Product Documentation
Abstract
IBM HTTP Server provides periodic fixes for release 7.0. The following is a complete listing of fixes for Version 7.0 with the most recent fix at the top.
Content
Note: There is no Fix Pack 1 delivered for IBM HTTP Server. Fix Pack 3 is the first maintenance Fix Pack delivered for IBM HTTP Server V7.0, followed by odd-numbered Fix Packs going forward.
Fix release date: 30 April 2018 Last modified: 30 April 2018 Status: Recommended
APAR | Description |
PI82260 | CVE-2017-3167 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280 |
PI82263 | CVE-2017-7668 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280 |
PI82481 | CVE-2017-7679 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280 |
PI87445 | CVE-2017-9798 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
PI87663 | CVE-2017-12618 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
PI90598 | CVE-2017-12613 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22013598 |
PI91913 | CVE-2018-1388 for IBM HTTP Server (ROBOT for GSKit). http://www-01.ibm.com/support/docview.wss?uid=swg22014196 |
PI75341 | /server-status doesn't display client IP until first request is read |
PI76757 | Allow SSL handshake transcripts to be enabled or disabled |
PI78442 | Some sequences of server-side includes mixing '#include virtual=' and '#include file=' result in a HTTP 400 error. |
PI78767 | HttpProtocolOptions does not get merged from global to virtualhost scope in 8.5 and earlier. |
PI80447 | Disable MMAP for static files by default on z/OS (z/OS only) |
PI81360 | Allow SSL_/TLS_ prefixes to be used interchangeably for cipher long names |
PI81602 | Issues with updating SAF password when using Firefox or Chrome (z/OS only) |
PI83257 | Reduce memory usage from long mod_rewrite configurations. |
PI83350 | Add jobname and job id to SMF 103 records for IBM HTTP Server (z/OS only) |
PI84868 | Disable the 3DES cipher by default in IBM HTTP Server. |
PI85702 | SAFRunAs %%CERTIF%% asks for basic auth credentials (z/OS only) |
PI85804 | Improve password failure error messages in authnz_saf (z/OS only) |
PI88232 | Allow the server to handle requests with obsolete folds containing only spaces and/or tabs after PI73984. |
PI88356 | Default ciphers with SSLFIPSEnable are System SSL defaults instead of IHS defaults. (z/OS only) |
PI88553 | Print an error message that includes the errno and errno2 values if fail to find a specified saf-group. |
PI89257 | Error opening new SSL keystores with IHS 7.0 |
PI91075 | Add environment variable to record "SSLVersion" failure |
PI91975 | The 'Header unset Content-Type' directive does not unset the Content-Type response header. |
PI93619 | Upgrade bundled GSKit security library (GSKit upgrade to 7.0.5.15) |
Note: IBM HTTP Server 7.0.0.45 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Fix release date: 24 April 2017 Last modified: 24 April 2017 Status: Superseded
APAR | Description |
PI63098 | CVE-2016-0718 for IBM HTTP Server (Distributed only) http://www-01.ibm.com/support/docview.wss?&uid=swg21988026 |
PI65855 | CVE-2016-5387 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988019 |
PI66849 | CVE-2012-0876, CVE-2012-1148, CVE-2016-4472 expat vulnerability fixes for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026 |
PI73984 | CVE-2016-8743 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21996847 |
PI56034 | No equivalent functionality for DGW ALWAYSWELCOME directive in IHS on z/OS. |
PI57543 | Allow one address space per rotatelogs process to be conserved. (z/OS only) |
PI58218 | IBM HTTP Server mod_cache fixes. |
PI59561 | Add pre/post password hooks to mod_authnz_saf. (z/OS only) |
PI62663 | Some Server Side Includes (SSI) may not be translated as expected (z/OS only) |
PI63482 | Add a private header with password change information for 401 response. |
PI63682 | IHS mod_status displays many 'NULL' strings in request column. |
PI64346 | SetEnvIf may be skipped with SAF auth enabled (z/OS only) |
PI66695 | mod_reqtimeout can cause 'java.io.IOException: Async IO operation failed' |
PI66787 | Session cache daemon (sidd) memory leak |
PI67595 | AuthSAFExpiration and AuthSAFReenter do not work when using a 401 errordocument (z/OS only) |
PI70024 | Lower message severity to Info for cache return error when connection is aborted for the IBM HTTP Server error logging |
PI70496 | Startup failures when 'SSLEnable' is specified globally instead of within a VirtualHost. |
PI70829 | Provide additional message information for IBM HTTP Server TLS handshakes |
PI72027 | IHS rewrite rule on IPV6 does not redirect correctly. |
PI72350 | Potential crash in mod_mem_cache in IHS 8.5 and earlier. |
PI73027 | Crash with combination of mod_net_trace loaded and 'EnableSendfile ON' in httpd.conf |
Note: IBM HTTP Server 7.0.0.43 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.32.
Fix release date: 11 April 2016 Last modified: 11 April 2016 Status: Superseded
APAR | Description |
PI45005 | Use of SAFRunAs %%CLIENT%% can result in ICH408I messages to be issued against the HTTP Server userid |
PI46616 | Allow RewriteRule to use colon (':') in header names and values |
PI46868 | REXX CGI'S may display as text in the browser |
PI47198 | IHS caching partial response for chunked responses |
PI47445 | IHS V7.0 and V8.0 fail to start when using CharsetOptions NoImplicitAdd. (z/OS only) |
PI47642 | Honor a global LogLevel specified after a virtual host definition that does not explicitly set LogLevel |
PI47828 | IBM HTTP Server on z/OS fails to start with CC=0137 and ABENDU4093 RC00000281 (z/OS only) |
PI48695 | DGW compatibility for CGI query strings and syntax in server-side includes. (z/OS only) |
PI49165 | Add new request time logging formats |
PI49473 | IBM HTTP Server mod_filter is unable to process pages with error response codes returned from WebSphere Plugin |
PI49718 | Improve error_log reporting for 'SSLProxyEngine' handshake errors |
PI49791 | Add the IfFile directive to allow processing directives based on file existence |
PI50376 | DGW compatibility for DOCUMENT_* CGI variables. (z/OS only) |
PI50397 | No error log entries for 'SAFRunAs %%CERTIF_REQ%%' failures. (z/OS only) |
PI50514 | SSL session ID cache daemon (SIDD) creates unnecessary entries |
PI51185 | Enhancements allowing use of SAFRunAsEarly for certificate switching |
PI52299 | TLS_FALLBACK_SCSV support for IBM HTTP Server |
PI54415 | Requests with CONTENT-LENGTH: 0 and any LimitRequestBody may result in a 413 error |
PI54757 | Delay allocating an IHS thread until data is available on a new inbound TCP connection. |
PI54808 | RewriteRule sees un-decoded characters in URL when mod_authnz_saf loaded |
Note: IBM HTTP Server 7.0.0.41 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
Fix release date: 02 November 2015 Last modified: 02 November 2015 Status: Superseded
APAR | Description |
PI34229 | Disable RC4-based TLS ciphers by default in IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21701072 |
PI36417 | CVE-2015-0138 for IBM HTTP Server (GSKit upgrade to 7.0.5.5) http://www-01.ibm.com/support/docview.wss?uid=swg21698959 |
PI39833 | CVE-2015-1829 for IBM HTTP Server on Windows http://www-01.ibm.com/support/docview.wss?uid=swg21959081 |
PI42928 | CVE-2015-3183: Incorrect parsing of chunked headers http://www-01.ibm.com/support/docview.wss?uid=swg21963361 |
PI44793 | CVE-2015-4947 in IBM HTTP Server Administration Server http://www-01.ibm.com/support/docview.wss?uid=swg21965419 |
PI45596 | CVE-2015-1283 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21964428 |
PI33527 | SSLOCSPEnable directive always enables OCSP (Online Certificate Status Protocol) even if value is 'OFF' |
PI34017 | HTTP error 413 on static files results in a duplicate error message. |
PI35073 | IBM HTTP Server always supplies its own HTTP 'DATE' header to responses generated by the WebSphere webserver plug-in. |
PI35219 | ABEND0C1 when running install_ihs |
PI38322 | Allow mod_cache to ignore an 'Authorization' HTTP request header. |
PI38562 | CGI resources are briefly unavailable just after a restart |
PI38828 | Enable unified config dump |
PI38835 | IBM HTTP Server cannot log time-to-first-byte (TTFB) |
PI40952 | Preserve quoting in SSLServerCert directive |
PI45740 | Encoding error on RewriteRule |
Note: IBM HTTP Server 7.0.0.39 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
Fix release date: 13 March 2015 Last modified: 13 March 2015 Status: Superseded
APAR | Description |
PI31516 | CVE-2014-8730: Enable strict CBC padding checks on TLS connections http://www-01.ibm.com/support/docview.wss?&uid=swg21697369 |
PI27904 | IBM HTTP Server should disable weak SSL protocols and ciphers by default |
PI23005 | Allow logging of time taken during SSL handshake |
PI24257 | 'Header edit* ...' directive not accepted by IBM HTTP Server |
PI25783 | Fatal getpwuid() error at IBM HTTP Server startup (z/OS only) |
PI26507 | mod_proxy on z/OS doesn't try IPV4 addresses on systems where IPV6 connections fail (z/OS only) |
PI28735 | ErrorDocument redirection for status code 414 (Request URI too long) does not work |
PI30093 | Allow SSLProtocolDisable, SSLProtocolEnable, and SSLAttributeSet in the IBM HTTP Server global configuration |
PI31566 | Allow IBM HTTP Server RLimit* directives to reduce hard limits |
Note: IBM HTTP Server 7.0.0.37 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
Fix release date: 13 October 2014 Last modified: 13 October 2014 Status: Superseded
APAR | Description |
PI22070 | Multiple Apache web server vulnerabilities: CVE-2014-0118 (mod_deflate), CVE-2014-0226 (mod_status), CVE-2014-0231 (mod_cgid), CVE-2013-5704 (core) http://www-01.ibm.com/support/docview.wss?&uid=swg21684612 |
PI17434 | SSLCACHE may fail due to SSLCACHEPORTFILENAME value being in use (z/OS only) |
PI19581 | IBM HTTP Server modules specified without a path don't load |
Note: IBM HTTP Server 7.0.0.35 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
Fix release date: 23 June 2014 Last modified: 23 June 2014 Status: Superseded
APAR | Description |
PI05309 | CVE-2013-6329: SSL session resumption vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
PI09345 | CVE-2013-6438: Potential Denial of Service in mod_dav for IBM HTTP Server. http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
PI09443 | CVE-2013-6747: GSKit Certificate Chain Vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
PI13028 | CVE-2014-0098: mod_log_config - Potential denial of service vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
PI17025 | CVE-2014-0963: IBM HTTP Server high CPU utilization with SSL http://www-01.ibm.com/support/docview.wss?&uid=swg21676091 |
PM97650 | IBM HTTP Server does not send SIGTERM to fastCGI application |
PI06366 | IBM HTTP Server thread creation failures when scaling up from default configuration on RHEL6 |
PI08502 | Potential heap corruption under load for IBM HTTP Server with SSL enabled. (GSKit upgrade). |
PI08715 | Potential mod_proxy crashes under load |
PI15344 | IBM HTTP Server caching issues |
PI16599 | Authentication failure gives LDAP error for non-LDAP configurations |
Note: IBM HTTP Server 7.0.0.33 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.27.
Fix release date: 13 January 2014 Last modified: 13 January 2014 Status: Superseded
APAR | Description |
PM87808 | CVE-2013-1862: mod_rewrite vulnerability http://www-01.ibm.com/support/docview.wss?uid=swg21661323 |
PM89996 | CVE-2013-1896: mod_dav vulnerability http://www-01.ibm.com/support/docview.wss?uid=swg21661323 |
PM84215 | mod_mpmstats may report incorrect values during startup or shutdown |
PM89422 | IHS WebDAV requests slow on Windows. |
PM94008 | Timed-out ldap bind and search failures on reused connections are not retried |
PM94143 | Use of SAFRunAs results in ICH408I messages to be issued against the HTTP Server userid (z/OS only) |
PM94602 | ProxyRemote fails to work with SSL requests |
PM96039 | The AcceptEx disablement notice should not appear in Windows Event Viewer |
Note: IBM HTTP Server 7.0.0.31 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.26.
Fix release date: 24 June 2013 Last modified: 24 June 2013 Status: Superseded
APAR | Description |
PM76110 | CVE-2012-4557: mod_proxy_ajp incorrectly marks backend WAS CE server down |
PM80058 | CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules https://exchange.xforce.ibmcloud.com/vulnerabilities/82359 https://exchange.xforce.ibmcloud.com/vulnerabilities/82360 |
PM85211 | CVE-2013-0169: TLS Vulnerability (This fix upgrades the bundled GSKit security library) https://exchange.xforce.ibmcloud.com/vulnerabilities/81902 |
PM75876 | The 'Header' directive can't set a header only if the header is absent, even when using 'EDIT' mode or relying on other modules. |
PM77980 | IBM HTTP Server should not add the Server: header by default |
PM78087 | IBM HTTP Server high memory use when many hundreds of RewriteCond %{REQUEST_URI} |
PM78144 | IBM HTTP Server large logformats cannot be correctly logged by piped loggers |
PM79015 | mod_disk_cache on Windows gives error: '(OS 5) Access is denied: disk_cache: Rename tempfile to datafile failed' |
Note: IBM HTTP Server 7.0.0.29 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.
Fix release date: 21 January 2013 Last modified: 21 January 2013 Status: Superseded
APAR | Description |
PM70591 | IHS on Microsoft Windows startup failure with SSLv3Timeout or SSLv2Timeout in vhost: 'master_main: create child process failed.' |
PM70994 | SSLFakeBasicAuth depends on LoadModule order |
PM71102 | <Location> settings don't affect some mod_negotiation generated content |
PM73304 | Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server |
Note: IBM HTTP Server 7.0.0.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.
Fix release date: 24 September 2012 Last modified: 24 September 2012 Status: Superseded
APAR | Description |
PM66470 | CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site. |
PM62011 | mod_log_config: The wrong cookie can be logged |
PM66218 | Upgrade bundled GSKit security library |
Note: IBM HTTP Server 7.0.0.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.
Fix release date: 28 May 2012 Last modified: 28 May 2012 Status: Superseded
APAR | Description |
PM52351 | CVE-2012-0717: SSLClientAuth Required_reset is not enforced for SSLv2 connections. https://exchange.xforce.ibmcloud.com/vulnerabilities/73749 |
PM55760 | CVE-2012-0031: Possible parent process crash when untrusted code is run in child. https://exchange.xforce.ibmcloud.com/vulnerabilities/72377 |
PM56128 | CVE-2012-0053: Possible httpOnly cookie disclosure on compromised site. https://exchange.xforce.ibmcloud.com/vulnerabilities/72758 |
PM58899 | CVE-2012-0883: IBM HTTP Server incorrectly sets paths for startup https://exchange.xforce.ibmcloud.com/vulnerabilities/74901 |
PM53340 | Incorrect request body handling with Expect: 100-continue. |
PM54289 | install_ihs script results in errors in the postinstall process. (z/OS only) |
PM54387 | ABEND EC6 after IHS shutdown when using piped loggers. (z/OS only) |
PM56585 | mod_authnz_ldap can generate many unnecessary ldap queries while processing 'Require group' |
PM57197 | Enhancements to IBM HTTP Server serviceability capabilities for hung threads and slow modules. |
PM58545 | mod_perl build cannot find "OPT_INCNOEXEC" in IHS 7.0 |
Note: IBM HTTP Server 7.0.0.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.22.
Fix release date: 16 January 2012 Last modified: 16 January 2012 Status: Superseded
APAR | Description |
PM46234 | CVE-2011-3192: Potential Denial of Service with malicious range requests https://exchange.xforce.ibmcloud.com/vulnerabilities/69396 |
PM47852 | CVE-2011-3348: mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized. |
PM48384 | CVE-2011-3368, CVE-2011-3639, CVE-2011-4317: Potential pattern expansion problem when mod_proxy and mod_rewrite are used together. |
PM50426 | CVE-2011-3607: Potential buffer overflow and high memory usage in IBM HTTP Server (ap_pregsub) |
PM43037 | ProxyPass broken due to ebcdic to ascii translation issue with interim response headers |
PM43354 | No error message for rotatelogs syntax errors |
PM44635 | IHS returns 500 instead of 401 for a revoked SAF userid |
PM44816 | Provide end-to-end timeouts for slow requests |
PM45618 | IHS threads can hang in ldap_bind() without any timeout |
PM47429 | IHS mod_ldap fails at runtime with 'SSL support failed initialization' |
PM49573 | IHS startup failure on Windows: 'master_main: create child process failed.' |
Note: IBM HTTP Server 7.0.0.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.21.
Fix release date: 12 September 2011 Last modified: 12 September 2011 Status: Superseded
APAR | Description |
PM38826 | CVE-2011-0419 apr_fnmatch() routine can result in high CPU with use of mod_autoindex https://exchange.xforce.ibmcloud.com/vulnerabilities/67414 |
PM27886 | Upgrade bundled GSKit security library including secure SSL renegotiation |
PM31189 | URL containing "%2F" is being decoded to "/" with AllowEncodedSlashes On |
PM35469 | Network fragmentation occurs with SSL and mod_deflate |
PM37261 | Use of RLimitMEM and RLimitCPU with mod_cgid on IHS 7.0 fails with an Out of Memory error on Unix |
PM37405 | mod_authnz_saf on z/OS does not allow user to control behavior when user password is expired |
PM38313 | Piped loggers that continuously restart cause pipe and file descriptor leaks |
Note: IBM HTTP Server 7.0.0.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.19.
Fix release date: 16 May 2011 Last modified: 16 May 2011 Status: Superseded
APAR | Description |
PM26041 | SSL forward proxy closes idle connections during graceful process exit |
PM31763 | 'Header edit' deletes multiple headers |
Note: IBM HTTP Server 7.0.0.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.17.
Fix release date: 28 February 2011 Last modified: 28 February 2011 Status: Superseded
APAR | Description |
PM23263 | CVE-2010-1623: apr-util vulnerabilities https://exchange.xforce.ibmcloud.com/vulnerabilities/62235 |
PM24234 | CVE-2009-3560 & CVE-2009-3720: mod_dav UTF-8 sequence handling problem https://exchange.xforce.ibmcloud.com/vulnerabilities/54598 https://exchange.xforce.ibmcloud.com/vulnerabilities/52686 |
PM20672 | IHS SSL initialization fails if SSLClientAuthRequire or SSLClientAuthGroup ends with an unquoted string |
PM20934 | "MaxClients reached" message can occur prematurely |
Note: IBM HTTP Server 7.0.0.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.17.
Fix release date: 25 October 2010 Last modified: 25 October 2010 Status: Superseded
APAR | Description |
PM16366 | CVE-2010-2068: mod_proxy_http vulnerability for Windows platform |
PM18904 | CVE-2010-1452: mod_dav vulnerability |
PM00138 | mod_fastcgi: Intermittent Connection Refused error at startup when using FastCGI |
PM14028 | mod_deflate: Invalid Etag emitted |
PM15623 | mod_ldap and mod_authnz_ldap: Nested group failures |
PM17269 | When SSLUnknownRevocationStatus is not explicitly configured, a SSL0275E debug message is logged at notice level |
Note: IBM HTTP Server 7.0.0.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.16.
Fix release date: 18 June 2010 Last modified: 18 June 2010 Status: Superseded
APAR | Description |
PM08939 | CVE-2010-0434: mod_headers / CVE-2010-0408 |
PM07113 | Update GSKit to 7.0.4.28 |
PM04628 | gsk7cmd/gsk7capicmd parsing error on '-dn' <dist name> for organization unit (O=) with a space in the name |
PM07976 | apachectl start or stop can fail in some locales (z/OS only) |
PM09819 | IBM HTTP Server error log warning; "Not owner: processor unbind failed -1" in an AIX WPAR environment |
PM10270 | IBM HTTP Server can fail during an upload that is greater than 2GB if SSL is used |
Note: IBM HTTP Server 7.0.0.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.15.
Fix release date: 29 March 2010 Last modified: 29 March 2010 Status: Superseded
APAR | Description |
PK96858 | CVE-2009-3094 & CVE-2009-3095: mod_proxy_ftp vulnerabilities https://exchange.xforce.ibmcloud.com/vulnerabilities/53041 |
PM00675 | CVE-2009-3555: TLS/SSL protocol MITM vulnerability |
PK92520 | Request for a URI with a long file path can fail on z/OS |
PK96600 | Prevent runaway forking if the accept mutex is damaged |
PK94007 | mod_mem_cache: segmentation fault |
PK95497 | IBM HTTP Server may fail to ignore some cache related headers even when CacheIgnoreHeaders is configured |
PK96410 | Intermittent error reading status line with http proxy |
PK96500 | mod_mem_cache, mod_disk_cache: IBM HTTP Server should not cache incomplete responses |
PK97740 | IBM HTTP Server does not log 408 to the access log when an HTTP request is not sent within the timeout period |
PK98225 | Cache responses with s-maxage set |
PK99128 | IBM HTTP Server won't start on z/OS after install_ihs creates symlinks to version root |
PM00101 | GSKit crash on Microsoft Windows 32bit or AIX operating systems plus purify |
PM00136 | "apachectl stop" fails if the z/OS resolver is down |
Note: IBM HTTP Server 7.0.0.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.14.
Fix release date: 13 November 2009 Last modified: 13 November 2009 Status: Superseded
APAR | Description |
PK88341 | CVE-2009-0023: Underflow in apr_strmatch_precompile & CVE-2009-1956: apr_brigade_vprintf off-by-one overflow vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/50964 |
PK88342 | CVE-2009-1955: apr_xml_* interface vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/50994 |
PK91259 | CVE-2009-1890: mod_proxy_http vulnerability |
PK91361 | CVE-2009-1891: mod_deflate vulnerability https://exchange.xforce.ibmcloud.com/vulnerabilities/51626 |
PK93225 | CVE-2009-2412: Apache Portable Runtime memory allocation functions can return invalid pointers |
PK87590 | %{SERVER_PORT} variable incorrectly resolves to '80' when SSL issued but no port number is provided on the ServerName directive |
PK87717 | mod_charset_lite translates inbound HTTP request bodies |
PK90571 | When HTTP Server is configured to use SSL reverse proxy, segmentation faults may occur |
PK93106 | Cannot configure IHS response to unknown revocation status via OCSP |
PK93112 | Disable SSLv3 protocol when SSLFIPSEnable is configured |
PK93510 | Piped errorlog loses initialization error message |
Note: IBM HTTP Server 7.0.0.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.13.
Fix release date: 27 July 2009 Last modified: 27 July 2009 Status: Superseded
APAR | Description |
PK86232 | CVE-2009-1195: 'AllowOverride Options=IncludesNOEXEC' allows override of includes with exec https://exchange.xforce.ibmcloud.com/vulnerabilities/50808 |
PK77458 | Cached responses contain incorrect Content-Type and Content-Encoding headers on IBM HTTP Server |
PK78007 | When an SSL request arrives shortly after an IHS restart, a SSL0600S error is logged |
PK78073 | Can't configure mod_charset_lite to translate only mod_autoindex output |
PK78299 | Allow startup of IBM Administration Server by a non-root userid |
PK78333 | Translate 100-Continue responses to ASCII |
PK79583 | LDAP retry logic insufficient on transient LDAP errors |
PK79915 | Slow memory leak on z/OS when IBM HTTP Server is configured to request client SSL Certificates |
PK81016 | mod_proxy_ftp cannot serve files with wildcards in their names |
PK81733 | mod_authnz_ldap can't pass filter simple enough to support SDBM-backed LDAP (RACF over LDAP) |
PK83734 | Can't create CMS keyfile with IHS 7.0 from 64-bit Supplemental media on z/Linux |
PK84899 | Failure and crash in IHS Administration Server during stop operation |
Note: IBM HTTP Server 7.0.0.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.11.
Fix release date: 27 March 2009 Last modified: 27 March 2009 Status: Superseded
APAR | Description |
PK72236 | mod_charset_lite suppresses some browser error messages |
PK74791 | SSL0267E doesn't distinguish between timeouts establishing and completing the SSL handshake |
Note: IBM HTTP Server 7.0.0.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.11.
Document Information
More support for:
IBM HTTP Server
Software version:
7.0.0.9, 7.0.0.7, 7.0.0.5, 7.0.0.45, 7.0.0.43, 7.0.0.41, 7.0.0.39, 7.0.0.37, 7.0.0.35, 7.0.0.33, 7.0.0.31, 7.0.0.3, 7.0.0.29, 7.0.0.27, 7.0.0.25, 7.0.0.23, 7.0.0.21, 7.0.0.19, 7.0.0.17, 7.0.0.15, 7.0.0.13, 7.0.0.11, 7.0
Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows
Document number:
321319
Modified date:
07 September 2022
UID
swg27014506