Fix list for IBM HTTP Server Version 8.5

Product Documentation

Abstract

IBM HTTP Server provides periodic fixes for release 8.5. The following is a complete listing of fixes, with the most recent fix at the top.

Content

	Back to all versions

IBM HTTP Server 8.5.5.27
Download Fix Pack 8.5.5.27 Fix release date: 10 February 2025 Last modified: 10 February 2025 Status: Recommended	Back to Top

Security APAR	APAR	Description
✓	PH61893	IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-38476 and more)
✓	PH62263	IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-40725, CVE-2024-40898)
	PH61590	Trigger operator console or `CEEDUMP` for children that are slow to exit during shutdown
	PH62717	Restrict read permissions on files used to establish SysV shared memory
	PH62889	Instrument more Apache hooks with `%{RH}e`
	PH63077	Port fixes from libexpat 2.6.3
	PH64037	Backport fixes from expat-2.6.4
	PH64942	GSKit 8.0.60.x toleration and non-libcurl CRL/OCSP client

Notes:

IBM HTTP Server 8.5.5.27 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.63.

IBM HTTP Server 8.5.5.26
Download Fix Pack 8.5.5.26 Fix release date: 29 July 2024 Last modified: 29 July 2024 Status: Superseded	Back to Top

Security APAR	APAR	Description
✓	PH59697	IBM HTTP Server is vulnerable to a denial of service due to `libexpat` (CVE-2023-52425 CVSS 7.5).
✓	PH60619	IBM HTTP Server is vulnerable to HTTP response splitting due to the included Apache HTTP Server (CVE-2024-24795 CVSS 6.5, CVE-2023-38709 CVSS 6.5).
	PH59012	Fix possible crashes at the end of `apachectl -t`. z/OS only.
	PH59165	`bin/envvars` in newly created IHS instances now enables `HEAPPOOLS` and `HEAPPOOLS64` by default. z/OS only.
	PH60306	Avoid crash during graceful exit after thread creation errors.
	PH60645	Stop reporting a generic `SSL0212E` for some obscure cases where `SSLHandhsakeTimeout` was explicitly triggered.
	PH60863	Potential crash on Windows at shutdown or when exiting due to `MaxRequestsPerChild`.

Notes:

IBM HTTP Server 8.5.5.26 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.62.

IBM HTTP Server 8.5.5.25
Download Fix Pack 8.5.5.25 Fix release date: 19 February 2024 Last modified: 19 February 2024 Status: Superseded	Back to Top

Security APAR	APAR	Description
	PH55613	Resolve some cases of "Configuration errors were detected during the installation" due to deleted files
	PH56093	IHS child processes crash leaks 1 message queue
	PH56308	Default ExtendedStatus to ON
	PH56340	Extended reporting of some startup errors
	PH56383	Connection not closed as expected after first response of HTTP request smuggling test
	PH57408	Log consecutive failing accept() calls and give the option to gracefully exit. z/OS only.

Notes:

IBM HTTP Server 8.5.5.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.
IBM HTTP Server 8.5.5.25 + IFPH60619 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.59.

IBM HTTP Server 8.5.5.24
Download Fix Pack 8.5.5.24 Fix release date: 31 July 2023 Last modified: 31 July 2023 Status: Superseded	Back to Top

Security APAR	APAR	Description
✓	PH51982	IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server and Apache Portable Runtime.
✓	PH52546	IBM HTTP Server is vulnerable to information disclosure due to IBM GSKit (CVE-2023-32342).
✓	PH52754	IBM HTTP Server is vulnerable to a denial of service (CVE-2023-26281).
✓	PH53014	IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690).
	PH44893	Update GSKit to 8.0.55.31 for new RNG.
	PH51473	Remove RSA key exchange ciphers from defaults.
	PH52642	Improve error log message for invalid HTTP header name or value by identifying the first bad character.
	PH53848	Add `%{tzoff}t` alternative to `%{%z}t` on Windows.
	PH54015	`RewriteRule` trailing question mark errors with `IFPH53014`.
	PH54894	Add `OCSPCacheSize` directive to control the OCSP cache size.
	PH55007	`bin/set_attributes.sh` warning about `chatr`.

Notes:

IBM HTTP Server 8.5.5.24 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.57.

IBM HTTP Server 8.5.5.23
Download Fix Pack 8.5.5.23 Fix release date: 13 February 2023 Last modified: 13 February 2023 Status: Superseded	Back to Top

Security APAR	APAR	Description
✓	PH46897	Multiple vulnerabilities in IBM HTTP Server (CVE-2022-28615, CVE-2022-29404, CVE-2022-30556, CVE-2022-31813, CVE-2022-28614).
✓	PH49572	Update bundled expat for CVE-2022-40674.
✓	PH50316	Update bundled expat for CVE-2022-43680, CVE-2017-9233, and CVE-2013-0340.
	PH47348	Add `KeepAliveTimeoutDelay` to help avoid keepalive races.
	PH47518	Report the average response time of active requests in the WAS plug-in along with WAS plug-in specific request states: TPCN, TPSB, TPWR, TPRB.
	PH47792	z/OS keepalive timeout is wrong for slow responses.
	PH48168	mod_authnz_saf rejects password with a single slash.
	PH49311	Upgrade GSKit to 8.0.55.29: TLSv1.3 client authentication failures with GNUTLS-based clients.

Notes:

IBM HTTP Server 8.5.5.23 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56

Fix Pack 22 (8.5.5.22)
Fix release date: 25 July 2022 Last modified: 25 July 2022 Status: Superseded Download Fix Pack 22	Back to Top

Security APAR	APAR	Description
✓	PH43122	Multiple vulnerabilities in IBM HTTP Server (CVE-2022-23852 CVSS 9.8 and more) https://www.ibm.com/support/pages/node/6557294
✓	PH44271	Multiple vulnerabilities in IBM HTTP Server (CVE-2022-25313, CVE-2022-25315, CVE-2022-25235, CVE-2022-25236) https://www.ibm.com/support/pages/node/6538416
✓	PH44829	Multiple vulnerabilities in IBM HTTP Server (CVE-2022-22720, CVE-2022-22719, CVE-2022-22721) https://www.ibm.com/support/pages/node/6560814
	PH43696	With `SSLFIPSEnable` and `SSLProxyEngine` enabled, handshakes may fail with `GSK_ERROR_UNSUPPORTED`.
	PH44114	IHS may appear to hang if `MaxRequestsPerChild` is non-zero, because a replacement process will not be launched.
	PH44330	IBM HTTP Server has unnecessary APF authorization on binary files.
	PH46094	Provide option to increase logging level of `TrackHooksOptions logslow`.

Notes:

IBM HTTP Server 8.5.5.22 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56

Fix Pack 21 (8.5.5.21)
Fix release date: 14 February 2022 Last modified: 21 February 2022 Status: Superseded Download Fix Pack 21	Back to Top

Security APAR	APAR	Description
✓	PH40343	Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server
	PH22727	Keepalive connections may be closed up to 100ms early
	PH37899	Enhance mod_whatkilledus to print backtraces
	PH38515	z/OS: ErrorDocuments that specify literal strings were not translated correctly from EBCDIC to ASCII
	PH39660	z/OS: IHS may crash at startup in the sigaction() system call
	PH40832	Upgrade GSKit to 8.0.55.25
	PH41075	z/OS: When the IHS parent process crashes, the started task ends but other child processes are not automatically terminated
	PH41413	z/OS: Recover from a stale logs/httpd.pid file
	PH41891	Backport rotatelogs improvements from 9.0/2.4
	PH42030	IHS may crash in the sidDelete function
	PH42072	Potential crash with LDAP: set_parent_child_pointers

Notes:

IBM HTTP Server 8.5.5.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.
IBM HTTP Server 8.5.5.21 with interim fix PH50316 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.54.

Fix Pack 20 (8.5.5.20)
Fix release date: 26 July 2021 Last modified: 26 July 2021 Status: Superseded Download Fix Pack 20	Back to Top

Security APAR	APAR	Description
✓	PH35771	Multiple vulnerabilities in IBM HTTP Server (CVE-2020-13938, CVE-2021-30641) https://www.ibm.com/support/pages/node/6463587
	PH31169	Adjust SSL0200E with GSK_ERROR_PROTOCOL_MISMATCH
	PH31409	Can't set SSLV3TIMEOUT with TLS13
	PH32229	Provide automatic graceful termination of processes reporting SSL0209E/SSL0212E/SSL0203E
	PH33679	SSLCLientAuth doesn't work with 'noverify' and 'crl' together
	PH34420	Server fails to start when SSLCipherSpec 30 is set in httpd.conf
	PH35915	Upgrade bundled GSKit security library to 8.0.55.21
	PH36870	Disable the TLS protocols TLSv10 and TLSv11 by default

Notes:

IBM HTTP Server 8.5.5.20 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.48
IBM HTTP Server 8.5.5.20 with interim fix PH40343 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.51.
If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.
IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since z/OS Ported Tools has been withdrawn from service.
Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.

Fix Pack 19 (8.5.5.19)
Fix release date: 15 February 2021 Last modified: 15 February 2021 Status: Superseded Download Fix Pack 19	Back to Top

Security APAR	APAR	Description
	PI82834	Add a simple PCT alternative for IBM HTTP Server with Liberty
	PH27739	SSL0401E during 'apachectl stop'
	PH27781	Backport the GlobalLog directive to IHS 8.5.5
	PH28389	install_ihs fails when an alias is used for 'ls'
	PH29026	setupadmn fails if existing target user is not specified in /etc/passwd.
	PH30270	Allow SSL IOVEC merging to be disabled
	PH30598	Support '-RSA' pseudo-cipher in SSLCipherSpec to remove ciphers with RSA key exchange.
	PH30795	Delays with large PKCS11 key stores (GSKit upgrade to 8.0.55.19)
	PH30854	Rewrite backreference escaping needs flexibility

Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Note: IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.

Fix Pack 18 (8.5.5.18)
Fix release date: 28 September 2020 Last modified: 28 September 2020 Status: Superseded Download Fix Pack 18	Back to Top

Security APAR	APAR	Description
✓	PH21992	Multiple vulnerabilities in IBM HTTP Server (CVE-2020-1927, CVE-2020-1934) https://www.ibm.com/support/pages/node/6191631
	PH20970	Improve Request header modification flexibility
	PH21717	Relax hostname validation in IBM HTTP Server
	PH21804	SSL0212E with TLS1.3 when SSLV3Timeout expires (GSKit upgrade only to 8.0.55.13)
	PH23551	CGI error handling improvement
	PH23596	bin/rotatelogs not shipped with program control
	PH24262	postinst reports wrong port number
	PH24265	Allow mpmstats to write to zOS system log
	PH24493	SSL0209E with IHS 9.0.5.2 and later (GSKit upgrade only to 8.0.55.15)
	PH26048	Add additional information to AH01220 for CGI script timeout

Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.18 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix Pack 17 (8.5.5.17)
Fix release date: 09 March 2020 Last modified: 09 March 2020 Status: Superseded Download Fix Pack 17	Back to Top

Security APAR	APAR	Description
✓	PH14974	Multiple vulnerabilities in IBM HTTP Server (CVE-2018-20843, CVE-2019-10092, CVE-2019-10098) https://www.ibm.com/support/pages/node/964768
	PH13105	Upgrade bundled GSKit security library
	PH14990	Content-Encoding header not changed correctly by mod_deflate
	PH17056	Request for dataset with encoded characters returns 404 when using SAFRunAsEarly (z/OS only)
	PH17652	Truncated responses that fail with GSK_INVALID_BUFFER_SIZE in IBM HTTP Server
	PH19074	Provide extended diagnostics for SSL0279E errors

Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later replaces the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.17 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix Pack 16 (8.5.5.16)
Fix release date: 03 September 2019 Last modified: 03 September 2019 Status: Superseded Download Fix Pack 16 IHS 8.5.5 fixpacks no longer deliver z/OS PTFs for IBM Ported Tools on z/OS since it has been withdrawn from service. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.	Back to Top

Security APAR	APAR	Description
✓	PH09869	Multiple vulnerabilities in IBM HTTP Server (CVE-2019-0211, CVE-2019-0220) https://www-01.ibm.com/support/docview.wss?uid=ibm10880413
	PH05560	Using multiple environment variables in a directive doesn't work
	PH05852	Allow headers to be unset using regex
	PH07089	Suppress parsing of $-prefixed variables in SSI (embeds). (z/OS only)
	PH07275	Unable to change service description of an 'IBM HTTP Server' service on Windows
	PH07691	IHS 8.5.5.14 replaces 64-bit Solaris binaries with 32-bit.
	PH10089	install-ihs -group should make more directories group writeable
	PH10103	Enable RLimitCPU on z/OS
	PH10382	Enable TLSV1.2 under SSLFIPSEnable

Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.16 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix Pack 15 (8.5.5.15)
Fix release date: 04 March 2019 Last modified: 04 March 2019 Status: Superseded Download Fix Pack 15 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PH08053 / UI61402.	Back to Top

Note: This is the final z/OS PTF for IBM HTTP Server 8.5.5. IBM Ported Tools for z/OS was withdrawn from service on September 30, 2018, so there will be no more deliveries for it. Installation Manager packages of IBM HTTP Server 8.5.5 for z/OS will continue.

Security APAR	APAR	Description
	PI98146	Only create rewrite map lock if RewriteMaps are used
	PI98147	Print unparsed URI in the 'URI incorrectly encoded' error message
	PI99032	SSL alerts not showing in log messages
	PI99394	Startup messages not switching to Errorlog (z/OS only)
	PI99567	HTTPProtocolOptions improvements
	PI99685	HTTPProtocolOptions=unsafe should allow a space in a header
	PH00889	LeaveWorkUnit errors with mod_wlm (z/OS only)
	PH01222	Timeout setting for OCSP on IBM HTTP Server
	PH01302	Accept SHA2 cert chains in LDAP connections
	PH02746	Add modern signature algorithms to SSLProxyEngine by default
	PH04673	Remove 'http header X-pad'
	PH05008	Accept SHA2 certs in mod_ibm_ldap
	PH05575	Postinst logs unexpected message when failed to find an FQDN

Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.15 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix Pack 14 (8.5.5.14)
Fix release date: 20 August 2018 Last modified: 20 August 2018 Status: Superseded Download Fix Pack 14 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PH01159 / UI57810.	Back to Top

Security APAR	APAR	Description
✓	PI90598	CVE-2017-12613 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22013598
✓	PI94222	Multiple vulnerabilities in GSKit bundled with IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22015347
✓	PI95670	Multiple vulnerabilities in IBM HTTP Server (CVE-2017-15710, CVE-2017-15715,CVE-2018-1301) http://www-01.ibm.com/support/docview.wss?uid=swg22015344
	PI91075	Add environment variable to record "SSLVersion" failure
	PI91351	Add toleration for TLS certificate extension InhibitAnyPolicy marked as non-critical
	PI91850	MVSDS does not list member contents when using relative generation number to create a member list with PDS/PDSE GDG (z/OS only)
	PI91975	The 'Header unset Content-Type' directive does not unset the Content-Type response header.
	PI92017	Include CGI program name when writing stderr to the error log when using mod_cgi
	PI92053	Let child processes avoid graceful shutdown if ECONNREFUSED, ECONNABORTED, ECONNRESET occur during client accept().
	PI92092	FSUM6245 seen when upgrading IHS to a new fix pack and using an intermediate symbolic link (z/OS only)
	PI92407	Log startup message for low 64-bit MEMLIMIT
	PI93212	Throttle SSL0600E error messages
	PI93624	Increase default LDAPSharedCacheSize
	PI94050	High CPU/Hang with IHS mod_auth_basic LDAP
	PI94539	mod_proxy_http does not allow headers larger than 8K bytes.
	PI95610	Namespace collision when mod_ibm_ssl.so is loaded alongside libodr.so.
	PI95964	Add mod_cgi directive to allow users to configure timeouts for CGI applications.
	PI95983	Allow Content-Type to be edited via the Header directive.
	PI96321	Update embedded LDAP SDK to 6.4.x
	PI97314	Add mod_backtrace for Windows

Note: If the original installation was performed at 8.5.5.11 or earlier, fixpack 8.5.5.14 and later will replace the embedded IBM Java 6 with IBM Java 8.

Note: IBM HTTP Server 8.5.5.14 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix Pack 13 (8.5.5.13)
Fix release date: 05 February 2018 Last modified: 05 February 2018 Status: Superseded Download Fix Pack 13 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI93091 / UI53558.	Back to Top

Security APAR	APAR	Description
✓	PI82481	CVE-2017-7679 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280
✓	PI87445	CVE-2017-9798 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782
✓	PI87663	CVE-2017-12618 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782
	PI83257	Reduce memory usage from long mod_rewrite configurations.
	PI83350	Add jobname and job id to SMF 103 records for IBM HTTP Server (z/OS only)
	PI84868	Disable the 3DES cipher by default in IBM HTTP Server.
	PI85478	Disable symmetric offload by default when IHS is configured to use a crypto card.
	PI85561	SSL Fallback Protection related errors with SSLProxyEngine ON
	PI85702	SAFRunAs %%CERTIF%% asks for basic auth credentials
	PI85804	Improve password failure error messages in authnz_saf
	PI88232	Allow the server to handle requests with obsolete folds containing only spaces and/or tabs after PI73984.
	PI88356	Default ciphers with SSLFIPSEnable are System SSL defaults instead of IHS defaults.
	PI88550	Allow IHS instance on z/OS to swing to an alternate read-only directory.
	PI88553	Print an error message that includes the errno and errno2 values if fail to find a specified saf-group.
	PI90141	IBM HTTP Server may hang at startup on z/Linux running on z14 hardware - upgrade GSKit to 8.0.50.84
	PI90834	abendoc4 in apr_pstrcat using saf-change-pw handler (z/OS only)

Note: IBM HTTP Server 8.5.5.13 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.34.

Fix Pack 12 (8.5.5.12)
Fix release date: 21 July 2017 Last modified: 21 July 2017 Status: Superseded Download Fix Pack 12 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI84253 / UI48698.	Back to Top

Security APAR	APAR	Description
✓	PI73984	CVE-2016-8743 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg21996847
✓	PI82260	CVE-2017-3167 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280
✓	PI82263	CVE-2017-7668 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?&uid=swg22005280
	PI69182	IBM HTTP Server SSL cipher defaults may be displayed incorrectly on z/OS
	PI70947	Newlines are consumed when an MVSDS dataset's content type is not set to text/* or application/x-javascript.
	PI72027	IHS rewrite rule on IPV6 does not redirect correctly.
	PI72350	Fix potential crash in mod_mem_cache in IHS 8.5 and earlier.
	PI72989	Hangs related to mod_backtrace and mod_whatkilledus during a crash.
	PI73027	Crash with combination of mod_net_trace loaded and 'EnableSendfile ON' in httpd.conf.
	PI73043	Upgrade bundled GSKit security library
	PI73661	Session ID Daemon (sidd) memory leak
	PI73819	Allow an extended syntax for the SSLCipherSpec directive on z/OS (z/OS only)
	PI74119	Delayed closure of keepalive connections during graceful process termination on z/OS. (z/OS only)
	PI74200	Connection resets under heavy load when connecting to IHS on z/OS. (z/OS only)
	PI75341	/server-status doesn't display client IP until first request is read
	PI76757	Allow SSL handshake transcripts to be enabled or disabled
	PI76874	Further enhancements to PI50937 high cpu avoidance
	PI76918	'Permission denied' errors after maintenance upgrade of IBM HTTP Server on z/OS (z/OS only)
	PI77304	VersionInfo shows Java 6 after install of IBM HTTP Server 8.5.5.11 with Java 8.0
	PI78442	Some sequences of server-side includes mixing '#include virtual=' and '#include file=' result in an HTTP 400 error.
	PI78767	HttpProtocolOptions does not get merged from global to virtualhost scope in 8.5 and earlier.
	PI78967	Allow CEEDUMPS to be requested with kill -USR2 (z/OS only)
	PI80187	Redirect functionality not working as expected for MVSDS requests (z/OS only)
	PI80356	Upgrade bundled GSKit security library
	PI80447	Disable MMAP for static files by default on z/OS (z/OS only)
	PI81360	Allow SSL_/TLS_ prefixes to be used interchangeably for cipher long names
	PI81589	Use ECHDE_RSA ciphers by default under TLS1.2 in IBM HTTP Server 8.0 and 8.5
	PI81602	Issues with updating SAF password when using Firefox or Chrome (z/OS only)

Note: IBM HTTP Server 8.5.5.12 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.32, plus some of the security fixes from 2.2.33.

Fix Pack 11 (8.5.5.11)
Fix release date: 23 December 2016 Last modified: 23 December 2016 Status: Superseded Download Fix Pack 11 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI73335 / UI43131.	Back to Top

Security APAR	APAR	Description
✓	PI65855	CVE-2016-5387 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988019
✓	PI66849	CVE-2012-0876, CVE-2012-1148, CVE-2016-4472 expat vulnerability fixes for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026
	PI66153	XML datasets with no XML extension cause error under mod_mvsds (z/OS only)
	PI66183	When MFA is configured, SAFRunAs fails with a permission error (z/OS only)
	PI66695	mod_reqtimeout can cause 'java.io.IOException: Async IO operation failed'
	PI66787	Session cache daemon (sidd) memory leak
	PI66931	Upgrade bundled GSKit security library to resolve TLS > 1.2 negotiation intolerance.
	PI67595	AuthSAFExpiration and AuthSAFReenter do not work when using a 401 errordocument (z/OS only)
	PI68001	Add ability for the MVS stop command to do a graceful shutdown of the server (z/OS only)
	PI68803	IHS on z/OS CPU usage increases in release 8.5.5.5 or beyond (z/OS only)
	PI70024	Lower message severity to Info for cache return error when connection is aborted for the IBM HTTP Server error logging
	PI70372	mod_mvsds serves a plain text file as an html page if it contains any string starting with a '<' and ending with a '>'.
	PI70496	Startup failures when 'SSLEnable' is specified globally instead of within a VirtualHost.
	PI70829	Provide additional message information for IBM HTTP Server TLS handshakes
	PI71340	Update ikeyman/gskcmd wrappers for IBM HTTP Server 8.5.5 and 9.0 with embedded Java 8.

Note: IBM HTTP Server 8.5.5.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix Pack 10 (8.5.5.10)
Fix release date: 15 August 2016 Last modified: 15 August 2016 Status: Superseded Download Fix Pack 10 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI66501 / UI39727.	Back to Top

Security APAR	APAR	Description
✓	PI63098	CVE-2016-0718 for IBM HTTP Server (Distributed only) http://www-01.ibm.com/support/docview.wss?&uid=swg21988026
	PI53754	Using MVSDS to retrieve a GDG(0) always returns the same file, even after a new generation is created. (z/OS only)
	PI54415	Requests with CONTENT-LENGTH: 0 and any LimitRequestBody may result in a 413 error
	PI54757	Delay allocating an IHS thread until data is available on a new inbound TCP connection.
	PI54808	RewriteRule sees un-decoded characters in URL when mod_authnz_saf loaded (z/OS only)
	PI56034	No equivalent functionality for DGW ALWAYSWELCOME directive in IHS on z/OS.
	PI57543	Allow one address space per rotatelogs process to be conserved. (z/OS only)
	PI57596	CRIHS0001I may contain garbage information or not pick up HTTPS port. (z/OS only)
	PI57657	INSTCONFPARTIALSUCCESS when the IBM HTTP Server installer cannot determine a local hostname.
	PI58218	IBM HTTP Server 'mod_cache' fixes.
	PI59374	Certificate expiration reporting for IBM HTTP Server.
	PI59561	Add pre/post password hooks to mod_authnz_saf. (z/OS only)
	PI60207	Upgrade bundled GSKit security library to 8.0.50.61 (Distributed only)
	PI60251	mod_mvsds writes content as binary instead of text/plain. (z/OS only)
	PI60784	IBM HTTP Server directives SSLCipherBan and SSLCipherRequire may crash when GSKit tracing is enabled. (Distributed only)
	PI62663	Some Server Side Includes (SSI) may not be translated as expected (z/OS only)
	PI63482	Add a private header with password change information for 401 response.
	PI63682	IHS mod_status displays many 'NULL' strings in request column.
	PI64346	SetEnvIf may be skipped with SAF auth enabled (z/OS only)
	PI64628	IBM HTTP Server on Z/OS is deleting the wrong IPC message queue (z/OS only)

Note: IBM HTTP Server 8.5.5.10 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix Pack 9 (8.5.5.9)
Fix release date: 18 March 2016 Last modified: 18 March 2016 Status: Superseded Download Fix Pack 9 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI58575 / UI35897.	Back to Top

Security APAR	APAR	Description
✓	PI52395	CVE-2015-7420 for IBM HTTP Server (GSKit upgrade) http://www-01.ibm.com/support/docview.wss?uid=swg21974507
✓	PI54962	CVE-2016-0201 for IBM HTTP Server (GSKit upgrade) http://www-01.ibm.com/support/docview.wss?uid=swg21974507
	PI40885	The 'SAFRunAs' directive implicitly requires access to the "OMVSAPPL" class in some RACF configurations (z/OS only) {The initial fix was in 8.5.5.7, but was not effective until additional updates in this fixpack.}
	PI47828	IBM HTTP Server on z/OS fails to start with CC=0137 and ABENDU4093 RC00000281 (z/OS only)
	PI48695	DGW compatibility for CGI query strings and syntax in server-side includes. (z/OS only)
	PI49165	Add new request time logging formats
	PI49473	IBM HTTP Server mod_filter is unable to process pages with error response codes returned from WebSphere Plugin
	PI49718	Improve error_log reporting for 'SSLProxyEngine' handshake errors
	PI49791	Add the IfFile directive to allow processing directives based on file existence.
	PI50376	DGW compatibility for DOCUMENT_* CGI variables. (z/OS only)
	PI50397	No error log entries for 'SAFRunAs %%CERTIF_REQ%%' failures. (z/OS only)
	PI50514	SSL session ID cache daemon (SIDD) creates unnecessary entries
	PI50937	Alleviate looping between SSL and GSKit (IBM Global Security Kit)
	PI51185	Enhancements allowing use of SAFRunAsEarly for certificate switching
	PI52299	TLS_FALLBACK_SCSV support for IBM HTTP Server

Note: IBM HTTP Server 8.5.5.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix Pack 8 (8.5.5.8)
Fix release date: 11 December 2015 Last modified: 11 December 2015 Status: Superseded Download Fix Pack 8 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI52859 / UI33171.	Back to Top

Security APAR	APAR	Description
	PI45005	Use of SAFRunAs %%CLIENT%% can result in ICH408I messages to be issued against the HTTP Server userid
	PI45562	Add a message to indicate the IBM HTTP Server is ready
	PI45740	Encoding error on RewriteRule
	PI46559	The setupadm script on Linux fails to use an existing group without the -create parameter
	PI46616	Allow RewriteRule to use colon (':') in header names and values
	PI46868	REXX CGI'S may display as text in the browser
	PI47198	IHS caching partial response for chunked responses
	PI47605	Support -t -DDUMP_SSL_CONFIG and -t -DDUMP_SSL_CIPHERS on Microsoft Windows
	PI47642	Honor a global LogLevel specified after a virtual host definition that does not explicitly set LogLevel

Note: IBM HTTP Server 8.5.5.8 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix Pack 7 (8.5.5.7)
Fix release date: 11 September 2015 Last modified: 11 September 2015 Status: Superseded Download Fix Pack 7 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI47832 / UI30752.	Back to Top

Security APAR	APAR	Description
✓	PI39833	CVE-2015-1829 for IBM HTTP Server on Windows http://www-01.ibm.com/support/docview.wss?uid=swg21959081
✓	PI42928	CVE-2015-3183 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21963361
✓	PI44793	CVE-2015-4947 for IBM HTTP Server Administration Server http://www-01.ibm.com/support/docview.wss?uid=swg21965419
✓	PI44809	CVE-2015-1788 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21963362
✓	PI45596	CVE-2015-1283 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21964428
	PI38322	Allow mod_cache to ignore an 'Authorization' HTTP request header
	PI38562	CGI resources are briefly unavailable just after a restart
	PI38828	Enable unified config dump
	PI38835	IBM HTTP Server cannot log time-to-first-byte (TTFB)
	PI39439	DGW-style SSL environment variables are not set
	PI40952	Preserve quoting in SSLServerCert directive

Note: IBM HTTP Server 8.5.5.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.31.

Fix Pack 6 (8.5.5.6)
Fix release date: 26 June 2015 Last modified: 26 June 2015 Status: Superseded Download Fix Pack 6 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI43067 / UI28569.	Back to Top

Security APAR	APAR	Description
✓	PI36417	CVE-2015-0138 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21698959
✓	PI34229	Disable RC4-based TLS ciphers by default in IBM HTTP Server. http://www-01.ibm.com/support/docview.wss?uid=swg21701072
	PI32452	Userid on 'require saf-user' statement doesn't work when specified as lower case (z/OS only)
	PI32841	Some cipher names and keysizes are not logged when using %(SSL_CIPHER)e in LogFormat for access log.
	PI33039	EDC5170I error happens when running CGI script in Apache server with WLM enabled on z/OS
	PI33527	SSLOCSPEnable directive always enables OCSP (Online Certificate Status Protocol) even if value is 'OFF'.
	PI34017	HTTP error 413 on static files results in a duplicate error message.
	PI35073	IBM HTTP Server always supplies its own HTTP 'DATE' header to responses generated by the WebSphere webserver plug-in.
	PI35219	ABEND0C1 when running install_ihs on z/OS
	PI35519	cgiparse incorrectly handles POST request bodies on z/OS
	PI39284	Error continues to appear in HAPALLO2 JCL after PI25264 (z/OS only)

Note: IBM HTTP Server 8.5.5.6 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.

Fix Pack 5 (8.5.5.5)
Fix release date: 13 March 2015 Last modified: 13 March 2015 Status: Superseded Download Fix Pack 5 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI36674 / UI25968.	Back to Top

Security APAR	APAR	Description
✓	PI31516	CVE-2014-8730: Enable strict CBC padding checks on TLS connections http://www-01.ibm.com/support/docview.wss?&uid=swg21697368
	PI28735	ErrorDocument redirection for status code 414 (Request URI too long) does not work
	PI30041	mod_deflate_z gives no indication if hardware offload was used (z/OS only)
	PI30093	Allow SSLProtocolDisable, SSLProtocolEnable, and SSLAttributeSet in the IBM HTTP Server configuration global
	PI30323	Add support for dual-mode ECDSA/RSA SSL virtual hosts
	PI31566	Allow IBM HTTP Server RLimit* directives to reduce hard limits
	PI31802	APR_POLLSET_ADD failure - ERRNO2=0X76650000 (z/OS only)

Note: IBM HTTP Server 8.5.5.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.

Fix Pack 4 (8.5.5.4)
Fix release date: 08 December 2014 Last modified: 08 December 2014 Status: Superseded Download Fix Pack 4 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI30622 / UI23545.	Back to Top

Security APAR	APAR	Description
✓	PI22070	Multiple Apache web server vulnerabilities: CVE-2014-0118 (mod_deflate), CVE-2014-0226 (mod_status), CVE-2014-0231 (mod_cgid), CVE-2013-5704 (core) http://www-01.ibm.com/support/docview.wss?&uid=swg21690185
✓	PI27904	IBM HTTP Server should disable weak SSL protocols and ciphers by default
	PI19013	Missing version.signature file after the installation of Apache HTTP Server -FMID HHAP85P (z/OS only)
	PI19580	mod_reqtimeout: Potential for unexpected timeouts in IBM HTTP Server 8.5.5 on z/OS when using RequestReadTimeout (z/OS only)
	PI19581	IBM HTTP Server modules specified without a path don't load
	PI21655	mod_mvsds: 404 returned when attempting to browse a member of a PDS dataset using MVSDS (z/OS only)
	PI23005	Allow logging of time taken during SSL handshake
	PI24257	'Header edit* ...' directive not accepted by IBM HTTP Server
	PI24424	Add support for zEnterprise Data Compression (zEDC) offload for IBM HTTP Server. (z/OS only)
	PI24782	mod_smf module only writes smf type 103 subtype 14 records when debug is turned on. (z/OS only)
	PI24990	Add mpmstats info to console. (z/OS only)
	PI25124	Install of PTF UI20159 does not update product files 14/09/19 PTF PECHANGE (z/OS only)
	PI25264	Error appears in HAPALLO2 JCL (z/OS only)
	PI25783	Fatal getpwuid() error at IBM HTTP Server startup (z/OS only)
	PI26507	mod_proxy on z/OS doesn't try IPV4 addresses on systems where IPV6 connections fail (z/OS only)
	PI26894	Increase security libraries to resolve high CPU loop on 64bit Microsoft Windows (GSKit upgrade to 8.0.50.34)

Note: IBM HTTP Server 8.5.5.4 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.29.

Fix Pack 3 (8.5.5.3)
Fix release date: 18 August 2014 Last modified: 18 August 2014 Status: Superseded Download Fix Pack 3 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI21538 / UI20159.	Back to Top

Security APAR	APAR	Description
✓	PI13028	CVE-2014-0098: mod_log_config - Potential denial of service vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21681249
✓	PI17025	CVE-2014-0963: IBM HTTP Server high CPU utilization with SSL (includes GSKit upgrade) http://www-01.ibm.com/support/docview.wss?&uid=swg21681249
✓	PI19700	CVE-2014-0076: Local side-channel attack on ECDSA (GSKit upgrade) http://www-01.ibm.com/support/docview.wss?&uid=swg21681249
	PI13422	Memory leak in GSKit 8.0.50 (GSKit upgrade)
	PI13949	MVSDS request does not release shared ENQ (z/OS only)
	PI14451	IHS with SSLFIPSENABLE reports error code 53817451 at startup (z/OS only)
	PI15344	IBM HTTP Server caching issues
	PI16599	Authentication failure gives LDAP error for non-LDAP configurations
	PI17434	SSLCACHE may fail due to SSLCACHEPORTFILENAME value being in use (z/OS only)

Note: IBM HTTP Server 8.5.5.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.27.

Fix Pack 2 (8.5.5.2)
Fix release date: 28 April 2014 Last modified: 28 April 2014 Status: Superseded Download Fix Pack 2 This fixpack is delivered for IBM Ported Tools on z/OS using APAR/PTF: PI15962 / UI17041.	Back to Top

Security APAR	APAR	Description
✓	PI05309	CVE-2013-6329: SSL session resumption vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21669554
✓	PI09345	CVE-2013-6438: Potential Denial of Service in mod_dav for IBM HTTP Server. http://www-01.ibm.com/support/docview.wss?&uid=swg21669554
✓	PI09443	CVE-2013-6747: GSKit Certificate Chain Vulnerability. (GSKit upgrade). http://www-01.ibm.com/support/docview.wss?&uid=swg21669554
	PM94008	Timed-out ldap bind and search failures on reused connections are not retried.
	PM94143	Use of SAFRunAs results in ICH408I messages to be issued against the HTTP Server userid (z/OS only)
	PM94602	ProxyRemote fails to work with SSL requests
	PM96039	AcceptEx disablement notice should not appear in Microsoft Windows Event Viewer
	PM97650	IBM HTTP Server does not send SIGTERM to fastCGI application
	PI04922	IBM HTTP Server scaling/processing threads limited on 64-bit Microsoft Windows.
	PI06366	IBM HTTP Server thread creation failures when scaling up from default configuration on RHEL6
	PI07665	IBM HTTP server 8.5 (Apache) on z/OS needs support of cgiparse and cgiutils from IHS 5.3 Domino Go Web Server.
	PI08502	Potential heap corruption under load for IBM HTTP Server with SSL enabled. (GSKit upgrade).
	PI08715	Potential mod_proxy crashes under load
	PI09344	Missing version.signature file for 31-bit IBM HTTP Server on z/OS breaks 8.5.5 post-update process.

Note: IBM HTTP Server 8.5.5.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.26.

Fix Pack 1 (8.5.5.1)
Fix release date: 11 November 2013 Last modified: 11 November 2013 Status: Superseded Download Fix Pack 1	Back to Top

Security APAR	APAR	Description
✓	PM87808	CVE-2013-1862: mod_rewrite vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21651880
✓	PM89996	CVE-2013-1896: mod_dav vulnerability http://www-01.ibm.com/support/docview.wss?&uid=swg21651880
	PM84215	mod_mpmstats may report incorrect values during startup or shutdown
	PM87247	Additional certificate attributes are needed as fields accessible to the SSLClientAuthRequire directive
	PM89422	IHS WebDAV requests slow on Windows
	PM91704	Add mod_smf module for IBM HTTP Server (z/OS only)
	PM92105	wlm enclave support fails on a child process without a unique job name (z/OS only)

Note: IBM HTTP Server 8.5.5.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.25.

Refresh Pack (8.5.5)
Fix release date: 14 June 2013 Last modified: 14 June 2013 Status: Superseded Download Refresh Pack 8.5.5	Back to Top

Security APAR	APAR	Description
✓	PM85211	CVE-2013-0169: TLS Vulnerability (The fix upgrades the bundled GSKit security library) https://exchange.xforce.ibmcloud.com/vulnerabilities/81902

Note: IBM HTTP Server 8.5.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.

Fix Pack 2 (8.5.0.2)
Fix release date: 15 April 2013 Last modified: 15 April 2013 Status: Superseded Download Fix Pack 2	Back to Top

Security APAR	APAR	Description
✓	PM76110	CVE-2012-4557: mod_proxy_ajp incorrectly marks backend WAS CE server down
✓	PM80058	CVE-2012-3499/CVE-2012-4558: Potential exposure in several IBM HTTP Server optional modules https://exchange.xforce.ibmcloud.com/vulnerabilities/82359 https://exchange.xforce.ibmcloud.com/vulnerabilities/82360
	PM68347	Z/OS IHS config for versions before 8.5 may not migrate as expected to 8.5
	PM69188	Installation of IBM HTTP Server V8.5 completes with a warning. Failure occurs because the system's hostname is not set.
	PM70591	IHS on Microsoft Windows startup failure with SSLv3Timeout or SSLv2Timeout in vhost: 'master_main: create child process failed.'
	PM70994	SSLFakeBasicAuth depends on LoadModule order
	PM71102	<Location> settings don't affect some mod_negotiation generated content
	PM73304	Add mod_ssl's SSLProxyCheckPeerCN to IBM HTTP Server
	PM75876	The 'Header' directive can't set a header only if the header is absent, even when using 'EDIT' mode or relying on other modules.
	PM77980	IBM HTTP Server should not add the Server: header by default
	PM78087	IBM HTTP Server high memory use when many hundreds of RewriteCond %{REQUEST_URI}
	PM78144	IBM HTTP Server large logformats cannot be correctly logged by piped loggers
	PM78434	Provide end-to-end timeouts for SSL handshakes
	PM79015	mod_disk_cache on Windows gives error: '(OS 5) Access is denied: disk_cache: Rename tempfile to datafile failed'
	PM80235	NIST SP800-131a support for IBM HTTP Server
	PM80260	apr_pollset_add failure -errno2=0X11780494, or growing CPU usage on the listener thread in IHS child processes (z/OS only)

Note: IBM HTTP Server 8.5.0.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.24.

Fix Pack 1 (8.5.0.1)
Fix release date: 29 October 2012 Last modified: 29 October 2012 Status: Superseded Download Fix Pack 1	Back to Top

Security APAR	APAR	Description
✓	PM66218	Upgrade bundled GSKit security library http://www-01.ibm.com/support/docview.wss?&uid=swg21614265
✓	PM66470	CVE-2012-2687: mod_negotiation - potential information disclosure on compromised site.
✓	PM72915	TLS compression should be disabled by default in IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21611881
	PM62011	mod_log_config: The wrong cookie can be logged
	PM63634	admin.passwd file was reset after installing fixpack
	PM68007	Non-root IBM HTTP Server install fails if primary group has no name
	PM71612	Additional non-serviceable files added for IBM HTTP Server

Note: IBM HTTP Server 8.5.0.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.2.23.

[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"ARM Category":[{"code":"a8m50000000Cd10AAC","label":"IHS"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.0"}]

Was this topic helpful?

Document Information

More support for:
IBM HTTP Server

Component:
IHS

Software version:
8.5.0

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows, z/OS

Document number:
602529

Modified date:
07 February 2025

UID

swg27036410

IBM Support

Tips

Fix list for IBM HTTP Server Version 8.5

Product Documentation

Abstract

Content

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?