Fix list for IBM HTTP Server Version 8.5

Abstract

IBM HTTP Server provides periodic fixes for release 8.5. The following is a complete listing of fixes, with the most recent fix at the top.

Content

Fix release date: 25 July 2022
Last modified: 25 July 2022
Status: Recommended

Download Fix Pack 22
 
Security APAR APAR Description
PH43122 Multiple vulnerabilities in IBM HTTP Server (CVE-2022-23852 CVSS 9.8 and more)
PH44271 Multiple vulnerabilities in IBM HTTP Server (CVE-2022-25313, CVE-2022-25315, CVE-2022-25235, CVE-2022-25236)
PH44829 Multiple vulnerabilities in IBM HTTP Server (CVE-2022-22720, CVE-2022-22719, CVE-2022-22721)
PH43696 With SSLFIPSEnable and SSLProxyEngine enabled, handshakes may fail with GSK_ERROR_UNSUPPORTED.
PH44114 IHS may appear to hang if MaxRequestsPerChild is non-zero, because a replacement process will not be launched.
PH44330 IBM HTTP Server has unnecessary APF authorization on binary files.
PH46094 Provide option to increase logging level of TrackHooksOptions logslow.


Notes:

  • IBM HTTP Server 8.5.5.22 with interim fix PH50316 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.54.

Fix release date: 14 February 2022
Last modified: 21 February 2022
Status: Superseded

Download Fix Pack 21

Security APAR APAR Description
PH40343 Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server
PH22727 Keepalive connections may be closed up to 100ms early
PH37899 Enhance mod_whatkilledus to print backtraces
PH38515 z/OS: ErrorDocuments that specify literal strings were not translated correctly from EBCDIC to ASCII
PH39660 z/OS: IHS may crash at startup in the sigaction() system call 
PH40832 Upgrade GSKit to 8.0.55.25
PH41075 z/OS: When the IHS parent process crashes, the started task ends but other child processes are not automatically terminated
PH41413 z/OS: Recover from a stale logs/httpd.pid file
PH41891 Backport rotatelogs improvements from 9.0/2.4
PH42030 IHS may crash in the sidDelete function
PH42072 Potential crash with LDAP: set_parent_child_pointers


Notes:

  • IBM HTTP Server 8.5.5.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.
  • IBM HTTP Server 8.5.5.21 with interim fix PH50316 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.54.

Fix release date: 26 July 2021
Last modified: 26 July 2021
Status: Superseded

Download Fix Pack 20

Security APAR APAR Description
PH35771 Multiple vulnerabilities in IBM HTTP Server (CVE-2020-13938, CVE-2021-30641)
https://www.ibm.com/support/pages/node/6463587
PH31169 Adjust SSL0200E with GSK_ERROR_PROTOCOL_MISMATCH
PH31409 Can't set SSLV3TIMEOUT with TLS13
PH32229 Provide automatic graceful termination of processes reporting SSL0209E/SSL0212E/SSL0203E
PH33679 SSLClientAuth doesn't work with 'noverify' and 'crl' together
PH34420 Server fails to start when SSLCipherSpec 30 is set in httpd.conf
PH35915 Upgrade bundled GSKit security library to 8.0.55.21
PH36870 Disable the TLS protocols TLSv10 and TLSv11 by default


Notes:

  • IBM HTTP Server 8.5.5.20 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.48
  • IBM HTTP Server 8.5.5.20 with interim fix PH40343 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.51.
  • If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.
  • IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since z/OS Ported Tools has been withdrawn from service. 
    Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.

Fix release date: 15 February 2021
Last modified: 15 February 2021
Status: Superseded

Download Fix Pack 19

Security APAR APAR Description
PI82834 Add a simple PCT alternative for IBM HTTP Server with Liberty
PH27739 SSL0401E during 'apachectl stop'
PH27781 Backport the GlobalLog directive to IHS 8.5.5
PH28389 install_ihs fails when an alias is used for 'ls'
PH29026 setupadmn fails if existing target user is not specified in /etc/passwd.
PH30270 Allow SSL IOVEC merging to be disabled
PH30598 Support '-RSA' pseudo-cipher in SSLCipherSpec to remove ciphers with RSA key exchange.
PH30795 Delays with large PKCS11 key stores (GSKit upgrade to 8.0.55.19)
PH30854 Rewrite backreference escaping needs flexibility


Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Note: IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service.  Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.

Fix release date: 28 September 2020
Last modified: 28 September 2020
Status: Superseded

Download Fix Pack 18
 

Security APAR APAR Description
PH21992 Multiple vulnerabilities in IBM HTTP Server (CVE-2020-1927, CVE-2020-1934)
https://www.ibm.com/support/pages/node/6191631
PH20970 Improve Request header modification flexibility
PH21717 Relax hostname validation in IBM HTTP Server
PH21804 SSL0212E with TLS1.3 when SSLV3Timeout expires  (GSKit upgrade only to 8.0.55.13)
PH23551 CGI error handling improvement
PH23596 bin/rotatelogs not shipped with program control
PH24262 postinst reports wrong port number
PH24265 Allow mpmstats to write to z/OS system log
PH24493 SSL0209E with IHS 9.0.5.2 and later  (GSKit upgrade only to 8.0.55.15)
PH26048 Add additional information to AH01220 for CGI script timeout


Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.18 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Note: IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service.  Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.

Fix release date: 09 March 2020
Last modified: 09 March 2020
Status: Superseded

Download Fix Pack 17

Security APAR APAR Description
PH14974 Multiple vulnerabilities in IBM HTTP Server (CVE-2018-20843, CVE-2019-10092, CVE-2019-10098)
https://www.ibm.com/support/pages/node/964768
PH13105 Upgrade bundled GSKit security library
PH14990 Content-Encoding header not changed correctly by mod_deflate
PH17056 Request for dataset with encoded characters returns 404 when using SAFRunAsEarly (z/OS only)
PH17652 Truncated responses that fail with GSK_INVALID_BUFFER_SIZE in IBM HTTP Server
PH19074 Provide extended diagnostics for SSL0279E errors


Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Note: IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service.  Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.

Fix release date: 03 September 2019
Last modified: 03 September 2019
Status: Superseded

Download Fix Pack 16

IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service.  Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.

Security APAR APAR Description
PH09869 Multiple vulnerabilities in IBM HTTP Server (CVE-2019-0211, CVE-2019-0220)
https://www-01.ibm.com/support/docview.wss?uid=ibm10880413
PH05560 Using multiple environment variables in a directive doesn't work
PH05852 Allow headers to be unset using regex
PH07089 Suppress parsing of $-prefixed variables in SSI (embeds).  (z/OS only)
PH07275 Unable to change service description of an 'IBM HTTP Server' service on Windows
PH07691 IHS 8.5.5.14 replaces 64-bit Solaris binaries with 32-bit.
PH10089 install-ihs -group should make more directories group writeable
PH10103 Enable RLimitCPU on z/OS
PH10382 Enable TLSV1.2 under SSLFIPSEnable


Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.16 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix release date: 04 March 2019
Last modified: 04 March 2019
Status: Superseded

Download Fix Pack 15

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PH08053 / UI61402.

Note: This is the final z/OS PTF for IBM HTTP Server 8.5.5.  IBM Ported Tools for z/OS was withdrawn from service on September 30, 2018, so there will be no more deliveries for it.  Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.

Security APAR APAR Description
PI98146 Only create rewrite map lock if RewriteMaps are used
PI98147 Print unparsed URI in the 'URI incorrectly encoded' error message
PI99032 SSL alerts not showing in log messages
PI99394 Startup messages not switching to Errorlog (z/OS only)
PI99567 HTTPProtocolOptions improvements
PI99685 HTTPProtocolOptions=unsafe should allow a space in a header
PH00889 LeaveWorkUnit errors with mod_wlm (z/OS only)
PH01222 Timeout setting for OCSP on IBM HTTP Server
PH01302 Accept SHA2 cert chains in LDAP connections
PH02746 Add modern signature algorithms to SSLProxyEngine by default
PH04673 Remove 'http header X-pad'
PH05008 Accept SHA2 certs in mod_ibm_ldap
PH05575 Postinst logs unexpected message when it fails to find an FQDN


Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix release date: 20 August 2018
Last modified: 20 August 2018
Status: Superseded

Download Fix Pack 14

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PH01159 / UI57810.

Security APAR APAR Description
PI90598 CVE-2017-12613 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg22013598
PI94222 Multiple vulnerabilities in GSKit bundled with IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg22015347
PI95670 Multiple vulnerabilities in IBM HTTP Server (CVE-2017-15710, CVE-2017-15715, CVE-2018-1301)
http://www-01.ibm.com/support/docview.wss?uid=swg22015344
PI91075 Add environment variable to record "SSLVersion" failure
PI91351 Add toleration for TLS certificate extension InhibitAnyPolicy marked as non-critical
PI91850 MVSDS does not list member contents when using relative generation number to create a member list with PDS/PDSE GDG (z/OS only)
PI91975 The 'Header unset Content-Type' directive does not unset the Content-Type response header.
PI92017 Include CGI program name when writing stderr to the error log when using mod_cgi
PI92053 Let child processes avoid graceful shutdown if ECONNREFUSED, ECONNABORTED, ECONNRESET occur during client accept().
PI92092 FSUM6245 seen when upgrading IHS to a new fix pack and using an intermediate symbolic link (z/OS only)
PI92407 Log startup message for low 64-bit MEMLIMIT
PI93212 Throttle SSL0600E error messages
PI93624 Increase default LDAPSharedCacheSize
PI94050 High CPU/Hang with IHS mod_auth_basic LDAP
PI94539 mod_proxy_http does not allow headers larger than 8K bytes.
PI95610 Namespace collision when mod_ibm_ssl.so is loaded alongside libodr.so.
PI95964 Add mod_cgi directive to allow users to configure timeouts for CGI applications.
PI95983 Allow Content-Type to be edited via the Header directive.
PI96321 Update embedded LDAP SDK to 6.4.x
PI97314 Add mod_backtrace for Windows


Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.14 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix release date: 05 February 2018
Last modified: 05 February 2018
Status: Superseded

Download Fix Pack 13

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI93091 / UI53558.

Security APAR APAR Description
PI82481 CVE-2017-7679 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg22005280
PI87445 CVE-2017-9798 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg22009782
PI87663 CVE-2017-12618 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg22009782
PI83257 Reduce memory usage from long mod_rewrite configurations.
PI83350 Add jobname and job id to SMF 103 records for IBM HTTP Server (z/OS only)
PI84868 Disable the 3DES cipher by default in IBM HTTP Server.
PI85478 Disable symmetric offload by default when IHS is configured to use a crypto card.
PI85561 SSL Fallback Protection related errors with SSLProxyEngine ON
PI85702 SAFRunAs %%CERTIF%% asks for basic auth credentials
PI85804 Improve password failure error messages in authnz_saf
PI88232 Allow the server to handle requests with obsolete folds containing only spaces and/or tabs after PI73984.
PI88356 Default ciphers with SSLFIPSEnable are System SSL defaults instead of IHS defaults.
PI88550 Allow IHS instance on z/OS to swing to an alternate read-only directory.
PI88553 Print an error message that includes the errno and errno2 values on failure to find a specified saf-group.
PI90141 IBM HTTP Server may hang at startup on z/Linux running on z14 hardware - upgrade GSKit to 8.0.50.84
PI90834 abendoc4 in apr_pstrcat using saf-change-pw handler (z/OS only)


Note: IBM HTTP Server 8.5.5.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix release date: 21 July 2017
Last modified: 21 July 2017
Status: Superseded

Download Fix Pack 12

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI84253 / UI48698.

Security APAR APAR Description
PI73984 CVE-2016-8743 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?&uid=swg21996847
PI82260 CVE-2017-3167 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?&uid=swg22005280
PI82263 CVE-2017-7668 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?&uid=swg22005280
PI69182 IBM HTTP Server SSL cipher defaults may be displayed incorrectly on z/OS
PI70947 Newlines are consumed when an MVSDS dataset's content type is not set to text/* or application/x-javascript.
PI72027 IHS rewrite rule on IPV6 does not redirect correctly.
PI72350 Fix potential crash in mod_mem_cache in IHS 8.5 and earlier.
PI72989 Hangs related to mod_backtrace and mod_whatkilledus during a crash.
PI73027 Crash with combination of mod_net_trace loaded and 'EnableSendfile ON' in httpd.conf.
PI73043 Upgrade bundled GSKit security library
PI73661 Session ID Daemon (sidd) memory leak
PI73819 Allow an extended syntax for the SSLCipherSpec directive on z/OS (z/OS only)
PI74119 Delayed closure of keepalive connections during graceful process termination on z/OS. (z/OS only)
PI74200 Connection resets under heavy load when connecting to IHS on z/OS. (z/OS only)
PI75341 /server-status doesn't display client IP until first request is read
PI76757 Allow SSL handshake transcripts to be enabled or disabled
PI76874 Further enhancements to PI50937 high cpu avoidance
PI76918 'Permission denied' errors after maintenance upgrade of IBM HTTP Server on z/OS (z/OS only)
PI77304 VersionInfo shows Java 6 after install of IBM HTTP Server 8.5.5.11 with Java 8.0
PI78442 Some sequences of server-side includes mixing '#include virtual=' and '#include file=' result in an HTTP 400 error.
PI78767 HttpProtocolOptions does not get merged from global to virtualhost scope in 8.5 and earlier.
PI78967 Allow CEEDUMPS to be requested with kill -USR2 (z/OS only)
PI80187 Redirect functionality not working as expected for MVSDS requests (z/OS only)
PI80356 Upgrade bundled GSKit security library
PI80447 Disable MMAP for static files by default on z/OS (z/OS only)
PI81360 Allow SSL_/TLS_ prefixes to be used interchangeably for cipher long names
PI81589 Use ECDHE_RSA ciphers by default under TLS1.2 in IBM HTTP Server 8.0 and 8.5
PI81602 Issues with updating SAF password when using Firefox or Chrome (z/OS only)


Note: IBM HTTP Server 8.5.5.12 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.32, plus some of the security fixes from 2.2.33.

Fix release date: 23 December 2016
Last modified: 23 December 2016
Status: Superseded

Download Fix Pack 11

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI73335 / UI43131.

Security APAR APAR Description
PI65855 CVE-2016-5387 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg21988019
PI66849 CVE-2012-0876, CVE-2012-1148, CVE-2016-4472: expat vulnerability fixes for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg21988026
PI66153 XML datasets with no XML extension cause error under mod_mvsds (z/OS only)
PI66183 When MFA is configured, SAFRunAs fails with a permission error (z/OS only)
PI66695 mod_reqtimeout can cause 'java.io.IOException: Async IO operation failed'
PI66787 Session cache daemon (sidd) memory leak
PI66931 Upgrade bundled GSKit security library to resolve TLS > 1.2 negotiation intolerance.
PI67595 AuthSAFExpiration and AuthSAFReenter do not work when using a 401 errordocument (z/OS only)
PI68001 Add ability for the MVS stop command to do a graceful shutdown of the server (z/OS only)
PI68803 IHS on z/OS CPU usage increases in release 8.5.5.5 or beyond (z/OS only)
PI70024 Lower message severity to Info for cache return error when connection is aborted for the IBM HTTP Server error logging
PI70372 mod_mvsds serves a plain text file as an html page if it contains any string starting with a '<' and ending with a '>'.
PI70496 Startup failures when 'SSLEnable' is specified globally instead of within a VirtualHost.
PI70829 Provide additional message information for IBM HTTP Server TLS handshakes
PI71340 Update ikeyman/gskcmd wrappers for IBM HTTP Server 8.5.5 and 9.0 with embedded Java 8.


Note: IBM HTTP Server 8.5.5.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix release date: 15 August 2016
Last modified: 15 August 2016
Status: Superseded

Download Fix Pack 10

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI66501 / UI39727.

Security APAR APAR Description
PI63098 CVE-2016-0718 for IBM HTTP Server (Distributed only)
http://www-01.ibm.com/support/docview.wss?&uid=swg21988026
PI53754 Using MVSDS to retrieve a GDG(0) always returns the same file, even after a new generation is created. (z/OS only)
PI54415 Requests with CONTENT-LENGTH: 0 and any LimitRequestBody may result in a 413 error
PI54757 Delay allocating an IHS thread until data is available on a new inbound TCP connection.
PI54808 RewriteRule sees un-decoded characters in URL when mod_authnz_saf loaded (z/OS only)
PI56034 No equivalent functionality for DGW ALWAYSWELCOME directive in IHS on z/OS.
PI57543 Allow one address space per rotatelogs process to be conserved. (z/OS only)
PI57596 CRIHS0001I may contain garbage information or not pick up HTTPS port. (z/OS only)
PI57657 INSTCONFPARTIALSUCCESS when the IBM HTTP Server installer cannot determine a local hostname.
PI58218 IBM HTTP Server 'mod_cache' fixes.
PI59374 Certificate expiration reporting for IBM HTTP Server.
PI59561 Add pre/post password hooks to mod_authnz_saf. (z/OS only)
PI60207 Upgrade bundled GSKit security library to 8.0.50.61 (Distributed only)
PI60251 mod_mvsds writes content as binary instead of text/plain. (z/OS only)
PI60784 IBM HTTP Server directives SSLCipherBan and SSLCipherRequire may crash when GSKit tracing is enabled. (Distributed only)
PI62663 Some Server Side Includes (SSI) may not be translated as expected (z/OS only)
PI63482 Add a private header with password change information for 401 response.
PI63682 IHS mod_status displays many 'NULL' strings in request column.
PI64346 SetEnvIf may be skipped with SAF auth enabled (z/OS only)
PI64628 IBM HTTP Server on z/OS is deleting the wrong IPC message queue (z/OS only)


Note: IBM HTTP Server 8.5.5.10 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix release date: 18 March 2016
Last modified: 18 March 2016
Status: Superseded

Download Fix Pack 9

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI58575 / UI35897.

Security APAR APAR Description
PI52395 CVE-2015-7420 for IBM HTTP Server (GSKit upgrade)
http://www-01.ibm.com/support/docview.wss?uid=swg21974507
PI54962 CVE-2016-0201 for IBM HTTP Server (GSKit upgrade)
http://www-01.ibm.com/support/docview.wss?uid=swg21974507
PI40885 The 'SAFRunAs' directive implicitly requires access to the "OMVSAPPL" class in some RACF configurations (z/OS only)
{The initial fix was in 8.5.5.7, but was not effective until additional updates in this fixpack.}
PI47828 IBM HTTP Server on z/OS fails to start with CC=0137 and ABENDU4093 RC00000281 (z/OS only)
PI48695 DGW compatibility for CGI query strings and syntax in server-side includes. (z/OS only)
PI49165 Add new request time logging formats
PI49473 IBM HTTP Server mod_filter is unable to process pages with error response codes returned from WebSphere Plugin
PI49718 Improve error_log reporting for 'SSLProxyEngine' handshake errors
PI49791 Add the IfFile directive to allow processing directives based on file existence.
PI50376 DGW compatibility for DOCUMENT_* CGI variables. (z/OS only)
PI50397 No error log entries for 'SAFRunAs %%CERTIF_REQ%%' failures. (z/OS only)
PI50514 SSL session ID cache daemon (SIDD) creates unnecessary entries
PI50937 Alleviate looping between SSL and GSKit (IBM Global Security Kit)
PI51185 Enhancements allowing use of SAFRunAsEarly for certificate switching
PI52299 TLS_FALLBACK_SCSV support for IBM HTTP Server


Note: IBM HTTP Server 8.5.5.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix release date: 11 December 2015
Last modified: 11 December 2015
Status: Superseded

Download Fix Pack 8

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI52859 / UI33171.

Security APAR APAR Description
PI45005 Use of SAFRunAs %%CLIENT%% can result in ICH408I messages being issued against the HTTP Server userid
PI45562 Add a message to indicate the IBM HTTP Server is ready
PI45740 Encoding error on RewriteRule
PI46559 The setupadm script on Linux fails to use an existing group without the -create parameter
PI46616 Allow RewriteRule to use colon (':') in header names and values
PI46868 REXX CGIs may display as text in the browser
PI47198 IHS caching partial response for chunked responses
PI47605 Support -t -DDUMP_SSL_CONFIG and -t -DDUMP_SSL_CIPHERS on Microsoft Windows
PI47642 Honor a global LogLevel specified after a virtual host definition that does not explicitly set LogLevel


Note: IBM HTTP Server 8.5.5.8 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix release date: 11 September 2015
Last modified: 11 September 2015
Status: Superseded

Download Fix Pack 7

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI47832 / UI30752.

Security APAR APAR Description
PI39833 CVE-2015-1829 for IBM HTTP Server on Windows
http://www-01.ibm.com/support/docview.wss?uid=swg21959081
PI42928 CVE-2015-3183 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg21963361
PI44793 CVE-2015-4947 for IBM HTTP Server Administration Server
http://www-01.ibm.com/support/docview.wss?uid=swg21965419
PI44809 CVE-2015-1788 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg21963362
PI45596 CVE-2015-1283 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg21964428
PI38322 Allow mod_cache to ignore an 'Authorization' HTTP request header
PI38562 CGI resources are briefly unavailable just after a restart
PI38828 Enable unified config dump
PI38835 IBM HTTP Server cannot log time-to-first-byte (TTFB)
PI39439 DGW-style SSL environment variables are not set
PI40952 Preserve quoting in SSLServerCert directive


Note: IBM HTTP Server 8.5.5.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix release date: 26 June 2015
Last modified: 26 June 2015
Status: Superseded

Download Fix Pack 6

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI43067 / UI28569.

Security APAR APAR Description
PI36417 CVE-2015-0138 for IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg21698959
PI34229 Disable RC4-based TLS ciphers by default in IBM HTTP Server.
http://www-01.ibm.com/support/docview.wss?uid=swg21701072
PI32452 Userid on 'require saf-user' statement doesn't work when specified as lower case (z/OS only)
PI32841 Some cipher names and keysizes are not logged when using %(SSL_CIPHER)e in LogFormat for access log.
PI33039 EDC5170I error happens when running CGI script in Apache server with WLM enabled on z/OS
PI33527 SSLOCSPEnable directive always enables OCSP (Online Certificate Status Protocol) even if value is 'OFF'.
PI34017 HTTP error 413 on static files results in a duplicate error message.
PI35073 IBM HTTP Server always supplies its own HTTP 'DATE' header to responses generated by the WebSphere webserver plug-in.
PI35219 ABEND0C1 when running install_ihs on z/OS
PI35519 cgiparse incorrectly handles POST request bodies on z/OS
PI39284 Error continues to appear in HAPALLO2 JCL after PI25264 (z/OS only)


Note: IBM HTTP Server 8.5.5.6 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.

Fix release date: 13 March 2015
Last modified: 13 March 2015
Status: Superseded

Download Fix Pack 5

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI36674 / UI25968.

Security APAR APAR Description
PI31516 CVE-2014-8730: Enable strict CBC padding checks on TLS connections
http://www-01.ibm.com/support/docview.wss?&uid=swg21697368
PI28735 ErrorDocument redirection for status code 414 (Request URI too long) does not work
PI30041 mod_deflate_z gives no indication if hardware offload was used (z/OS only)
PI30093 Allow SSLProtocolDisable, SSLProtocolEnable, and SSLAttributeSet in the IBM HTTP Server configuration global
PI30323 Add support for dual-mode ECDSA/RSA SSL virtual hosts
PI31566 Allow IBM HTTP Server RLimit* directives to reduce hard limits
PI31802 APR_POLLSET_ADD failure - ERRNO2=0X76650000 (z/OS only)


Note: IBM HTTP Server 8.5.5.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.

Fix release date: 08 December 2014
Last modified: 08 December 2014
Status: Superseded

Download Fix Pack 4

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI30622 / UI23545.

Security APAR APAR Description
PI22070 Multiple Apache web server vulnerabilities: CVE-2014-0118 (mod_deflate), CVE-2014-0226 (mod_status), CVE-2014-0231 (mod_cgid), CVE-2013-5704 (core)
http://www-01.ibm.com/support/docview.wss?&uid=swg21690185
PI27904 IBM HTTP Server should disable weak SSL protocols and ciphers by default
PI19013 Missing version.signature file after the installation of Apache HTTP Server -FMID HHAP85P (z/OS only)
PI19580 mod_reqtimeout: Potential for unexpected timeouts in IBM HTTP Server 8.5.5 on z/OS when using RequestReadTimeout (z/OS only)
PI19581 IBM HTTP Server modules specified without a path don't load
PI21655 mod_mvsds: 404 returned when attempting to browse a member of a PDS dataset using MVSDS (z/OS only)
PI23005 Allow logging of time taken during SSL handshake
PI24257 'Header edit* ...' directive not accepted by IBM HTTP Server
PI24424 Add support for zEnterprise Data Compression (zEDC) offload for IBM HTTP Server. (z/OS only)
PI24782 mod_smf module only writes smf type 103 subtype 14 records when debug is turned on. (z/OS only)
PI24990 Add mpmstats info to console. (z/OS only)
PI25124 Install of PTF UI20159 does not update product files 14/09/19 PTF PECHANGE (z/OS only)
PI25264 Error appears in HAPALLO2 JCL (z/OS only)
PI25783 Fatal getpwuid() error at IBM HTTP Server startup (z/OS only)
PI26507 mod_proxy on z/OS doesn't try IPV4 addresses on systems where IPV6 connections fail (z/OS only)
PI26894 Increase security libraries to resolve high CPU loop on 64bit Microsoft Windows (GSKit upgrade to 8.0.50.34)


Note: IBM HTTP Server 8.5.5.4 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.

Fix release date: 18 August 2014
Last modified: 18 August 2014
Status: Superseded

Download Fix Pack 3

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI21538 / UI20159.

Security APAR APAR Description
PI13028 CVE-2014-0098: mod_log_config - Potential denial of service vulnerability
http://www-01.ibm.com/support/docview.wss?&uid=swg21681249
PI17025 CVE-2014-0963: IBM HTTP Server high CPU utilization with SSL (includes GSKit upgrade)
http://www-01.ibm.com/support/docview.wss?&uid=swg21681249
PI19700 CVE-2014-0076: Local side-channel attack on ECDSA (GSKit upgrade)
http://www-01.ibm.com/support/docview.wss?&uid=swg21681249
PI13422 Memory leak in GSKit 8.0.50 (GSKit upgrade)
PI13949 MVSDS request does not release shared ENQ (z/OS only)
PI14451 IHS with SSLFIPSENABLE reports error code 53817451 at startup (z/OS only)
PI15344 IBM HTTP Server caching issues
PI16599 Authentication failure gives LDAP error for non-LDAP configurations
PI17434 SSLCACHE may fail due to SSLCACHEPORTFILENAME value being in use (z/OS only)


Note: IBM HTTP Server 8.5.5.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.27.

Fix release date: 28 April 2014
Last modified: 28 April 2014
Status: Superseded

Download Fix Pack 2

This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI15962 / UI17041.

Security APAR APAR Description
PI05309 CVE-2013-6329: SSL session resumption vulnerability. (GSKit upgrade).
http://www-01.ibm.com/support/docview.wss?&uid=swg21669554
PI09345 CVE-2013-6438: Potential Denial of Service in mod_dav for IBM HTTP Server.
http://www-01.ibm.com/support/docview.wss?&uid=swg21669554
PI09443 CVE-2013-6747: GSKit Certificate Chain Vulnerability. (GSKit upgrade).
http://www-01.ibm.com/support/docview.wss?&uid=swg21669554
PM94008 Timed-out ldap bind and search failures on reused connections are not retried.
PM94143 Use of SAFRunAs results in ICH408I messages being issued against the HTTP Server userid (z/OS only)
PM94602 ProxyRemote fails to work with SSL requests
PM96039 AcceptEx disablement notice should not appear in Microsoft Windows Event Viewer
PM97650 IBM HTTP Server does not send SIGTERM to fastCGI application
PI04922 IBM HTTP Server scaling/processing threads limited on 64-bit Microsoft Windows.
PI06366 IBM HTTP Server thread creation failures when scaling up from default configuration on RHEL6
PI07665 IBM HTTP Server 8.5 (Apache) on z/OS needs support of cgiparse and cgiutils from IHS 5.3 Domino Go Web Server.
PI08502 Potential heap corruption under load for IBM HTTP Server with SSL enabled. (GSKit upgrade).
PI08715 Potential mod_proxy crashes under load
PI09344 Missing version.signature file for 31-bit IBM HTTP Server on z/OS breaks 8.5.5 post-update process.


Note: IBM HTTP Server 8.5.5.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.26.

Fix release date: 11 November 2013
Last modified: 11 November 2013
Status: Superseded

Download Fix Pack 1

Security APAR APAR Description
PM87808 CVE-2013-1862: mod_rewrite vulnerability
http://www-01.ibm.com/support/docview.wss?&uid=swg21651880
PM89996 CVE-2013-1896: mod_dav vulnerability
http://www-01.ibm.com/support/docview.wss?&uid=swg21651880
PM84215 mod_mpmstats may report incorrect values during startup or shutdown
PM87247 Additional certificate attributes are needed as fields accessible to the SSLClientAuthRequire directive
PM89422 IHS WebDAV requests slow on Windows
PM91704 Add mod_smf module for IBM HTTP Server (z/OS only)
PM92105 wlm enclave support fails on a child process without a unique job name (z/OS only)


Note: IBM HTTP Server 8.5.5.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.25.

Fix release date: 14 June 2013
Last modified: 14 June 2013
Status: Superseded

Download Refresh Pack 8.5.5

Security APAR APAR Description
PM85211 CVE-2013-0169: TLS Vulnerability (The fix upgrades the bundled GSKit security library)
https://exchange.xforce.ibmcloud.com/vulnerabilities/81902


Note: IBM HTTP Server 8.5.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.

Fix release date: 15 April 2013
Last modified: 15 April 2013
Status: Superseded

Download Fix Pack 2

Security APAR APAR Description
PM76110 CVE-2012-4557: mod_proxy_ajp incorrectly marks backend WAS CE server down
PM80058 CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules
https://exchange.xforce.ibmcloud.com/vulnerabilities/82359
https://exchange.xforce.ibmcloud.com/vulnerabilities/82360
PM68347 z/OS IHS config for versions before 8.5 may not migrate as expected to 8.5
PM69188 Installation of IBM HTTP Server V8.5 completes with a warning. Failure occurs because the system's hostname is not set.
PM70591 IHS on Microsoft Windows startup failure with SSLv3Timeout or SSLv2Timeout in vhost: 'master_main: create child process failed.'
PM70994 SSLFakeBasicAuth depends on LoadModule order
PM71102 <Location> settings don't affect some mod_negotiation generated content
PM73304 Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server
PM75876 The 'Header' directive can't set a header only if the header is absent, even when using 'EDIT' mode or relying on other modules.
PM77980 IBM HTTP Server should not add the Server: header by default
PM78087 IBM HTTP Server high memory use when many hundreds of RewriteCond %{REQUEST_URI}
PM78144 IBM HTTP Server large logformats cannot be correctly logged by piped loggers
PM78434 Provide end-to-end timeouts for SSL handshakes
PM79015 mod_disk_cache on Windows gives error: '(OS 5) Access is denied: disk_cache: Rename tempfile to datafile failed'
PM80235 NIST SP800-131a support for IBM HTTP Server
PM80260 apr_pollset_add failure -errno2=0X11780494, or growing CPU usage on the listener thread in IHS child processes (z/OS only)


Note: IBM HTTP Server 8.5.0.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.

Fix release date: 29 October 2012
Last modified: 29 October 2012
Status: Superseded

Download Fix Pack 1

Security APAR APAR Description
PM66218 Upgrade bundled GSKit security library
http://www-01.ibm.com/support/docview.wss?&uid=swg21614265
PM66470 CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site.
PM72915 TLS compression should be disabled by default in IBM HTTP Server
http://www-01.ibm.com/support/docview.wss?uid=swg21611881
PM62011 mod_log_config: The wrong cookie can be logged
PM63634 admin.passwd file was reset after installing fixpack
PM68007 Non-root IBM HTTP Server install fails if primary group has no name
PM71612 Additional non-serviceable files added for IBM HTTP Server


Note: IBM HTTP Server 8.5.0.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.

Document Information

Modified date: 01 December 2022

UID: swg27036410