Product Documentation
Abstract
IBM HTTP Server provides periodic fixes for release 8.5. The following is a complete listing of fixes, with the most recent fix at the top.
Content
Download Fix Pack 8.5.5.28
| Security APAR | APAR | Description |
| | PH65829 | Ensure embedded expat library is always used with an entity handler. |
Notes:
- IBM HTTP Server 8.5.5.28 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.63.
- IBM HTTP Server 8.5.5.28 with PH68462 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.66.
Download Fix Pack 8.5.5.27
| Security APAR | APAR | Description |
| ✓ | PH61893 | IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-38476 and more) |
| ✓ | PH62263 | IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-40725, CVE-2024-40898) |
| | PH61590 | Trigger operator console or CEEDUMP for children that are slow to exit during shutdown |
| | PH62717 | Restrict read permissions on files used to establish SysV shared memory |
| | PH62889 | Instrument more Apache hooks with %{RH}e |
| | PH63077 | Port fixes from libexpat 2.6.3 |
| | PH64037 | Backport fixes from expat-2.6.4 |
| | PH64942 | GSKit 8.0.60.x toleration and non-libcurl CRL/OCSP client |
Notes:
- IBM HTTP Server 8.5.5.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.63.
- IBM HTTP Server 8.5.5.27 with IFPH67513 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.64.
Download Fix Pack 8.5.5.26
| Security APAR | APAR | Description |
| ✓ | PH59697 | IBM HTTP Server is vulnerable to a denial of service due to libexpat (CVE-2023-52425 CVSS 7.5). |
| ✓ | PH60619 | IBM HTTP Server is vulnerable to HTTP response splitting due to the included Apache HTTP Server (CVE-2024-24795 CVSS 6.5, CVE-2023-38709 CVSS 6.5). |
| | PH59012 | Fix possible crashes at the end of apachectl -t. z/OS only. |
| | PH59165 | bin/envvars in newly created IHS instances now enables HEAPPOOLS and HEAPPOOLS64 by default. z/OS only. |
| | PH60306 | Avoid crash during graceful exit after thread creation errors. |
| | PH60645 | Stop reporting a generic SSL0212E for some obscure cases where SSLHandhsakeTimeout was explicitly triggered. |
| | PH60863 | Potential crash on Windows at shutdown or when exiting due to MaxRequestsPerChild. |
Notes:
- IBM HTTP Server 8.5.5.26 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.62.
Download Fix Pack 8.5.5.25
| Security APAR | APAR | Description |
| | PH55613 | Resolve some cases of "Configuration errors were detected during the installation" due to deleted files |
| | PH56093 | IHS child processes crash leaks 1 message queue |
| | PH56308 | Default ExtendedStatus to ON |
| | PH56340 | Extended reporting of some startup errors |
| | PH56383 | Connection not closed as expected after first response of HTTP request smuggling test |
| | PH57408 | Log consecutive failing accept() calls and give the option to gracefully exit. z/OS only. |
Notes:
- IBM HTTP Server 8.5.5.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.
- IBM HTTP Server 8.5.5.25 + IFPH60619 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.59.
Download Fix Pack 8.5.5.24
| Security APAR | APAR | Description |
| ✓ | PH51982 | IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server and Apache Portable Runtime. |
| ✓ | PH52546 | IBM HTTP Server is vulnerable to information disclosure due to IBM GSKit (CVE-2023-32342). |
| ✓ | PH52754 | IBM HTTP Server is vulnerable to a denial of service (CVE-2023-26281). |
| ✓ | PH53014 | IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690). |
| | PH44893 | Update GSKit to 8.0.55.31 for new RNG. |
| | PH51473 | Remove RSA key exchange ciphers from defaults. |
| | PH52642 | Improve error log message for invalid HTTP header name or value by identifying the first bad character. |
| | PH53848 | Add %{tzoff}t alternative to %{%z}t on Windows. |
| | PH54015 | RewriteRule trailing question mark errors with IFPH53014. |
| | PH54894 | Add OCSPCacheSize directive to control the OCSP cache size. |
| | PH55007 | bin/set_attributes.sh warning about chatr. |
Notes:
- IBM HTTP Server 8.5.5.24 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.57.
Download Fix Pack 8.5.5.23
| Security APAR | APAR | Description |
| ✓ | PH46897 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-28615, CVE-2022-29404, CVE-2022-30556, CVE-2022-31813, CVE-2022-28614). |
| ✓ | PH49572 | Update bundled expat for CVE-2022-40674. |
| ✓ | PH50316 | Update bundled expat for CVE-2022-43680, CVE-2017-9233, and CVE-2013-0340. |
| | PH47348 | Add KeepAliveTimeoutDelay to help avoid keepalive races. |
| | PH47518 | Report the average response time of active requests in the WAS plug-in along with WAS plug-in specific request states: TPCN, TPSB, TPWR, TPRB. |
| | PH47792 | z/OS keepalive timeout is wrong for slow responses. |
| | PH48168 | mod_authnz_saf rejects password with a single slash. |
| | PH49311 | Upgrade GSKit to 8.0.55.29: TLSv1.3 client authentication failures with GNUTLS-based clients. |
Notes:
- IBM HTTP Server 8.5.5.23 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56.
| Security APAR | APAR | Description |
| ✓ | PH43122 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-23852 CVSS 9.8 and more) |
| ✓ | PH44271 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-25313, CVE-2022-25315, CVE-2022-25235, CVE-2022-25236) |
| ✓ | PH44829 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-22720, CVE-2022-22719, CVE-2022-22721) |
| | PH43696 | With SSLFIPSEnable and SSLProxyEngine enabled, handshakes may fail with GSK_ERROR_UNSUPPORTED. |
| | PH44114 | IHS may appear to hang if MaxRequestsPerChild is non-zero, because a replacement process will not be launched. |
| | PH44330 | IBM HTTP Server has unnecessary APF authorization on binary files. |
| | PH46094 | Provide option to increase logging level of TrackHooksOptions logslow. |
Notes:
- IBM HTTP Server 8.5.5.22 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56.
Fix release date: 14 February 2022 Last modified: 21 February 2022 Status: Superseded
| Security APAR | APAR | Description |
| ✓ | PH40343 | Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server |
| | PH22727 | Keepalive connections may be closed up to 100ms early |
| | PH37899 | Enhance mod_whatkilledus to print backtraces |
| | PH38515 | z/OS: ErrorDocuments that specify literal strings were not translated correctly from EBCDIC to ASCII |
| | PH39660 | z/OS: IHS may crash at startup in the sigaction() system call |
| | PH40832 | Upgrade GSKit to 8.0.55.25 |
| | PH41075 | z/OS: When the IHS parent process crashes, the started task ends but other child processes are not automatically terminated |
| | PH41413 | z/OS: Recover from a stale logs/httpd.pid file |
| | PH41891 | Backport rotatelogs improvements from 9.0/2.4 |
| | PH42030 | IHS may crash in the sidDelete function |
| | PH42072 | Potential crash with LDAP: set_parent_child_pointers |
Notes:
- IBM HTTP Server 8.5.5.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.
- IBM HTTP Server 8.5.5.21 with interim fix PH50316 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.54.
| Security APAR | APAR | Description |
| ✓ | PH35771 | Multiple vulnerabilities in IBM HTTP Server (CVE-2020-13938, CVE-2021-30641) https://www.ibm.com/support/pages/node/6463587 |
| | PH31169 | Adjust SSL0200E with GSK_ERROR_PROTOCOL_MISMATCH |
| | PH31409 | Can't set SSLV3TIMEOUT with TLS13 |
| | PH32229 | Provide automatic graceful termination of processes reporting SSL0209E/SSL0212E/SSL0203E |
| | PH33679 | SSLClientAuth doesn't work with 'noverify' and 'crl' together |
| | PH34420 | Server fails to start when SSLCipherSpec 30 is set in httpd.conf |
| | PH35915 | Upgrade bundled GSKit security library to 8.0.55.21 |
| | PH36870 | Disable the TLS protocols TLSv10 and TLSv11 by default |
Notes:
- IBM HTTP Server 8.5.5.20 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.48.
- IBM HTTP Server 8.5.5.20 with interim fix PH40343 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.51.
- If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.
- IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since z/OS Ported Tools has been withdrawn from service. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.
Fix release date: 15 February 2021 Last modified: 15 February 2021 Status: Superseded
| Security APAR | APAR | Description |
| | PI82834 | Add a simple PCT alternative for IBM HTTP Server with Liberty |
| | PH27739 | SSL0401E during 'apachectl stop' |
| | PH27781 | Backport the GlobalLog directive to IHS 8.5.5 |
| | PH28389 | install_ihs fails when an alias is used for 'ls' |
| | PH29026 | setupadmn fails if existing target user is not specified in /etc/passwd. |
| | PH30270 | Allow SSL IOVEC merging to be disabled |
| | PH30598 | Support '-RSA' pseudo-cipher in SSLCipherSpec to remove ciphers with RSA key exchange. |
| | PH30795 | Delays with large PKCS11 key stores (GSKit upgrade to 8.0.55.19) |
| | PH30854 | Rewrite backreference escaping needs flexibility |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Note: IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.
Fix release date: 28 September 2020 Last modified: 28 September 2020 Status: Superseded
| Security APAR | APAR | Description |
| ✓ | PH21992 | Multiple vulnerabilities in IBM HTTP Server (CVE-2020-1927, CVE-2020-1934) https://www.ibm.com/support/pages/node/6191631 |
| | PH20970 | Improve Request header modification flexibility |
| | PH21717 | Relax hostname validation in IBM HTTP Server |
| | PH21804 | SSL0212E with TLS1.3 when SSLV3Timeout expires (GSKit upgrade only to 8.0.55.13) |
| | PH23551 | CGI error handling improvement |
| | PH23596 | bin/rotatelogs not shipped with program control |
| | PH24262 | postinst reports wrong port number |
| | PH24265 | Allow mpmstats to write to zOS system log |
| | PH24493 | SSL0209E with IHS 9.0.5.2 and later (GSKit upgrade only to 8.0.55.15) |
| | PH26048 | Add additional information to AH01220 for CGI script timeout |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.18 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Note: IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.
| Security APAR | APAR | Description |
| ✓ | PH14974 | Multiple vulnerabilities in IBM HTTP Server (CVE-2018-20843, CVE-2019-10092, CVE-2019-10098) https://www.ibm.com/support/pages/node/964768 |
| | PH13105 | Upgrade bundled GSKit security library |
| | PH14990 | Content-Encoding header not changed correctly by mod_deflate |
| | PH17056 | Request for dataset with encoded characters returns 404 when using SAFRunAsEarly (z/OS only) |
| | PH17652 | Truncated responses that fail with GSK_INVALID_BUFFER_SIZE in IBM HTTP Server |
| | PH19074 | Provide extended diagnostics for SSL0279E errors |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Note: IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.
Fix release date: 03 September 2019 Last modified: 03 September 2019 Status: Superseded IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue. | |
| Security APAR | APAR | Description |
| ✓ | PH09869 | Multiple vulnerabilities in IBM HTTP Server (CVE-2019-0211, CVE-2019-0220) https://www-01.ibm.com/support/docview.wss?uid=ibm10880413 |
| | PH05560 | Using multiple environment variables in a directive doesn't work |
| | PH05852 | Allow headers to be unset using regex |
| | PH07089 | Suppress parsing of $-prefixed variables in SSI (embeds). (z/OS only) |
| | PH07275 | Unable to change service description of an 'IBM HTTP Server' service on Windows |
| | PH07691 | IHS 8.5.5.14 replaces 64-bit Solaris binaries with 32-bit. |
| | PH10089 | install-ihs -group should make more directories group writeable |
| | PH10103 | Enable RLimitCPU on z/OS |
| | PH10382 | Enable TLSV1.2 under SSLFIPSEnable |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.16 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Fix release date: 04 March 2019 Last modified: 04 March 2019 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PH08053 / UI61402. | |
Note: This is the final z/OS PTF for IBM HTTP Server 8.5.5. IBM Ported Tools for z/OS was withdrawn from service on September 30, 2018, so there will be no more deliveries for it. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.
| Security APAR | APAR | Description |
| | PI98146 | Only create rewrite map lock if RewriteMaps are used |
| | PI98147 | Print unparsed URI in the 'URI incorrectly encoded' error message |
| | PI99032 | SSL alerts not showing in log messages |
| | PI99394 | Startup messages not switching to Errorlog (z/OS only) |
| | PI99567 | HTTPProtocolOptions improvements |
| | PI99685 | HTTPProtocolOptions=unsafe should allow a space in a header |
| | PH00889 | LeaveWorkUnit errors with mod_wlm (z/OS only) |
| | PH01222 | Timeout setting for OCSP on IBM HTTP Server |
| | PH01302 | Accept SHA2 cert chains in LDAP connections |
| | PH02746 | Add modern signature algorithms to SSLProxyEngine by default |
| | PH04673 | Remove 'http header X-pad' |
| | PH05008 | Accept SHA2 certs in mod_ibm_ldap |
| | PH05575 | Postinst logs unexpected message when failed to find an FQDN |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
| Fix release date: 20 August 2018 Last modified: 20 August 2018 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PH01159 / UI57810. | |
| Security APAR | APAR | Description |
| ✓ | PI90598 | CVE-2017-12613 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22013598 |
| ✓ | PI94222 | Multiple vulnerabilities in GSKit bundled with IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22015347 |
| ✓ | PI95670 | Multiple vulnerabilities in IBM HTTP Server (CVE-2017-15710, CVE-2017-15715, CVE-2018-1301) http://www-01.ibm.com/support/docview.wss?uid=swg22015344 |
| | PI91075 | Add environment variable to record "SSLVersion" failure |
| | PI91351 | Add toleration for TLS certificate extension InhibitAnyPolicy marked as non-critical |
| | PI91850 | MVSDS does not list member contents when using relative generation number to create a member list with PDS/PDSE GDG (z/OS only) |
| | PI91975 | The 'Header unset Content-Type' directive does not unset the Content-Type response header. |
| | PI92017 | Include CGI program name when writing stderr to the error log when using mod_cgi |
| | PI92053 | Let child processes avoid graceful shutdown if ECONNREFUSED, ECONNABORTED, ECONNRESET occur during client accept(). |
| | PI92092 | FSUM6245 seen when upgrading IHS to a new fix pack and using an intermediate symbolic link (z/OS only) |
| | PI92407 | Log startup message for low 64-bit MEMLIMIT |
| | PI93212 | Throttle SSL0600E error messages |
| | PI93624 | Increase default LDAPSharedCacheSize |
| | PI94050 | High CPU/Hang with IHS mod_auth_basic LDAP |
| | PI94539 | mod_proxy_http does not allow headers larger than 8K bytes. |
| | PI95610 | Namespace collision when mod_ibm_ssl.so is loaded alongside libodr.so. |
| | PI95964 | Add mod_cgi directive to allow users to configure timeouts for CGI applications. |
| | PI95983 | Allow Content-Type to be edited via the Header directive. |
| | PI96321 | Update embedded LDAP SDK to 6.4.x |
| | PI97314 | Add mod_backtrace for Windows |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.14 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
| Fix release date: 05 February 2018 Last modified: 05 February 2018 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI93091 / UI53558. | |
| Security APAR | APAR | Description |
| ✓ | PI82481 | CVE-2017-7679 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280 |
| ✓ | PI87445 | CVE-2017-9798 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
| ✓ | PI87663 | CVE-2017-12618 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
| | PI83257 | Reduce memory usage from long mod_rewrite configurations. |
| | PI83350 | Add jobname and job id to SMF 103 records for IBM HTTP Server (z/OS only) |
| | PI84868 | Disable the 3DES cipher by default in IBM HTTP Server. |
| | PI85478 | Disable symmetric offload by default when IHS is configured to use a crypto card. |
| | PI85561 | SSL Fallback Protection related errors with SSLProxyEngine ON |
| | PI85702 | SAFRunAs %%CERTIF%% asks for basic auth credentials |
| | PI85804 | Improve password failure error messages in authnz_saf |
| | PI88232 | Allow the server to handle requests with obsolete folds containing only spaces and/or tabs after PI73984. |
| | PI88356 | Default ciphers with SSLFIPSEnable are System SSL defaults instead of IHS defaults. |
| | PI88550 | Allow IHS instance on z/OS to swing to an alternate read-only directory. |
| | PI88553 | Print an error message that includes the errno and errno2 values if fail to find a specified saf-group. |
| | PI90141 | IBM HTTP Server may hang at startup on z/Linux running on z14 hardware - upgrade GSKit to 8.0.50.84 |
| | PI90834 | abendoc4 in apr_pstrcat using saf-change-pw handler (z/OS only) |
Note: IBM HTTP Server 8.5.5.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
| Fix release date: 21 July 2017 Last modified: 21 July 2017 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI84253 / UI48698. | |
| Security APAR | APAR | Description |
| ✓ | PI73984 | CVE-2016-8743 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg21996847 |
| ✓ | PI82260 | CVE-2017-3167 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280 |
| ✓ | PI82263 | CVE-2017-7668 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280 |
| | PI69182 | IBM HTTP Server SSL cipher defaults may be displayed incorrectly on z/OS |
| | PI70947 | Newlines are consumed when an MVSDS dataset's content type is not set to text/* or application/x-javascript. |
| | PI72027 | IHS rewrite rule on IPV6 does not redirect correctly. |
| | PI72350 | Fix potential crash in mod_mem_cache in IHS 8.5 and earlier. |
| | PI72989 | Hangs related to mod_backtrace and mod_whatkilledus during a crash. |
| | PI73027 | Crash with combination of mod_net_trace loaded and 'EnableSendfile ON' in httpd.conf. |
| | PI73043 | Upgrade bundled GSKit security library |
| | PI73661 | Session ID Daemon (sidd) memory leak |
| | PI73819 | Allow an extended syntax for the SSLCipherSpec directive on z/OS (z/OS only) |
| | PI74119 | Delayed closure of keepalive connections during graceful process termination on z/OS. (z/OS only) |
| | PI74200 | Connection resets under heavy load when connecting to IHS on z/OS. (z/OS only) |
| | PI75341 | /server-status doesn't display client IP until first request is read |
| | PI76757 | Allow SSL handshake transcripts to be enabled or disabled |
| | PI76874 | Further enhancements to PI50937 high cpu avoidance |
| | PI76918 | 'Permission denied' errors after maintenance upgrade of IBM HTTP Server on z/OS (z/OS only) |
| | PI77304 | VersionInfo shows Java 6 after install of IBM HTTP Server 8.5.5.11 with Java 8.0 |
| | PI78442 | Some sequences of server-side includes mixing '#include virtual=' and '#include file=' result in an HTTP 400 error. |
| | PI78767 | HttpProtocolOptions does not get merged from global to virtualhost scope in 8.5 and earlier. |
| | PI78967 | Allow CEEDUMPS to be requested with kill -USR2 (z/OS only) |
| | PI80187 | Redirect functionality not working as expected for MVSDS requests (z/OS only) |
| | PI80356 | Upgrade bundled GSKit security library |
| | PI80447 | Disable MMAP for static files by default on z/OS (z/OS only) |
| | PI81360 | Allow SSL_/TLS_ prefixes to be used interchangeably for cipher long names |
| | PI81589 | Use ECDHE_RSA ciphers by default under TLS1.2 in IBM HTTP Server 8.0 and 8.5 |
| | PI81602 | Issues with updating SAF password when using Firefox or Chrome (z/OS only) |
Note: IBM HTTP Server 8.5.5.12 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.32, plus some of the security fixes from 2.2.33.
| Fix release date: 23 December 2016 Last modified: 23 December 2016 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI73335 / UI43131. | |
| Security APAR | APAR | Description |
| ✓ | PI65855 | CVE-2016-5387 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988019 |
| ✓ | PI66849 | CVE-2012-0876, CVE-2012-1148, CVE-2016-4472 expat vulnerability fixes for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026 |
| | PI66153 | XML datasets with no XML extension cause error under mod_mvsds (z/OS only) |
| | PI66183 | When MFA is configured, SAFRunAs fails with a permission error (z/OS only) |
| | PI66695 | mod_reqtimeout can cause 'java.io.IOException: Async IO operation failed' |
| | PI66787 | Session cache daemon (sidd) memory leak |
| | PI66931 | Upgrade bundled GSKit security library to resolve TLS > 1.2 negotiation intolerance. |
| | PI67595 | AuthSAFExpiration and AuthSAFReenter do not work when using a 401 errordocument (z/OS only) |
| | PI68001 | Add ability for the MVS stop command to do a graceful shutdown of the server (z/OS only) |
| | PI68803 | IHS on z/OS CPU usage increases in release 8.5.5.5 or beyond (z/OS only) |
| | PI70024 | Lower message severity to Info for cache return error when connection is aborted for the IBM HTTP Server error logging |
| | PI70372 | mod_mvsds serves a plain text file as an html page if it contains any string starting with a '<' and ending with a '>'. |
| | PI70496 | Startup failures when 'SSLEnable' is specified globally instead of within a VirtualHost. |
| | PI70829 | Provide additional message information for IBM HTTP Server TLS handshakes |
| | PI71340 | Update ikeyman/gskcmd wrappers for IBM HTTP Server 8.5.5 and 9.0 with embedded Java 8. |
Note: IBM HTTP Server 8.5.5.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
| Fix release date: 15 August 2016 Last modified: 15 August 2016 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI66501 / UI39727. | |
| Security APAR | APAR | Description |
| ✓ | PI63098 | CVE-2016-0718 for IBM HTTP Server (Distributed only) http://www-01.ibm.com/support/docview.wss?&uid=swg21988026 |
| | PI53754 | Using MVSDS to retrieve a GDG(0) always returns the same file, even after a new generation is created. (z/OS only) |
| | PI54415 | Requests with CONTENT-LENGTH: 0 and any LimitRequestBody may result in a 413 error |
| | PI54757 | Delay allocating an IHS thread until data is available on a new inbound TCP connection. |
| | PI54808 | RewriteRule sees un-decoded characters in URL when mod_authnz_saf loaded (z/OS only) |
| | PI56034 | No equivalent functionality for DGW ALWAYSWELCOME directive in IHS on z/OS. |
| | PI57543 | Allow one address space per rotatelogs process to be conserved. (z/OS only) |
| | PI57596 | CRIHS0001I may contain garbage information or not pick up HTTPS port. (z/OS only) |
| | PI57657 | INSTCONFPARTIALSUCCESS when the IBM HTTP Server installer cannot determine a local hostname. |
| | PI58218 | IBM HTTP Server 'mod_cache' fixes. |
| | PI59374 | Certificate expiration reporting for IBM HTTP Server. |
| | PI59561 | Add pre/post password hooks to mod_authnz_saf. (z/OS only) |
| | PI60207 | Upgrade bundled GSKit security library to 8.0.50.61 (Distributed only) |
| | PI60251 | mod_mvsds writes content as binary instead of text/plain. (z/OS only) |
| | PI60784 | IBM HTTP Server directives SSLCipherBan and SSLCipherRequire may crash when GSKit tracing is enabled. (Distributed only) |
| | PI62663 | Some Server Side Includes (SSI) may not be translated as expected (z/OS only) |
| | PI63482 | Add a private header with password change information for 401 response. |
| | PI63682 | IHS mod_status displays many 'NULL' strings in request column. |
| | PI64346 | SetEnvIf may be skipped with SAF auth enabled (z/OS only) |
| | PI64628 | IBM HTTP Server on Z/OS is deleting the wrong IPC message queue (z/OS only) |
Note: IBM HTTP Server 8.5.5.10 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
| Fix release date: 18 March 2016 Last modified: 18 March 2016 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI58575 / UI35897. | |
| Security APAR | APAR | Description |
| ✓ | PI52395 | CVE-2015-7420 for IBM HTTP Server (GSKit upgrade) http://www-01.ibm.com/support/docview.wss?uid=swg21974507 |
| ✓ | PI54962 | CVE-2016-0201 for IBM HTTP Server (GSKit upgrade) http://www-01.ibm.com/support/docview.wss?uid=swg21974507 |
| | PI40885 | The 'SAFRunAs' directive implicitly requires access to the "OMVSAPPL" class in some RACF configurations (z/OS only) {The initial fix was in 8.5.5.7, but was not effective until additional updates in this fixpack.} |
| | PI47828 | IBM HTTP Server on z/OS fails to start with CC=0137 and ABENDU4093 RC00000281 (z/OS only) |
| | PI48695 | DGW compatibility for CGI query strings and syntax in server-side includes. (z/OS only) |
| | PI49165 | Add new request time logging formats |
| | PI49473 | IBM HTTP Server mod_filter is unable to process pages with error response codes returned from WebSphere Plugin |
| | PI49718 | Improve error_log reporting for 'SSLProxyEngine' handshake errors |
| | PI49791 | Add the IfFile directive to allow processing directives based on file existence. |
| | PI50376 | DGW compatibility for DOCUMENT_* CGI variables. (z/OS only) |
| | PI50397 | No error log entries for 'SAFRunAs %%CERTIF_REQ%%' failures. (z/OS only) |
| | PI50514 | SSL session ID cache daemon (SIDD) creates unnecessary entries |
| | PI50937 | Alleviate looping between SSL and GSKit (IBM Global Security Kit) |
| | PI51185 | Enhancements allowing use of SAFRunAsEarly for certificate switching |
| | PI52299 | TLS_FALLBACK_SCSV support for IBM HTTP Server |
Note: IBM HTTP Server 8.5.5.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
| Fix release date: 11 December 2015 Last modified: 11 December 2015 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI52859 / UI33171. | |
| Security APAR | APAR | Description |
| | PI45005 | Use of SAFRunAs %%CLIENT%% can result in ICH408I messages to be issued against the HTTP Server userid |
| | PI45562 | Add a message to indicate the IBM HTTP Server is ready |
| | PI45740 | Encoding error on RewriteRule |
| | PI46559 | The setupadm script on Linux fails to use an existing group without the -create parameter |
| | PI46616 | Allow RewriteRule to use colon (':') in header names and values |
| | PI46868 | REXX CGI'S may display as text in the browser |
| | PI47198 | IHS caching partial response for chunked responses |
| | PI47605 | Support -t -DDUMP_SSL_CONFIG and -t -DDUMP_SSL_CIPHERS on Microsoft Windows |
| | PI47642 | Honor a global LogLevel specified after a virtual host definition that does not explicitly set LogLevel |
Note: IBM HTTP Server 8.5.5.8 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
| Fix release date: 11 September 2015 Last modified: 11 September 2015 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI47832 / UI30752. | |
| Security APAR | APAR | Description |
| ✓ | PI39833 | CVE-2015-1829 for IBM HTTP Server on Windows http://www-01.ibm.com/support/docview.wss?uid=swg21959081 |
| ✓ | PI42928 | CVE-2015-3183 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21963361 |
| ✓ | PI44793 | CVE-2015-4947 for IBM HTTP Server Administration Server http://www-01.ibm.com/support/docview.wss?uid=swg21965419 |
| ✓ | PI44809 | CVE-2015-1788 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21963362 |
| ✓ | PI45596 | CVE-2015-1283 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21964428 |
| | PI38322 | Allow mod_cache to ignore an 'Authorization' HTTP request header |
| | PI38562 | CGI resources are briefly unavailable just after a restart |
| | PI38828 | Enable unified config dump |
| | PI38835 | IBM HTTP Server cannot log time-to-first-byte (TTFB) |
| | PI39439 | DGW-style SSL environment variables are not set |
| | PI40952 | Preserve quoting in SSLServerCert directive |
Note: IBM HTTP Server 8.5.5.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
| Fix release date: 26 June 2015 Last modified: 26 June 2015 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI43067 / UI28569. | |
| Security APAR | APAR | Description |
| ✓ | PI36417 | CVE-2015-0138 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21698959 |
| ✓ | PI34229 | Disable RC4-based TLS ciphers by default in IBM HTTP Server. http://www-01.ibm.com/support/docview.wss?uid=swg21701072 |
| | PI32452 | Userid on 'require saf-user' statement doesn't work when specified as lower case (z/OS only) |
| | PI32841 | Some cipher names and keysizes are not logged when using %(SSL_CIPHER)e in LogFormat for access log. |
| | PI33039 | EDC5170I error happens when running CGI script in Apache server with WLM enabled on z/OS |
| | PI33527 | SSLOCSPEnable directive always enables OCSP (Online Certificate Status Protocol) even if value is 'OFF'. |
| | PI34017 | HTTP error 413 on static files results in a duplicate error message. |
| | PI35073 | IBM HTTP Server always supplies its own HTTP 'DATE' header to responses generated by the WebSphere webserver plug-in. |
| | PI35219 | ABEND0C1 when running install_ihs on z/OS |
| | PI35519 | cgiparse incorrectly handles POST request bodies on z/OS |
| | PI39284 | Error continues to appear in HAPALLO2 JCL after PI25264 (z/OS only) |
Note: IBM HTTP Server 8.5.5.6 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
| Fix release date: 13 March 2015 Last modified: 13 March 2015 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI36674 / UI25968. | |
| Security APAR | APAR | Description |
| ✓ | PI31516 | CVE-2014-8730: Enable strict CBC padding checks on TLS connections http://www-01.ibm.com/support/docview.wss?&uid=swg21697368 |
| PI28735 | ErrorDocument redirection for status code 414 (Request URI too long) does not work | |
| PI30041 | mod_deflate_z gives no indication if hardware offload was used (z/OS only) | |
| PI30093 | Allow SSLProtocolDisable, SSLProtocolEnable, and SSLAttributeSet in the IBM HTTP Server configuration global | |
| PI30323 | Add support for dual-mode ECDSA/RSA SSL virtual hosts | |
| PI31566 | Allow IBM HTTP Server RLimit* directives to reduce hard limits | |
| PI31802 | APR_POLLSET_ADD failure - ERRNO2=0X76650000 (z/OS only) |
Note: IBM HTTP Server 8.5.5.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
| Fix release date: 08 December 2014 Last modified: 08 December 2014 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI30622 / UI23545. | |
| Security APAR | APAR | Description |
| ✓ | PI22070 | Multiple Apache web server vulnerabilities: CVE-2014-0118 (mod_deflate), CVE-2014-0226 (mod_status), CVE-2014-0231 (mod_cgid), CVE-2013-5704 (core) http://www-01.ibm.com/support/docview.wss?&uid=swg21690185 |
| ✓ | PI27904 | IBM HTTP Server should disable weak SSL protocols and ciphers by default |
| PI19013 | Missing version.signature file after the installation of Apache HTTP Server -FMID HHAP85P (z/OS only) | |
| PI19580 | mod_reqtimeout: Potential for unexpected timeouts in IBM HTTP Server 8.5.5 on z/OS when using RequestReadTimeout (z/OS only) | |
| PI19581 | IBM HTTP Server modules specified without a path don't load | |
| PI21655 | mod_mvsds: 404 returned when attempting to browse a member of a PDS dataset using MVSDS (z/OS only) | |
| PI23005 | Allow logging of time taken during SSL handshake | |
| PI24257 | 'Header edit* ...' directive not accepted by IBM HTTP Server | |
| PI24424 | Add support for zEnterprise Data Compression (zEDC) offload for IBM HTTP Server. (z/OS only) | |
| PI24782 | mod_smf module only writes smf type 103 subtype 14 records when debug is turned on. (z/OS only) | |
| PI24990 | Add mpmstats info to console. (z/OS only) | |
| PI25124 | Install of PTF UI20159 does not update product files 14/09/19 PTF PECHANGE (z/OS only) | |
| PI25264 | Error appears in HAPALLO2 JCL (z/OS only) | |
| PI25783 | Fatal getpwuid() error at IBM HTTP Server startup (z/OS only) | |
| PI26507 | mod_proxy on z/OS doesn't try IPV4 addresses on systems where IPV6 connections fail (z/OS only) | |
| PI26894 | Increase security libraries to resolve high CPU loop on 64bit Microsoft Windows (GSKit upgrade to 8.0.50.34) |
Note: IBM HTTP Server 8.5.5.4 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
| Fix release date: 18 August 2014 Last modified: 18 August 2014 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI21538 / UI20159. | |
| Security APAR | APAR | Description |
| ✓ | PI13028 | CVE-2014-0098: mod_log_config - Potential denial of service vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21681249 |
| ✓ | PI17025 | CVE-2014-0963: IBM HTTP Server high CPU utilization with SSL (includes GSKit upgrade) http://www-01.ibm.com/support/docview.wss?&uid=swg21681249 |
| ✓ | PI19700 | CVE-2014-0076: Local side-channel attack on ECDSA (GSKit upgrade) http://www-01.ibm.com/support/docview.wss?&uid=swg21681249 |
| PI13422 | Memory leak in GSKit 8.0.50 (GSKit upgrade) | |
| PI13949 | MVSDS request does not release shared ENQ (z/OS only) | |
| PI14451 | IHS with SSLFIPSENABLE reports error code 53817451 at startup (z/OS only) | |
| PI15344 | IBM HTTP Server caching issues | |
| PI16599 | Authentication failure gives LDAP error for non-LDAP configurations | |
| PI17434 | SSLCACHE may fail due to SSLCACHEPORTFILENAME value being in use (z/OS only) |
Note: IBM HTTP Server 8.5.5.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.27.
| Fix release date: 28 April 2014 Last modified: 28 April 2014 Status: Superseded This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI15962 / UI17041. | |
| Security APAR | APAR | Description |
| ✓ | PI05309 | CVE-2013-6329: SSL session resumption vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21669554 |
| ✓ | PI09345 | CVE-2013-6438: Potential Denial of Service in mod_dav for IBM HTTP Server. http://www-01.ibm.com/support/docview.wss?&uid=swg21669554 |
| ✓ | PI09443 | CVE-2013-6747: GSKit Certificate Chain Vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21669554 |
| PM94008 | Timed-out ldap bind and search failures on reused connections are not retried. | |
| PM94143 | Use of SAFRunAs results in ICH408I messages to be issued against the HTTP Server userid (z/OS only) | |
| PM94602 | ProxyRemote fails to work with SSL requests | |
| PM96039 | AcceptEx disablement notice should not appear in Microsoft Windows Event Viewer | |
| PM97650 | IBM HTTP Server does not send SIGTERM to fastCGI application | |
| PI04922 | IBM HTTP Server scaling/processing threads limited on 64-bit Microsoft Windows. | |
| PI06366 | IBM HTTP Server thread creation failures when scaling up from default configuration on RHEL6 | |
| PI07665 | IBM HTTP server 8.5 (Apache) on z/OS needs support of cgiparse and cgiutils from IHS 5.3 Domino Go Web Server. | |
| PI08502 | Potential heap corruption under load for IBM HTTP Server with SSL enabled. (GSKit upgrade). | |
| PI08715 | Potential mod_proxy crashes under load | |
| PI09344 | Missing version.signature file for 31-bit IBM HTTP Server on z/OS breaks 8.5.5 post-update process. |
Note: IBM HTTP Server 8.5.5.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.26.
| Fix release date: 11 November 2013 Last modified: 11 November 2013 Status: Superseded | |
| Security APAR | APAR | Description |
| ✓ | PM87808 | CVE-2013-1862: mod_rewrite vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21651880 |
| ✓ | PM89996 | CVE-2013-1896: mod_dav vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21651880 |
| PM84215 | mod_mpmstats may report incorrect values during startup or shutdown | |
| PM87247 | Additional certificate attributes are needed as fields accessible to the SSLClientAuthRequire directive | |
| PM89422 | IHS WebDAV requests slow on Windows | |
| PM91704 | Add mod_smf module for IBM HTTP Server (z/OS only) | |
| PM92105 | wlm enclave support fails on a child process without a unique job name (z/OS only) |
Note: IBM HTTP Server 8.5.5.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.25.
| Fix release date: 14 June 2013 Last modified: 14 June 2013 Status: Superseded | |
| Security APAR | APAR | Description |
| ✓ | PM85211 | CVE-2013-0169: TLS Vulnerability (The fix upgrades the bundled GSKit security library) https://exchange.xforce.ibmcloud.com/vulnerabilities/81902 |
Note: IBM HTTP Server 8.5.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.
| Fix release date: 15 April 2013 Last modified: 15 April 2013 Status: Superseded | |
| Security APAR | APAR | Description |
| ✓ | PM76110 | CVE-2012-4557: mod_proxy_ajp incorrectly marks backend WAS CE server down |
| ✓ | PM80058 | CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules https://exchange.xforce.ibmcloud.com/vulnerabilities/82359 https://exchange.xforce.ibmcloud.com/vulnerabilities/82360 |
| PM68347 | Z/OS IHS config for versions before 8.5 may not migrate as expected to 8.5 | |
| PM69188 | Installation of IBM HTTP Server V8.5 completes with a warning. Failure occurs because the system's hostname is not set. | |
| PM70591 | IHS on Microsoft Windows startup failure with SSLv3Timeout or SSLv2Timeout in vhost: 'master_main: create child process failed.' | |
| PM70994 | SSLFakeBasicAuth depends on LoadModule order | |
| PM71102 | <Location> settings don't affect some mod_negotiation generated content | |
| PM73304 | Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server | |
| PM75876 | The 'Header' directive can't set a header only if the header is absent, even when using 'EDIT' mode or relying on other modules. | |
| PM77980 | IBM HTTP Server should not add the Server: header by default | |
| PM78087 | IBM HTTP Server high memory use when many hundreds of RewriteCond %{REQUEST_URI} | |
| PM78144 | IBM HTTP Server large logformats cannot be correctly logged by piped loggers | |
| PM78434 | Provide end-to-end timeouts for SSL handshakes | |
| PM79015 | mod_disk_cache on Windows gives error: '(OS 5) Access is denied: disk_cache: Rename tempfile to datafile failed' | |
| PM80235 | NIST SP800-131a support for IBM HTTP Server | |
| PM80260 | apr_pollset_add failure -errno2=0X11780494, or growing CPU usage on the listener thread in IHS child processes (z/OS only) |
Note: IBM HTTP Server 8.5.0.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.
| Fix release date: 29 October 2012 Last modified: 29 October 2012 Status: Superseded | |
| Security APAR | APAR | Description |
| ✓ | PM66218 | Upgrade bundled GSKit security library http://www-01.ibm.com/support/docview.wss?&uid=swg21614265 |
| ✓ | PM66470 | CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site. |
| ✓ | PM72915 | TLS compression should be disabled by default in IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21611881 |
| PM62011 | mod_log_config: The wrong cookie can be logged | |
| PM63634 | admin.passwd file was reset after installing fixpack | |
| PM68007 | Non-root IBM HTTP Server install fails if primary group has no name | |
| PM71612 | Additional non-serviceable files added for IBM HTTP Server |
Note: IBM HTTP Server 8.5.0.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.
Document Information
Modified date: 15 December 2025
UID: swg27036410