAR | Description
PK70197 | CVE-2008-2939: mod_proxy_ftp unescaped wildcard
PK68182 | postinst returns an error when conf files are not present during service pack install
PK68392 | If a piped logger such as rotatelogs fails, a handle is leaked. On Windows, IBM HTTP Server is unable to restart the piped logger.
PK68688 | mod_proxy_connect may timeout when it processes incoming SSL requests where the SSL record length is between 8 and 16 kilobytes.
PK69212 | 'SSLClientAuth required' directive triggers HTTP access control without notification to browser at SSL layer
PK70028 | mod_cgid tokenizing ISINDEX queries incorrectly resulting in NULL command line arguments not being passed to CGI scripts


Note: IBM HTTP Server 6.1.0.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix release date: 15 September 2008
Last modified: 15 September 2008
Status: Superseded

APAR | Description
PK61608 | HTTP client certificate revocation status performance enhancement
PK64089 | Access log displays incorrect timezone offset
PK64092 | SSL0409I is sometimes logged when an SSL client disconnects
PK66154 | mod_cgid socket permissions problem & sidd socket permissions problem
PK66755 | IBM HTTP Server mod_rewrite RewriteMap directive can result in high CPU usage when thousands of strings are passed as keys
PK66924 | IBM HTTP Server does not correctly handle orphaned rotatelogs processes for the Windows operating system
PK67579 | CVE-2008-2364 HTTP proxy potential denial of service when proxying to untrusted servers
PK67658 | Recursive error document problem


Note: IBM HTTP Server 6.1.0.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix release date: 3 June 2008
Last modified: 3 June 2008
Status: Superseded

APAR | Description
PK57549 | Upgrade GSKit to 7.0.4.14
PK58884 | IBM HTTP Server compression; AddOutputFilterByType directive did not apply to proxy requests
PK59667 | CVE-2007-6388 mod_status cross-site scripting vulnerability
PK61452 | Server Side Includes under mod_include are unreliable with output filters
PK62242 | Incorrect error handling in IBM HTTP Server when SIDD is not found under server root


Note: IBM HTTP Server 6.1.0.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.63.



Fix release date: 10 March 2008
Last modified: 10 March 2008
Status: Superseded

APAR | Description
PK58024 | CVE-2007-5000 mod_imap cross-site scripting vulnerability
PK57952 | Input method not escaped in default 413 error response
PK57680 | High CPU loop in mod_ibm_ssl when poll returns unexpected events
PK58184 | rotatelogs ignores -l option when rotating files based on size
PK52726 | Allow Certificate Revocation List support to be used on HP-UX


Note: IBM HTTP Server 6.1.0.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.



Fix release date: 21 November 2007
Last modified: 21 November 2007
Status: Superseded

APAR | Description
PK48412 | IBM HTTP Server logs bad date when certificate has expired
PK48505 | mod_deflate changed HTTP status to 500 for some errors
PK49295 | CVE-2006-5752 mod_status cross-site scripting vulnerability
PK49355 | CVE-2007-1863 mod_cache crash with malicious request
PK50460 | mod_deflate does not work with vary headers
PK50467 | CVE-2007-3304 MPM signalling vulnerability
PK50469 | CVE-2007-3847 proxy buffer over-read vulnerability
PK50274 | ikeyman could not create CMS key database when installed from 64-bit supplements CD


Note: IBM HTTP Server 6.1.0.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.0.61.



Fix release date: 07 September 2007
Last modified: 07 September 2007
Status: Superseded

APAR | Description
PK48606 | mod_ibm_ssl fails to load at run-time on RHEL 5
PK45277 | Segmentation fault occurs when pidfile does not exist on Web server start
PK44274 | ProxyErrorOverride should not affect redirects
PK45296 | mod_ibm_ldap possible crash from uninitialized memory
PK45328 | Single DES is no longer an approved FIPS-140 security function



Fix release date: 15 June 2007
Last modified: 15 June 2007
Status: Superseded

APAR | Description
PK39018 | Restart SIDD if it exits or crashes unexpectedly
PK38839 | Allow collection of coredumps and other serviceability data for SIGFPE crashes
PK37731 | No client certificate prompt occurred with multiple SSL vhosts configured
PK37809 | Empty response was sent for cached static files after revalidation timeout
PK46546 | install_ihs command may not work for symbolic links



Fix release date: 5 April 2007
Last modified: 5 April 2007
Status: Superseded

APAR | Description
PK33253 | SSL virtualhosts unable to perform SSLV3 handshake when keyfile directive has been specified with an invalid parameter
PK34981 | The IBM HTTP Server administrative console incorrectly reports the stop/start status of the IBM HTTP Server
PK35675 | mod_mem_cache crashes when used with client certificate authentication
PK33959 | IBM HTTP Server service pack updates do not put correct reference values of customer's IBM HTTP Server install



Fix release date: 15 January 2007
Last modified: 15 January 2007
Status: Superseded

APAR | Description
PK31460 | Observed strange browser behavior when receiving an HTTP 302 response over SSL through the reverse proxy
PK33959 | IBM HTTP Server service pack updates don't put correct reference values of customer's IBM HTTP Server install
PK34180 | Fix incorrect 304 responses for expired cache objects



Fix release date: 17 November 2006
Last modified: 17 November 2006
Status: Superseded

APAR | Description
PK28348 | There is a bug in the handling of cgid directives inside VirtualHosts when using ScriptSock directive
PK28359 | Message "SSL0227E: SSL Handshake failed, specified label could not be found in the key file" occurs using n-cipher card
PK29154 | CVE-2006-3747 mod_rewrite error
PK30837 | MOD_IBM_LDAP problems when enabled in .htaccess files



Fix release date: 18 September 2006
Last modified: 18 September 2006
Status: Superseded

APAR | Description
PK21998 | Provide directive for disabling individual SSL protocol
PK22995 | Excessive child process creation during startup
PK24631 | CVE-2006-3918 HTTP expect header value can be echoed to browser unescaped
PK24686 | CGI on UNIX and Linux cannot see path to script in ARG0
PK25428 | 6.0.x IBM HTTP Server Administration server periodically segfaults with _read_nocancel in /lib/tls/libpthread.so.0

mod_cache: Fix inconsistent results from requests which are implemented as subrequests.

Allow diagnostic modules to track activity in log-transaction hook

Document Information

Modified date: 07 September 2022

UID: swg27008517