IBM Support

Fix list for IBM HTTP Server Version 8.0

Product Documentation


IBM HTTP Server provides periodic fixes for release 8.0. The following is a complete listing of fixes for Version 8.0 with the most recent fix at the top.


Back to all versions

Fix Pack 15 (
Fix Pack 14 (
Fix Pack 13 (
Fix Pack 12 (
Fix Pack 11 (
Fix Pack 10 (
Fix Pack 9 (
Fix Pack 8 (
Fix Pack 7 (
Fix Pack 6 (
Fix Pack 5 (
Fix Pack 4 (
Fix Pack 3 (
Fix Pack 2 (
Fix Pack 1 (

Fix release date: 30 April 2018
Last modified: 30 April 2018
Status: Recommended

Download Fix Pack 15

PI87445CVE-2017-9798 for IBM HTTP Server
PI87663CVE-2017-12618 for IBM HTTP Server
PI90598CVE-2017-12613 for IBM HTTP Server
PI84868Disable the 3DES cipher by default in IBM HTTP Server.
PI85478Disable symmetric offload by default when IHS is configured to use a crypto card.
PI85561SSL Fallback Protection related errors with SSLProxyEngine ON
PI85702SAFRunAs %%CERTIF%% asks for basic auth credentials (z/OS only)
PI85804Improve password failure error messages in authnz_saf (z/OS only)
PI88232Allow the server to handle requests with obsolete folds containing only spaces and/or tabs after PI73984.
PI88356Default ciphers with SSLFIPSEnable are System SSL defaults instead of IHS defaults. (z/OS only)
PI88553Print an error message that includes the errno and errno2 values if fail to find a specified saf-group.
PI90141IBM HTTP Server may hang at startup on z/Linux running on z14 hardware - upgrade GSKit to
PI90834abendoc4 in apr_pstrcat using saf-change-pw handler (z/OS only)
PI91075Add environment variable to record "SSLVersion" failure
PI91351Add toleration for TLS certificate extension InhibitAnyPolicy marked as non-critical
PI91975The 'Header unset Content-Type' directive does not unset the Content-Type response header.
PI92017Include CGI program name when writing stderr to the error log when using mod_cgi
PI92053Let child processes avoid graceful shutdown if ECONNREFUSED, ECONNABORTED, ECONNRESET occur during client accept()
PI92092FSUM6245 seen when upgrading IHS to a new fix pack and using an intermediate symbolic link

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix release date: 30 October 2017
Last modified: 30 October 2017
Status: Superseded

Download Fix Pack 14

PI73984CVE-2016-8743 for IBM HTTP Server
PI82260CVE-2017-3167 for IBM HTTP Server
PI82263CVE-2017-7668 for IBM HTTP Server
PI82481CVE-2017-7679 for IBM HTTP Server
PI69182IBM HTTP Server SSL cipher defaults may be displayed incorrectly on z/OS
PI72027IHS rewrite rule on IPV6 does not redirect correctly.
PI72350Fix potential crash in mod_mem_cache in IHS 8.5 and earlier.
PI72989Hangs related to mod_backtrace and mod_whatkilledus during a crash.
PI73027Crash with combination of mod_net_trace loaded and 'EnableSendfile ON' in httpd.conf.
PI73043Upgrade bundled GSKit security library
PI73661Session ID Daemon (sidd) memory leak
PI73819Allow an extended syntax for the SSLCipherSpec directive on z/OS (z/OS only)
PI74200Connection resets under heavy load when connecting to IHS on z/OS. (z/OS only)
PI75341/server-status doesn't display client IP until first request is read
PI76757Allow SSL handshake transcripts to be enabled or disabled
PI76874Further enhancements to PI50937 high cpu avoidance
PI78442Some sequences of server-side includes mixing '#include virtual=' and '#include file=' result in a HTTP 400 error.
PI78767HttpProtocolOptions does not get merged from global to virtualhost scope in 8.5 and earlier.
PI80356Upgrade bundled GSKit security library
PI80447Disable MMAP for static files by default on z/OS (z/OS only)
PI81360Allow SSL_/TLS_ prefixes to be used interchangeably for cipher long names
PI81589Use ECDHE_RSA ciphers by default under TLS1.2 in IBM HTTP Server 8.0 and 8.5
PI81602Issues with updating SAF password when using Firefox or Chrome (z/OS only)
PI83257Reduce memory usage from long mod_rewrite configurations.
PI83350Add jobname and job id to SMF 103 records for IBM HTTP Server (z/OS only)

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix release date: 20 February 2017
Last modified: 20 February 2017
Status: Superseded

Download Fix Pack 13

PI54962CVE-2016-0201 for IBM HTTP Server (GSKit upgrade)
PI63098CVE-2016-0718 for IBM HTTP Server (Distributed only)
PI65855CVE-2016-5387 for IBM HTTP Server
PI66849CVE-2012-0876, CVE-2012-1148, CVE-2016-4472
expat vulnerability fixes for IBM HTTP Server
PI49718Improve error_log reporting for 'SSLProxyEngine' handshake errors
PI49791Add the IfFile directive to allow processing directives based on file existance.
PI50376DGW compatibility for DOCUMENT_* CGI variables. (z/OS only)
PI50397No error log entries for 'SAFRunAs %%CERTIF_REQ%%' failures. (z/OS only)
PI50514SSL session ID cache daemon (SIDD) creates unnecessary entries
PI50937Alleviate looping between SSL and GSKit (IBM Global Security Kit)
PI51185Enhancements allowing use of SAFRunAsEarly for certificate switching
PI52299TLS_FALLBACK_SCSV support for IBM HTTP Server
PI54415Requests with CONTENT-LENGTH: 0 and any LimitRequestBody may result in a 413 error
PI54757Delay allocating an IHS thread until data is available on a new inbound TCP connection.
PI54808RewriteRule sees un-decoded characters in URL when mod_authnz_saf loaded (z/OS only)
PI56034No equivalent functionality for DGW ALWAYSWELCOME directive in IHS on z/OS.
PI57543Allow one address space per rotatelogs process to be conserved. (z/OS only)
PI57657INSTCONFPARTIALSUCCESS when the IBM HTTP Server installer cannot determine a local hostname.
PI58218IBM HTTP Server 'mod_cache' fixes.
PI59374Certificate expiration reporting for IBM HTTP Server.
PI59561Add pre/post password hooks to mod_authnz_saf. (z/OS only)
PI60207Upgrade bundled GSKit security library to (Distributed only)
PI60784IBM HTTP Server directives SSLCipherBan and SSLCipherRequire may crash when GSKit tracing is enabled. (Distributed only)
PI62663Some Server Side Includes (SSI) may not be translated as expected (z/OS only)
PI63482Add a private header with password change information for 401 response.
PI63682IHS mod_status displays many 'NULL' strings in request column.
PI64346SetEnvIf may be skipped with SAF auth enabled (z/OS only)
PI66183When MFA is configured, SAFRunAs fails with a permission error (z/OS only)
PI66695mod_reqtimeout can cause ' Async IO operation failed'
PI66787Session cache daemon (sidd) memory leak
PI66931Upgrade bundled GSKit security library to resolve TLS > 1.2 negotiation intolerance.
PI67595AuthSAFExpiration and AuthSAFReenter do not work when using a 401 errordocument (z/OS only)
PI70024Lower message severity to Info for cache return error when connection is aborted for the IBM HTTP Server error logging
PI70496Startup failures when 'SSLEnable' is specified globally instead of within a VirtualHost.
PI70829Provide additional message information for IBM HTTP Server TLS handshakes

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix release date: 01 February 2016
Last modified: 01 February 2016
Status: Superseded

Download Fix Pack 12

PI42928CVE-2015-3183 for IBM HTTP Server
PI44793CVE-2015-4947 for IBM HTTP Server Administration Server
PI44809CVE-2015-1788 for IBM HTTP Server
PI45596CVE-2015-1283 for IBM HTTP Server
PI52395CVE-2015-7420 for IBM HTTP Server
PI40885The 'SAFRunAs' directive implicitly requires access to the "OMVSAPPL" class in some RACF configurations (z/OS only)
PI40952Preserve quoting in SSLServerCert directive
PI45005Use of SAFRunAs %%CLIENT%% can result in ICH408I messages to be issued against the HTTP Server userid (z/OS only)
PI45740Encoding error on RewriteRule
PI46559The setupadm script on Linux fails to use an existing group without the -create parameter
PI46616Allow RewriteRule to use colon (':') in header names and values
PI46868REXX CGI'S may display as text in the browser (z/OS only)
PI47198IHS caching partial response for chunked responses
PI47605Support -t -DDUMP_SSL_CONFIG and -t -DDUMP_SSL_CIPHERS on Microsoft Windows
PI47642Honor a global LogLevel specified after a virtual host definition that does not explicitly set LogLevel
PI47445IHS V7.0 and V8.0 fail to start when using CharsetOptions NoImplicitAdd. (z/OS only)
PI48695DGW compatibility for CGI query strings and syntax in server-side includes. (z/OS only)
PI49165Add new request time logging formats
PI49473IBM HTTP Server mod_filter is unable to process pages with error response codes returned from WebSphere Plugin

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix release date: 17 August 2015
Last modified: 17 August 2015
Status: Superseded

Download Fix Pack 11

PI31516CVE-2014-8730: Enable strict CBC padding checks on TLS connections
PI34229Disable RC4-based TLS ciphers by default in IBM HTTP Server
PI36417CVE-2015-0138 for IBM HTTP Server
PI39833CVE-2015-1829 for IBM HTTP Server on Windows
PI28735ErrorDocument redirection for status code 414 (Request URI too long) does not work
PI30093Allow SSLProtocolDisable, SSLProtocolEnable, and SSLAttributeSet in the IBM HTTP Server configuration global
PI30323Add support for dual-mode ECDSA/RSA SSL virtual hosts
PI31566Allow IBM HTTP Server RLimit* directives to reduce hard limits
PI32841Some cipher names and keysizes are not logged when using %(SSL_CIPHER)e in LogFormat for access log
PI35219SSLOCSPEnable directive always enables OCSP (Online Certificate Status Protocol) even if value is 'OFF'
PI34017HTTP error 413 on static files results in a duplicate error message
PI35073IBM HTTP Server always supplies its own HTTP 'DATE' header to responses generated by the WebSphere webserver plug-in
PI35219ABEND0C1 when running install_ihs on z/OS
PI38322Allow mod_cache to ignore an 'Authorization' HTTP request header
PI38562CGI resources are briefly unavailable just after a restart
PI38828Enable unified config dump
PI38835IBM HTTP Server cannot log time-to-first-byte (TTFB)
PI39439DGW-style SSL environment variables are not set

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.

Fix release date: 16 February 2015
Last modified: 16 February 2015
Status: Superseded

Download Fix Pack 10

PI19700CVE-2014-0076: Local side-channel attack on ECDSA (GSKit upgrade)
PI22070Multiple Apache web server vulnerabilities:
CVE-2014-0118 (mod_deflate), CVE-2014-0226 (mod_status), CVE-2014-0231 (mod_cgid), CVE-2013-5704 (core)
PI27904CVE-2014-3566: IBM HTTP Server should disable weak SSL protocols and ciphers by default
PI17434SSLCACHE may fail due to SSLCACHEPORTFILENAME value being in use (z/OS only)
PI19581IBM HTTP Server modules specified without a path don't load
PI23005Allow logging of time taken during SSL handshake
PI24257'Header edit* ...' directive not accepted by IBM HTTP Server
PI25783Fatal getpwuid() error at IBM HTTP Server startup (z/OS only)
PI26507mod_proxy on z/OS doesn't try IPV4 addresses on systems where IPV6 connections fail (z/OS only)
PI26894Increase security libraries to resolve high CPU loop on 64bit Microsoft Windows
(GSKit upgrade to

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.

Fix release date: 23 June 2014
Last modified: 23 June 2014
Status: Superseded

Download Fix Pack 9

PI05309CVE-2013-6329: SSL session resumption vulnerability. (GSKit upgrade).
PI09345CVE-2013-6438: Potential Denial of Sevice in mod_dav for IBM HTTP Server.
PI09443CVE-2013-6747: GSKit Certificate Chain Vulnerability. (GSKit upgrade).
PI13028CVE-2014-0098: mod_log_config - Potential denial of service vulnerability
PI17025CVE-2014-0963: IBM HTTP Server high CPU utilization with SSL
PM97650IBM HTTP Server does not send SIGTERM to fastCGI application
PI04922IBM HTTP Server scaling/processing threads limited on 64-bit Microsoft Windows
PI06366IBM HTTP Server thread creation failures when scaling up from default configuration on RHEL6
PI08502Potential heap corruption under load for IBM HTTP Server with SSL enabled. (GSKit upgrade).
PI08715Potential mod_proxy crashes under load
PI13422Memory leak in GSKit 8.0.50 (GSKit upgrade)
PI15344IBM HTTP Server caching issues
PI16599Authentication failure gives LDAP error for non-LDAP configurations

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.27.

Fix release date: 13 January 2014
Last modified: 13 January 2014
Status: Superseded

Download Fix Pack 8

PM94008Timed-out ldap bind and search failures on reused connections are not retried
PM94143Use of SAFRunAs results in ICH408I messages to be issued against the HTTP Server userid (z/OS only)
PM94602ProxyRemote fails to work with SSL requests
PM96039The AcceptEx disablement notice should not appear in Windows Event Viewer

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.26.

Fix release date: 19 August 2013
Last modified: 19 August 2013
Status: Superseded

Download Fix Pack 7

PM85211CVE-2013-0169: TLS Vulnerability
PM87808CVE-2013-1862: mod_rewrite vulnerability
PM89996CVE-2013-1896: mod_dav vulnerability
PM84215mod_mpmstats may report incorrect values during startup or shutdown
PM87247Additional certificate attributes are needed as fields accessible to the SSLClientAuthRequire directive
PM89422IHS WebDAV requests slow on Windows

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.25.

Fix release date: 29 April 2013
Last modified: 29 April 2013
Status: Superseded

Download Fix Pack 6

PM76110CVE-2012-4557: mod_proxy_ajp incorrectly marks backend WAS CE server down
PM80058CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules
PM69188Installation of IBM HTTP Server completes with a warning. Failure occurs because the system's hostname is not set.
PM70994SSLFakeBasicAuth depends on LoadModule order
PM71102<Location> settings don't affect some mod_negotiation generated content
PM73304Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server
PM75876The 'Header' directive can't set a header only if the header is absent, even when using 'EDIT' mode or relying on other modules.
PM77980IBM HTTP Server should not add the Server: header by default
PM78087IBM HTTP Server high memory use when many hundreds of RewriteCond %{REQUEST_URI}
PM78144IBM HTTP Server large logformats cannot be correctly logged by piped loggers
PM78434Provide end-to-end timeouts for SSL handshakes
PM79015mod_disk_cache on Windows gives error: '(OS 5) Access is denied: disk_cache: Rename tempfile to datafile failed'
PM80235NIST SP800-131a support for IBM HTTP Server

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.

Fix release date: 12 November 2012
Last modified: 12 November 2012
Status: Superseded

Download Fix Pack 5

PM66470CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site
PM72915TLS compression should be disabled by default in IBM HTTP Server
PM63634admin.password file was reset after installing fix pack
PM68007Non-root IBM HTTP Server install fails if primary group has no name
PM70591IHS on Microsoft Windows startup failure with SSLv3Timeout or SSLv2Timeout in vhost: 'master_main: create child process failed.'
PM71612Additional non-serviceable files added for IBM HTTP Server.

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.

Fix release date: 06 August 2012
Last modified: 06 August 2012
Status: Superseded

Download Fix Pack 4

PM58899CVE-2012-0883: IBM HTTP Server incorrectly sets paths for startup
PM66218Upgrade bundled GSKit security library
PM56585mod_authnz_ldap can generate many unnecessary ldap queries while processing 'Require group'
PM57197Enhancements to IBM HTTP Server serviceability capabilities for hung threads and slow modules.
PM58545mod_perl build cannot find "OPT_INCNOEXEC"
PM62011mod_log_config: The wrong cookie can be logged

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.22.

Fix release date: 16 April 2012
Last modified: 16 April 2012
Status: Superseded

Download Fix Pack 3

PM52351CVE-2012-0717: SSLClientAuth Required_reset is not enforced for SSLv2 connections.
PM55760CVE-2012-0031: Possible parent process crash when untrusted code is run in child.
PM56128CVE-2012-0053: Possible httpOnly cookie disclosure on compromised site.
PM53340Incorrect request body handling with Expect: 100-continue.
PM54289install_ihs script results in errors in the postinstall process. (z/OS only)
PM54387ABEND EC6 after IHS shutdown when using piped loggers. (z/OS only)

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.22.

Fix release date: 16 January 2012
Last modified: 16 January 2012
Status: Superseded

Download Fix Pack 2

PM47852CVE-2011-3348: mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized.
PM48384CVE-2011-3368, CVE-2011-3639, CVE-2011-4317: Potential pattern expansion problem when mod_proxy and mod_rewrite are used together.
PM50426CVE-2011-3607: Potential buffer overflow and high memory usage in IBM HTTP Server (ap_pregsub)
PM43037ProxyPass broken due to ebcdic to ascii translation issue with interim response headers
PM43354No error message for rotatelogs syntax errors
PM44635IHS returns 500 instead of 401 for a revoked SAF userid
PM44816Provide end-to-end timeouts for slow requests
PM45618IHS threads can hang in ldap_bind() without any timeout
PM47429IHS mod_ldap fails at runtime with 'SSL support failed initialization'
PM49573IHS startup failure on Windows: 'master_main: create child process failed.'

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.21.

Fix release date: 26 September 2011
Last modified: 26 September 2011
Status: Superseded

Download Fix Pack 1

PM38826CVE-2011-0419: apr_fnmatch() routine can result in high CPU with use of mod_autoindex
PM46234CVE-2011-3192: Potential Denial of Service with malicious range requests
PM27886Provide secure SSL renegotiation
PM37261Use of RLimitMEM and RLimitCPU with mod_cgid on IHS 7.0 fails with an Out of Memory error on Unix
PM37405mod_authnz_saf on z/OS does not allow user to control behavior when user password is expired
PM38313Piped loggers that continuously restart cause pipe and file descriptor leaks

Note: IBM HTTP Server contains all applicable security fixes in Apache HTTP Server versions up through 2.2.20.

[{"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":";;;;;;;;;;;;;;;8.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
07 September 2022