Product Documentation
Abstract
IBM HTTP Server provides periodic fixes for release 8.5. The following is a complete listing of fixes, with the most recent fix at the top.
Content
Fix release date: 10 February 2025 Last modified: 10 February 2025 Status: Recommended
Security APAR | APAR | Description |
✓ | PH61893 | IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-38476 and more) |
✓ | PH62263 | IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-40725, CVE-2024-40898) |
PH61590 | Trigger operator console or CEEDUMP for children that are slow to exit during shutdown | |
PH62717 | Restrict read permissions on files used to establish SysV shared memory | |
PH62889 | Instrument more Apache hooks with %{RH}e | |
PH63077 | Port fixes from libexpat 2.6.3 | |
PH64037 | Backport fixes from expat-2.6.4 | |
PH64942 | GSKit 8.0.60.x toleration and non-libcurl CRL/OCSP client |
Notes:
- IBM HTTP Server 8.5.5.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.63.
Fix release date: 29 July 2024 Last modified: 29 July 2024 Status: Superseded
Security APAR | APAR | Description |
✓ | PH59697 | IBM HTTP Server is vulnerable to a denial of service due to libexpat (CVE-2023-52425 CVSS 7.5). |
✓ | PH60619 | IBM HTTP Server is vulnerable to HTTP response splitting due to the included Apache HTTP Server (CVE-2024-24795 CVSS 6.5, CVE-2023-38709 CVSS 6.5). |
PH59012 | Fix possible crashes at the end of apachectl -t. z/OS only. | |
PH59165 | bin/envvars in newly created IHS instances now enables HEAPPOOLS and HEAPPOOLS64 by default. z/OS only. | |
PH60306 | Avoid crash during graceful exit after thread creation errors. | |
PH60645 | Stop reporting a generic SSL0212E for some obscure cases where SSLHandhsakeTimeout was explicitly triggered. | |
PH60863 | Potential crash on Windows at shutdown or when exiting due to MaxRequestsPerChild. |
Notes:
- IBM HTTP Server 8.5.5.26 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.62.
Fix release date: 19 February 2024 Last modified: 19 February 2024 Status: Superseded
Security APAR | APAR | Description |
PH55613 | Resolve some cases of "Configuration errors were detected during the installation" due to deleted files | |
PH56093 | IHS child processes crash leaks 1 message queue | |
PH56308 | Default ExtendedStatus to ON | |
PH56340 | Extended reporting of some startup errors | |
PH56383 | Connection not closed as expected after first response of HTTP request smuggling test | |
PH57408 | Log consecutive failing accept() calls and give the option to gracefully exit. z/OS only. |
Notes:
- IBM HTTP Server 8.5.5.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.
- IBM HTTP Server 8.5.5.25 + IFPH60619 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.59.
Fix release date: 31 July 2023 Last modified: 31 July 2023 Status: Superseded
Security APAR | APAR | Description |
✓ | PH51982 | IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server and Apache Portable Runtime. |
✓ | PH52546 | IBM HTTP Server is vulnerable to information disclosure due to IBM GSKit (CVE-2023-32342). |
✓ | PH52754 | IBM HTTP Server is vulnerable to a denial of service (CVE-2023-26281). |
✓ | PH53014 | IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690). |
PH44893 | Update GSKit to 8.0.55.31 for new RNG. | |
PH51473 | Remove RSA key exchange ciphers from defaults. | |
PH52642 | Improve error log message for invalid HTTP header name or value by identifying the first bad character. | |
PH53848 | Add %{tzoff}t alternative to %{%z}t on Windows. | |
PH54015 | RewriteRule trailing question mark errors with IFPH53014. | |
PH54894 | Add OCSPCacheSize directive to control the OCSP cache size. | |
PH55007 | bin/set_attributes.sh warning about chatr. |
Notes:
- IBM HTTP Server 8.5.5.24 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.57.
Fix release date: 13 February 2023 Last modified: 13 February 2023 Status: Superseded
Security APAR | APAR | Description |
✓ | PH46897 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-28615, CVE-2022-29404, CVE-2022-30556, CVE-2022-31813, CVE-2022-28614). |
✓ | PH49572 | Update bundled expat for CVE-2022-40674. |
✓ | PH50316 | Update bundled expat for CVE-2022-43680, CVE-2017-9233, and CVE-2013-0340. |
PH47348 | Add KeepAliveTimeoutDelay to help avoid keepalive races. | |
PH47518 | Report the average response time of active requests in the WAS plug-in along with WAS plug-in specific request states: TPCN, TPSB, TPWR, TPRB. | |
PH47792 | z/OS keepalive timeout is wrong for slow responses. | |
PH48168 | mod_authnz_saf rejects password with a single slash. | |
PH49311 | Upgrade GSKit to 8.0.55.29: TLSv1.3 client authentication failures with GNUTLS-based clients. |
Notes:
- IBM HTTP Server 8.5.5.23 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56
Security APAR | APAR | Description |
✓ | PH43122 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-23852 CVSS 9.8 and more) |
✓ | PH44271 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-25313, CVE-2022-25315, CVE-2022-25235, CVE-2022-25236) |
✓ | PH44829 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-22720, CVE-2022-22719, CVE-2022-22721) |
PH43696 | With SSLFIPSEnable and SSLProxyEngine enabled, handshakes may fail with GSK_ERROR_UNSUPPORTED. | |
PH44114 | IHS may appear to hang if MaxRequestsPerChild is non-zero, because a replacement process will not be launched. | |
PH44330 | IBM HTTP Server has unnecessary APF authorization on binary files. | |
PH46094 | Provide option to increase logging level of TrackHooksOptions logslow. |
Notes:
- IBM HTTP Server 8.5.5.22 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56
Fix release date: 14 February 2022
Last modified: 21 February 2022 Status: Superseded
Security APAR | APAR | Description |
✓ | PH40343 | Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server |
PH22727 | Keepalive connections may be closed up to 100ms early | |
PH37899 | Enhance mod_whatkilledus to print backtraces | |
PH38515 | z/OS: ErrorDocuments that specify literal strings were not translated correctly from EBCDIC to ASCII | |
PH39660 | z/OS: IHS may crash at startup in the sigaction() system call | |
PH40832 | Upgrade GSKit to 8.0.55.25 | |
PH41075 | z/OS: When the IHS parent process crashes, the started task ends but other child processes are not automatically terminated | |
PH41413 | z/OS: Recover from a stale logs/httpd.pid file | |
PH41891 | Backport rotatelogs improvements from 9.0/2.4 | |
PH42030 | IHS may crash in the sidDelete function | |
PH42072 | Potential crash with LDAP: set_parent_child_pointers |
Notes:
- IBM HTTP Server 8.5.5.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.
- IBM HTTP Server 8.5.5.21 with interim fix PH50316 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.54.
Security APAR | APAR | Description |
✓ | PH35771 | Multiple vulnerabilities in IBM HTTP Server (CVE-2020-13938, CVE-2021-30641) https://www.ibm.com/support/pages/node/6463587 |
PH31169 | Adjust SSL0200E with GSK_ERROR_PROTOCOL_MISMATCH | |
PH31409 | Can't set SSLV3TIMEOUT with TLS13 | |
PH32229 | Provide automatic graceful termination of processes reporting SSL0209E/SSL0212E/SSL0203E | |
PH33679 | SSLClientAuth doesn't work with 'noverify' and 'crl' together | |
PH34420 | Server fails to start when SSLCipherSpec 30 is set in httpd.conf | |
PH35915 | Upgrade bundled GSKit security library to 8.0.55.21 | |
PH36870 | Disable the TLS protocols TLSv10 and TLSv11 by default |
Notes:
- IBM HTTP Server 8.5.5.20 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.48
- IBM HTTP Server 8.5.5.20 with interim fix PH40343 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.51.
- If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.
- IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since z/OS Ported Tools has been withdrawn from service.
Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.
Fix release date: 15 February 2021
Last modified: 15 February 2021 Status: Superseded
Security APAR | APAR | Description |
PI82834 | Add a simple PCT alternative for IBM HTTP Server with Liberty | |
PH27739 | SSL0401E during 'apachectl stop' | |
PH27781 | Backport the GlobalLog directive to IHS 8.5.5 | |
PH28389 | install_ihs fails when an alias is used for 'ls' | |
PH29026 | setupadmn fails if existing target user is not specified in /etc/passwd. | |
PH30270 | Allow SSL IOVEC merging to be disabled | |
PH30598 | Support '-RSA' pseudo-cipher in SSLCipherSpec to remove ciphers with RSA key exchange. | |
PH30795 | Delays with large PKCS11 key stores (GSKit upgrade to 8.0.55.19) | |
PH30854 | Rewrite backreference escaping needs flexibility |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Note: IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.
Fix release date: 28 September 2020
Last modified: 28 September 2020 Status: Superseded
Security APAR | APAR | Description |
✓ | PH21992 | Multiple vulnerabilities in IBM HTTP Server (CVE-2020-1927, CVE-2020-1934) https://www.ibm.com/support/pages/node/6191631 |
PH20970 | Improve Request header modification flexibility | |
PH21717 | Relax hostname validation in IBM HTTP Server | |
PH21804 | SSL0212E with TLS1.3 when SSLV3Timeout expires (GSKit upgrade only to 8.0.55.13) | |
PH23551 | CGI error handling improvement | |
PH23596 | bin/rotatelogs not shipped with program control | |
PH24262 | postinst reports wrong port number | |
PH24265 | Allow mpmstats to write to zOS system log | |
PH24493 | SSL0209E with IHS 9.0.5.2 and later (GSKit upgrade only to 8.0.55.15) | |
PH26048 | Add additional information to AH01220 for CGI script timeout |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.18 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Note: IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.
Fix release date: 09 March 2020
Last modified: 09 March 2020 Status: Superseded
Security APAR | APAR | Description |
✓ | PH14974 | Multiple vulnerabilities in IBM HTTP Server (CVE-2018-20843, CVE-2019-10092, CVE-2019-10098) https://www.ibm.com/support/pages/node/964768 |
PH13105 | Upgrade bundled GSKit security library | |
PH14990 | Content-Encoding header not changed correctly by mod_deflate | |
PH17056 | Request for dataset with encoded characters returns 404 when using SAFRunAsEarly (z/OS only) | |
PH17652 | Truncated responses that fail with GSK_INVALID_BUFFER_SIZE in IBM HTTP Server | |
PH19074 | Provide extended diagnostics for SSL0279E errors |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Note: IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.
Fix release date: 03 September 2019
Last modified: 03 September 2019 Status: Superseded
IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.
Security APAR | APAR | Description |
✓ | PH09869 | Multiple vulnerabilities in IBM HTTP Server (CVE-2019-0211, CVE-2019-0220) https://www-01.ibm.com/support/docview.wss?uid=ibm10880413 |
PH05560 | Using multiple environment variables in a directive doesn't work | |
PH05852 | Allow headers to be unset using regex | |
PH07089 | Suppress parsing of $-prefixed variables in SSI (embeds). (z/OS only) | |
PH07275 | Unable to change service description of an 'IBM HTTP Server' service on Windows | |
PH07691 | IHS 8.5.5.14 replaces 64-bit Solaris binaries with 32-bit. | |
PH10089 | install-ihs -group should make more directories group writeable | |
PH10103 | Enable RLimitCPU on z/OS | |
PH10382 | Enable TLSV1.2 under SSLFIPSEnable |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.16 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Fix release date: 04 March 2019
Last modified: 04 March 2019 Status: Superseded
This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PH08053 / UI61402.
Note: This is the final z/OS PTF for IBM HTTP Server 8.5.5. IBM Ported Tools for z/OS was withdrawn from service on September 30, 2018, so there will be no more deliveries for it. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.
Security APAR | APAR | Description |
PI98146 | Only create rewrite map lock if RewriteMaps are used | |
PI98147 | Print unparsed URI in the 'URI incorrectly encoded' error message | |
PI99032 | SSL alerts not showing in log messages | |
PI99394 | Startup messages not switching to Errorlog (z/OS only) | |
PI99567 | HTTPProtocolOptions improvements | |
PI99685 | HTTPProtocolOptions=unsafe should allow a space in a header | |
PH00889 | LeaveWorkUnit errors with mod_wlm (z/OS only) | |
PH01222 | Timeout setting for OCSP on IBM HTTP Server | |
PH01302 | Accept SHA2 cert chains in LDAP connections | |
PH02746 | Add modern signature algorithms to SSLProxyEngine by default | |
PH04673 | Remove 'http header X-pad' | |
PH05008 | Accept SHA2 certs in mod_ibm_ldap | |
PH05575 | Postinst logs unexpected message when failed to find an FQDN |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Fix release date: 20 August 2018 Last modified: 20 August 2018 Status: Superseded
This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PH01159 / UI57810.
Security APAR | APAR | Description |
✓ | PI90598 | CVE-2017-12613 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22013598 |
✓ | PI94222 | Multiple vulnerabilities in GSKit bundled with IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22015347 |
✓ | PI95670 | Multiple vulnerabilities in IBM HTTP Server (CVE-2017-15710, CVE-2017-15715, CVE-2018-1301) http://www-01.ibm.com/support/docview.wss?uid=swg22015344 |
PI91075 | Add environment variable to record "SSLVersion" failure | |
PI91351 | Add toleration for TLS certificate extension InhibitAnyPolicy marked as non-critical | |
PI91850 | MVSDS does not list member contents when using relative generation number to create a member list with PDS/PDSE GDG (z/OS only) | |
PI91975 | The 'Header unset Content-Type' directive does not unset the Content-Type response header. | |
PI92017 | Include CGI program name when writing stderr to the error log when using mod_cgi | |
PI92053 | Let child processes avoid graceful shutdown if ECONNREFUSED, ECONNABORTED, ECONNRESET occur during client accept(). | |
PI92092 | FSUM6245 seen when upgrading IHS to a new fix pack and using an intermediate symbolic link (z/OS only) | |
PI92407 | Log startup message for low 64-bit MEMLIMIT | |
PI93212 | Throttle SSL0600E error messages | |
PI93624 | Increase default LDAPSharedCacheSize | |
PI94050 | High CPU/Hang with IHS mod_auth_basic LDAP | |
PI94539 | mod_proxy_http does not allow headers larger than 8K bytes. | |
PI95610 | Namespace collision when mod_ibm_ssl.so is loaded alongside libodr.so. | |
PI95964 | Add mod_cgi directive to allow users to configure timeouts for CGI applications. | |
PI95983 | Allow Content-Type to be edited via the Header directive. | |
PI96321 | Update embedded LDAP SDK to 6.4.x | |
PI97314 | Add mod_backtrace for Windows |
Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.
Note: IBM HTTP Server 8.5.5.14 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Fix release date: 05 February 2018 Last modified: 05 February 2018 Status: Superseded
This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI93091 / UI53558.
Security APAR | APAR | Description |
✓ | PI82481 | CVE-2017-7679 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280 |
✓ | PI87445 | CVE-2017-9798 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
✓ | PI87663 | CVE-2017-12618 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
PI83257 | Reduce memory usage from long mod_rewrite configurations. | |
PI83350 | Add jobname and job id to SMF 103 records for IBM HTTP Server (z/OS only) | |
PI84868 | Disable the 3DES cipher by default in IBM HTTP Server. | |
PI85478 | Disable symmetric offload by default when IHS is configured to use a crypto card. | |
PI85561 | SSL Fallback Protection related errors with SSLProxyEngine ON | |
PI85702 | SAFRunAs %%CERTIF%% asks for basic auth credentials | |
PI85804 | Improve password failure error messages in authnz_saf | |
PI88232 | Allow the server to handle requests with obsolete folds containing only spaces and/or tabs after PI73984. | |
PI88356 | Default ciphers with SSLFIPSEnable are System SSL defaults instead of IHS defaults. | |
PI88550 | Allow IHS instance on z/OS to swing to an alternate read-only directory. | |
PI88553 | Print an error message that includes the errno and errno2 values if fail to find a specified saf-group. | |
PI90141 | IBM HTTP Server may hang at startup on z/Linux running on z14 hardware - upgrade GSKit to 8.0.50.84 | |
PI90834 | abendoc4 in apr_pstrcat using saf-change-pw handler (z/OS only) |
Note: IBM HTTP Server 8.5.5.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.
Fix release date: 21 July 2017 Last modified: 21 July 2017 Status: Superseded
This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI84253 / UI48698.
Security APAR | APAR | Description |
✓ | PI73984 | CVE-2016-8743 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg21996847 |
✓ | PI82260 | CVE-2017-3167 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280 |
✓ | PI82263 | CVE-2017-7668 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280 |
PI69182 | IBM HTTP Server SSL cipher defaults may be displayed incorrectly on z/OS | |
PI70947 | Newlines are consumed when an MVSDS dataset's content type is not set to text/* or application/x-javascript. | |
PI72027 | IHS rewrite rule on IPV6 does not redirect correctly. | |
PI72350 | Fix potential crash in mod_mem_cache in IHS 8.5 and earlier. | |
PI72989 | Hangs related to mod_backtrace and mod_whatkilledus during a crash. | |
PI73027 | Crash with combination of mod_net_trace loaded and 'EnableSendfile ON' in httpd.conf. | |
PI73043 | Upgrade bundled GSKit security library | |
PI73661 | Session ID Daemon (sidd) memory leak | |
PI73819 | Allow an extended syntax for the SSLCipherSpec directive on z/OS (z/OS only) | |
PI74119 | Delayed closure of keepalive connections during graceful process termination on z/OS. (z/OS only) | |
PI74200 | Connection resets under heavy load when connecting to IHS on z/OS. (z/OS only) | |
PI75341 | /server-status doesn't display client IP until first request is read | |
PI76757 | Allow SSL handshake transcripts to be enabled or disabled | |
PI76874 | Further enhancements to PI50937 high cpu avoidance | |
PI76918 | 'Permission denied' errors after maintenance upgrade of IBM HTTP Server on z/OS (z/OS only) | |
PI77304 | VersionInfo shows Java 6 after install of IBM HTTP Server 8.5.5.11 with Java 8.0 | |
PI78442 | Some sequences of server-side includes mixing '#include virtual=' and '#include file=' result in an HTTP 400 error. | |
PI78767 | HttpProtocolOptions does not get merged from global to virtualhost scope in 8.5 and earlier. | |
PI78967 | Allow CEEDUMPS to be requested with kill -USR2 (z/OS only) | |
PI80187 | Redirect functionality not working as expected for MVSDS requests (z/OS only) | |
PI80356 | Upgrade bundled GSKit security library | |
PI80447 | Disable MMAP for static files by default on z/OS (z/OS only) | |
PI81360 | Allow SSL_/TLS_ prefixes to be used interchangeably for cipher long names | |
PI81589 | Use ECDHE_RSA ciphers by default under TLS1.2 in IBM HTTP Server 8.0 and 8.5 | |
PI81602 | Issues with updating SAF password when using Firefox or Chrome (z/OS only) |
Note: IBM HTTP Server 8.5.5.12 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.32, plus some of the security fixes from 2.2.33.
Fix release date: 23 December 2016 Last modified: 23 December 2016 Status: Superseded
This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI73335 / UI43131.
Security APAR | APAR | Description |
✓ | PI65855 | CVE-2016-5387 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988019 |
✓ | PI66849 | CVE-2012-0876, CVE-2012-1148, CVE-2016-4472 expat vulnerability fixes for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026 |
PI66153 | XML datasets with no XML extension cause error under mod_mvsds (z/OS only) | |
PI66183 | When MFA is configured, SAFRunAs fails with a permission error (z/OS only) | |
PI66695 | mod_reqtimeout can cause 'java.io.IOException: Async IO operation failed' | |
PI66787 | Session cache daemon (sidd) memory leak | |
PI66931 | Upgrade bundled GSKit security library to resolve TLS > 1.2 negotiation intolerance. | |
PI67595 | AuthSAFExpiration and AuthSAFReenter do not work when using a 401 errordocument (z/OS only) | |
PI68001 | Add ability for the MVS stop command to do a graceful shutdown of the server (z/OS only) | |
PI68803 | IHS on z/OS CPU usage increases in release 8.5.5.5 or beyond (z/OS only) | |
PI70024 | Lower message severity to Info for cache return error when connection is aborted for the IBM HTTP Server error logging | |
PI70372 | mod_mvsds serves a plain text file as an html page if it contains any string starting with a '<' and ending with a '>'. | |
PI70496 | Startup failures when 'SSLEnable' is specified globally instead of within a VirtualHost. | |
PI70829 | Provide additional message information for IBM HTTP Server TLS handshakes | |
PI71340 | Update ikeyman/gskcmd wrappers for IBM HTTP Server 8.5.5 and 9.0 with embedded Java 8. |
Note: IBM HTTP Server 8.5.5.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
Fix release date: 15 August 2016 Last modified: 15 August 2016 Status: Superseded
This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI66501 / UI39727.
Security APAR | APAR | Description |
✓ | PI63098 | CVE-2016-0718 for IBM HTTP Server (Distributed only) http://www-01.ibm.com/support/docview.wss?&uid=swg21988026 |
PI53754 | Using MVSDS to retrieve a GDG(0) always returns the same file, even after a new generation is created. (z/OS only) | |
PI54415 | Requests with CONTENT-LENGTH: 0 and any LimitRequestBody may result in a 413 error | |
PI54757 | Delay allocating an IHS thread until data is available on a new inbound TCP connection. | |
PI54808 | RewriteRule sees un-decoded characters in URL when mod_authnz_saf loaded (z/OS only) | |
PI56034 | No equivalent functionality for DGW ALWAYSWELCOME directive in IHS on z/OS. | |
PI57543 | Allow one address space per rotatelogs process to be conserved. (z/OS only) | |
PI57596 | CRIHS0001I may contain garbage information or not pick up HTTPS port. (z/OS only) | |
PI57657 | INSTCONFPARTIALSUCCESS when the IBM HTTP Server installer cannot determine a local hostname. | |
PI58218 | IBM HTTP Server 'mod_cache' fixes. | |
PI59374 | Certificate expiration reporting for IBM HTTP Server. | |
PI59561 | Add pre/post password hooks to mod_authnz_saf. (z/OS only) | |
PI60207 | Upgrade bundled GSKit security library to 8.0.50.61 (Distributed only) | |
PI60251 | mod_mvsds writes content as binary instead of text/plain. (z/OS only) | |
PI60784 | IBM HTTP Server directives SSLCipherBan and SSLCipherRequire may crash when GSKit tracing is enabled. (Distributed only) | |
PI62663 | Some Server Side Includes (SSI) may not be translated as expected (z/OS only) | |
PI63482 | Add a private header with password change information for 401 response. | |
PI63682 | IHS mod_status displays many 'NULL' strings in request column. | |
PI64346 | SetEnvIf may be skipped with SAF auth enabled (z/OS only) | |
PI64628 | IBM HTTP Server on Z/OS is deleting the wrong IPC message queue (z/OS only) |
Note: IBM HTTP Server 8.5.5.10 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
Fix release date: 18 March 2016 Last modified: 18 March 2016 Status: Superseded
This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI58575 / UI35897.
Security APAR | APAR | Description |
✓ | PI52395 | CVE-2015-7420 for IBM HTTP Server (GSKit upgrade) http://www-01.ibm.com/support/docview.wss?uid=swg21974507 |
✓ | PI54962 | CVE-2016-0201 for IBM HTTP Server (GSKit upgrade) http://www-01.ibm.com/support/docview.wss?uid=swg21974507 |
PI40885 | The 'SAFRunAs' directive implicitly requires access to the "OMVSAPPL" class in some RACF configurations (z/OS only) {The initial fix was in 8.5.5.7, but was not effective until additional updates in this fixpack.} | |
PI47828 | IBM HTTP Server on z/OS fails to start with CC=0137 and ABENDU4093 RC00000281 (z/OS only) | |
PI48695 | DGW compatibility for CGI query strings and syntax in server-side includes. (z/OS only) | |
PI49165 | Add new request time logging formats | |
PI49473 | IBM HTTP Server mod_filter is unable to process pages with error response codes returned from WebSphere Plugin | |
PI49718 | Improve error_log reporting for 'SSLProxyEngine' handshake errors | |
PI49791 | Add the IfFile directive to allow processing directives based on file existence. | |
PI50376 | DGW compatibility for DOCUMENT_* CGI variables. (z/OS only) | |
PI50397 | No error log entries for 'SAFRunAs %%CERTIF_REQ%%' failures. (z/OS only) | |
PI50514 | SSL session ID cache daemon (SIDD) creates unnecessary entries | |
PI50937 | Alleviate looping between SSL and GSKit (IBM Global Security Kit) | |
PI51185 | Enhancements allowing use of SAFRunAsEarly for certificate switching | |
PI52299 | TLS_FALLBACK_SCSV support for IBM HTTP Server |
Note: IBM HTTP Server 8.5.5.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
Fix release date: 11 December 2015 Last modified: 11 December 2015 Status: Superseded
This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI52859 / UI33171.
Security APAR | APAR | Description |
PI45005 | Use of SAFRunAs %%CLIENT%% can result in ICH408I messages to be issued against the HTTP Server userid | |
PI45562 | Add a message to indicate the IBM HTTP Server is ready | |
PI45740 | Encoding error on RewriteRule | |
PI46559 | The setupadm script on Linux fails to use an existing group without the -create parameter | |
PI46616 | Allow RewriteRule to use colon (':') in header names and values | |
PI46868 | REXX CGI'S may display as text in the browser | |
PI47198 | IHS caching partial response for chunked responses | |
PI47605 | Support -t -DDUMP_SSL_CONFIG and -t -DDUMP_SSL_CIPHERS on Microsoft Windows | |
PI47642 | Honor a global LogLevel specified after a virtual host definition that does not explicitly set LogLevel |
Note: IBM HTTP Server 8.5.5.8 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
Fix release date: 11 September 2015 Last modified: 11 September 2015 Status: Superseded
This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI47832 / UI30752.
Security APAR | APAR | Description |
✓ | PI39833 | CVE-2015-1829 for IBM HTTP Server on Windows http://www-01.ibm.com/support/docview.wss?uid=swg21959081 |
✓ | PI42928 | CVE-2015-3183 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21963361 |
✓ | PI44793 | CVE-2015-4947 for IBM HTTP Server Administration Server http://www-01.ibm.com/support/docview.wss?uid=swg21965419 |
✓ | PI44809 | CVE-2015-1788 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21963362 |
✓ | PI45596 | CVE-2015-1283 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21964428 |
PI38322 | Allow mod_cache to ignore an 'Authorization' HTTP request header | |
PI38562 | CGI resources are briefly unavailable just after a restart | |
PI38828 | Enable unified config dump | |
PI38835 | IBM HTTP Server cannot log time-to-first-byte (TTFB) | |
PI39439 | DGW-style SSL environment variables are not set | |
PI40952 | Preserve quoting in SSLServerCert directive |
Note: IBM HTTP Server 8.5.5.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.
Fix release date: 26 June 2015 Last modified: 26 June 2015 Status: Superseded
This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI43067 / UI28569.
Security APAR | APAR | Description |
✓ | PI36417 | CVE-2015-0138 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21698959 |
✓ | PI34229 | Disable RC4-based TLS ciphers by default in IBM HTTP Server. http://www-01.ibm.com/support/docview.wss?uid=swg21701072 |
PI32452 | Userid on 'require saf-user' statement doesn't work when specified as lower case (z/OS only) | |
PI32841 | Some cipher names and keysizes are not logged when using %(SSL_CIPHER)e in LogFormat for access log. | |
PI33039 | EDC5170I error happens when running CGI script in Apache server with WLM enabled on z/OS | |
PI33527 | SSLOCSPEnable directive always enables OCSP (Online Certificate Status Protocol) even if value is 'OFF'. | |
PI34017 | HTTP error 413 on static files results in a duplicate error message. | |
PI35073 | IBM HTTP Server always supplies its own HTTP 'DATE' header to responses generated by the WebSphere webserver plug-in. | |
PI35219 | ABEND0C1 when running install_ihs on z/OS | |
PI35519 | cgiparse incorrectly handles POST request bodies on z/OS | |
PI39284 | Error continues to appear in HAPALLO2 JCL after PI25264 (z/OS only) |
Note: IBM HTTP Server 8.5.5.6 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
Fix release date: 13 March 2015 | Last modified: 13 March 2015 | Status: Superseded | This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI36674 / UI25968. |
Security APAR | APAR | Description |
✓ | PI31516 | CVE-2014-8730: Enable strict CBC padding checks on TLS connections http://www-01.ibm.com/support/docview.wss?&uid=swg21697368 |
PI28735 | ErrorDocument redirection for status code 414 (Request URI too long) does not work | |
PI30041 | mod_deflate_z gives no indication if hardware offload was used (z/OS only) | |
PI30093 | Allow SSLProtocolDisable, SSLProtocolEnable, and SSLAttributeSet in the IBM HTTP Server configuration global | |
PI30323 | Add support for dual-mode ECDSA/RSA SSL virtual hosts | |
PI31566 | Allow IBM HTTP Server RLimit* directives to reduce hard limits | |
PI31802 | APR_POLLSET_ADD failure - ERRNO2=0X76650000 (z/OS only) |
Note: IBM HTTP Server 8.5.5.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
Fix release date: 08 December 2014 | Last modified: 08 December 2014 | Status: Superseded | This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI30622 / UI23545. |
Security APAR | APAR | Description |
✓ | PI22070 | Multiple Apache web server vulnerabilities: CVE-2014-0118 (mod_deflate), CVE-2014-0226 (mod_status), CVE-2014-0231 (mod_cgid), CVE-2013-5704 (core) http://www-01.ibm.com/support/docview.wss?&uid=swg21690185 |
✓ | PI27904 | IBM HTTP Server should disable weak SSL protocols and ciphers by default |
PI19013 | Missing version.signature file after the installation of Apache HTTP Server -FMID HHAP85P (z/OS only) | |
PI19580 | mod_reqtimeout: Potential for unexpected timeouts in IBM HTTP Server 8.5.5 on z/OS when using RequestReadTimeout (z/OS only) | |
PI19581 | IBM HTTP Server modules specified without a path don't load | |
PI21655 | mod_mvsds: 404 returned when attempting to browse a member of a PDS dataset using MVSDS (z/OS only) | |
PI23005 | Allow logging of time taken during SSL handshake | |
PI24257 | 'Header edit* ...' directive not accepted by IBM HTTP Server | |
PI24424 | Add support for zEnterprise Data Compression (zEDC) offload for IBM HTTP Server. (z/OS only) | |
PI24782 | mod_smf module only writes smf type 103 subtype 14 records when debug is turned on. (z/OS only) | |
PI24990 | Add mpmstats info to console. (z/OS only) | |
PI25124 | Install of PTF UI20159 does not update product files 14/09/19 PTF PECHANGE (z/OS only) | |
PI25264 | Error appears in HAPALLO2 JCL (z/OS only) | |
PI25783 | Fatal getpwuid() error at IBM HTTP Server startup (z/OS only) | |
PI26507 | mod_proxy on z/OS doesn't try IPV4 addresses on systems where IPV6 connections fail (z/OS only) | |
PI26894 | Increase security libraries to resolve high CPU loop on 64bit Microsoft Windows (GSKit upgrade to 8.0.50.34) |
Note: IBM HTTP Server 8.5.5.4 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.
Fix release date: 18 August 2014 | Last modified: 18 August 2014 | Status: Superseded | This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI21538 / UI20159. |
Security APAR | APAR | Description |
✓ | PI13028 | CVE-2014-0098: mod_log_config - Potential denial of service vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21681249 |
✓ | PI17025 | CVE-2014-0963: IBM HTTP Server high CPU utilization with SSL (includes GSKit upgrade) http://www-01.ibm.com/support/docview.wss?&uid=swg21681249 |
✓ | PI19700 | CVE-2014-0076: Local side-channel attack on ECDSA (GSKit upgrade) http://www-01.ibm.com/support/docview.wss?&uid=swg21681249 |
PI13422 | Memory leak in GSKit 8.0.50 (GSKit upgrade) | |
PI13949 | MVSDS request does not release shared ENQ (z/OS only) | |
PI14451 | IHS with SSLFIPSENABLE reports error code 53817451 at startup (z/OS only) | |
PI15344 | IBM HTTP Server caching issues | |
PI16599 | Authentication failure gives LDAP error for non-LDAP configurations | |
PI17434 | SSLCACHE may fail due to SSLCACHEPORTFILENAME value being in use (z/OS only) |
Note: IBM HTTP Server 8.5.5.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.27.
Fix release date: 28 April 2014 | Last modified: 28 April 2014 | Status: Superseded | This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI15962 / UI17041. |
Security APAR | APAR | Description |
✓ | PI05309 | CVE-2013-6329: SSL session resumption vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21669554 |
✓ | PI09345 | CVE-2013-6438: Potential Denial of Service in mod_dav for IBM HTTP Server. http://www-01.ibm.com/support/docview.wss?&uid=swg21669554 |
✓ | PI09443 | CVE-2013-6747: GSKit Certificate Chain Vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21669554 |
PM94008 | Timed-out ldap bind and search failures on reused connections are not retried. | |
PM94143 | Use of SAFRunAs results in ICH408I messages to be issued against the HTTP Server userid (z/OS only) | |
PM94602 | ProxyRemote fails to work with SSL requests | |
PM96039 | AcceptEx disablement notice should not appear in Microsoft Windows Event Viewer | |
PM97650 | IBM HTTP Server does not send SIGTERM to fastCGI application | |
PI04922 | IBM HTTP Server scaling/processing threads limited on 64-bit Microsoft Windows. | |
PI06366 | IBM HTTP Server thread creation failures when scaling up from default configuration on RHEL6 | |
PI07665 | IBM HTTP Server 8.5 (Apache) on z/OS needs support of cgiparse and cgiutils from IHS 5.3 Domino Go Web Server. | |
PI08502 | Potential heap corruption under load for IBM HTTP Server with SSL enabled. (GSKit upgrade). | |
PI08715 | Potential mod_proxy crashes under load | |
PI09344 | Missing version.signature file for 31-bit IBM HTTP Server on z/OS breaks 8.5.5 post-update process. |
Note: IBM HTTP Server 8.5.5.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.26.
Fix release date: 11 November 2013 | Last modified: 11 November 2013 | Status: Superseded |
Security APAR | APAR | Description |
✓ | PM87808 | CVE-2013-1862: mod_rewrite vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21651880 |
✓ | PM89996 | CVE-2013-1896: mod_dav vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21651880 |
PM84215 | mod_mpmstats may report incorrect values during startup or shutdown | |
PM87247 | Additional certificate attributes are needed as fields accessible to the SSLClientAuthRequire directive | |
PM89422 | IHS WebDAV requests slow on Windows | |
PM91704 | Add mod_smf module for IBM HTTP Server (z/OS only) | |
PM92105 | wlm enclave support fails on a child process without a unique job name (z/OS only) |
Note: IBM HTTP Server 8.5.5.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.25.
Fix release date: 14 June 2013 | Last modified: 14 June 2013 | Status: Superseded |
Security APAR | APAR | Description |
✓ | PM85211 | CVE-2013-0169: TLS Vulnerability (The fix upgrades the bundled GSKit security library) https://exchange.xforce.ibmcloud.com/vulnerabilities/81902 |
Note: IBM HTTP Server 8.5.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.
Fix release date: 15 April 2013 | Last modified: 15 April 2013 | Status: Superseded |
Security APAR | APAR | Description |
✓ | PM76110 | CVE-2012-4557: mod_proxy_ajp incorrectly marks backend WAS CE server down |
✓ | PM80058 | CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules https://exchange.xforce.ibmcloud.com/vulnerabilities/82359 https://exchange.xforce.ibmcloud.com/vulnerabilities/82360 |
PM68347 | z/OS IHS config for versions before 8.5 may not migrate as expected to 8.5 | |
PM69188 | Installation of IBM HTTP Server V8.5 completes with a warning. Failure occurs because the system's hostname is not set. | |
PM70591 | IHS on Microsoft Windows startup failure with SSLv3Timeout or SSLv2Timeout in vhost: 'master_main: create child process failed.' | |
PM70994 | SSLFakeBasicAuth depends on LoadModule order | |
PM71102 | <Location> settings don't affect some mod_negotiation generated content | |
PM73304 | Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server | |
PM75876 | The 'Header' directive can't set a header only if the header is absent, even when using 'EDIT' mode or relying on other modules. | |
PM77980 | IBM HTTP Server should not add the Server: header by default | |
PM78087 | IBM HTTP Server high memory use when many hundreds of RewriteCond %{REQUEST_URI} | |
PM78144 | IBM HTTP Server large logformats cannot be correctly logged by piped loggers | |
PM78434 | Provide end-to-end timeouts for SSL handshakes | |
PM79015 | mod_disk_cache on Windows gives error: '(OS 5) Access is denied: disk_cache: Rename tempfile to datafile failed' | |
PM80235 | NIST SP800-131a support for IBM HTTP Server | |
PM80260 | apr_pollset_add failure -errno2=0X11780494, or growing CPU usage on the listener thread in IHS child processes (z/OS only) |
Note: IBM HTTP Server 8.5.0.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.
Fix release date: 29 October 2012 | Last modified: 29 October 2012 | Status: Superseded |
Security APAR | APAR | Description |
✓ | PM66218 | Upgrade bundled GSKit security library http://www-01.ibm.com/support/docview.wss?&uid=swg21614265 |
✓ | PM66470 | CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site. |
✓ | PM72915 | TLS compression should be disabled by default in IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21611881 |
PM62011 | mod_log_config: The wrong cookie can be logged | |
PM63634 | admin.passwd file was reset after installing fixpack | |
PM68007 | Non-root IBM HTTP Server install fails if primary group has no name | |
PM71612 | Additional non-serviceable files added for IBM HTTP Server |
Note: IBM HTTP Server 8.5.0.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.
Document Information
More support for: IBM HTTP Server
Component: IHS
Software version: 8.5.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
Document number: 602529
Modified date: 07 February 2025
UID: swg27036410