Product Documentation
Abstract
IBM HTTP Server provides periodic fixes for release 9.0. The following is a listing of recent fix packs, with the most recent at the top.
Content
Download Fix Pack 9.0.5.26

| Security APAR | APAR | Description |
|---|---|---|
| | PH67551 | Fix potential bug in PH61590 and add error_log logging |
| | PH67623 | Replace SSLRevocationLibCurlEnable with SSLRevocationIHSInternalClientEnable |
| | PH67676 | Add additional directories to rpath / runpath of httpd binaries |
| | PH67714 | Allow custom post-update scripts on Linux |
| | PH67897 | Allow apachectl configtest to check SSL config with -DTEST_SSL_CONFIG |
| | PH68132 | Remove HTTP 400 errors related to SNI / Host mismatch which are not meaningful in IHS (AH02032/AH02032) |

Notes:
- IBM HTTP Server 9.0.5.26 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.65.
- IBM HTTP Server 9.0.5.26 with PH68462 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.66.
Download Fix Pack 9.0.5.25

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH67153 | IBM HTTP Server is affected by multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-43394, CVE-2024-42516, CVE-2024-43204) |
| ✓ | PH67414 | IBM HTTP Server is affected by multiple vulnerabilities due to the included Apache HTTP Server (CVE-2025-54090 CVSS 6.3) |
| | PH67529 | Allow SetEnv to replace native environment variables to avoid IHS bundled libraries from being in CGI shared library path |
| | PH66648 | Remove CBC ciphers from defaults |
| | PH66956 | Improve resilience of Keep-Alive connections under mpm_event |

Notes:
- IBM HTTP Server 9.0.5.25 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.65.
Download Fix Pack 9.0.5.24

| Security APAR | APAR | Description |
|---|---|---|
| | PH64800 | Add the ihs-force-https option to force HTTPS when TLS is offloaded in front of IBM HTTP Server. |
| | PH65827 | Remove support for the obscure DUPNAMES option in the embedded PCRE. |
| | PH65829 | Ensure embedded expat library is always used with an entity handler. |

Notes:
- IBM HTTP Server 9.0.5.24 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.63.
- IBM HTTP Server 9.0.5.24 with IFPH67414 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.65.
Download Fix Pack 9.0.5.23

| Security APAR | APAR | Description |
|---|---|---|
| | PH64037 | Backport fixes from expat-2.6.4. |
| | PH64942 | GSKit 8.0.60.x toleration and non-libcurl CRL/OCSP client. |

Notes:
- IBM HTTP Server 9.0.5.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.63.
Download Fix Pack 9.0.5.22

| Security APAR | APAR | Description |
|---|---|---|
| | PH62717 | Restrict read permissions on files used to establish SysV shared memory |
| | PH62889 | Instrument more Apache hooks with %{RH}e |
| | PH63077 | Port fixes from libexpat 2.6.3 |
| | PH63338 | Add DeflateMinLength directive to specify a minimum response length to compress. |
| | PH63406 | Under rare/unknown conditions, IHS may continually create threads in child process |

Notes:
- IBM HTTP Server 9.0.5.22 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.62.
Download Fix Pack 9.0.5.21

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH61893 | IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-38476 and more) |
| ✓ | PH62263 | IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-40725, CVE-2024-40898) |
| | PH61590 | Trigger operator console or CEEDUMP for children that are slow to exit during shutdown |
| | PH61821 | Add SAN DNSName to bin/quickssl.{sh,bat} in archive installs |

Notes:
- IBM HTTP Server 9.0.5.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.62.
Download Fix Pack 9.0.5.20

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH60619 | IBM HTTP Server is vulnerable to HTTP response splitting due to the included Apache HTTP Server (CVE-2024-24795 CVSS 6.5, CVE-2023-38709 CVSS 6.5) |
| | PH60185 | Improve management of gracefully exiting processes on event MPM |
| | PH60306 | Avoid crash during graceful exit after thread creation errors |
| | PH60402 | update libexpat for issues found in 2.6.0 |
| | PH60645 | SSL handshake timeout logged generically as "SSL0212E: SSL Handshake Failed, Internal unknown error" |
| | PH60777 | Add logging and timeouts related to communication between mod_ibm_ssl and sidd |
| | PH60863 | mod_mpmstats: Potential crash on Windows at shutdown or MaxRequestsPerChild |

Notes:
- IBM HTTP Server 9.0.5.20 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.59.
- IBM HTTP Server 9.0.5.20 with IFPH62263 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.62.
Download Fix Pack 9.0.5.19

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH59697 | IBM HTTP Server is vulnerable to information disclosure due to the included libexpat (CVE-2023-52425). |
| | PH57408 | Log consecutive failing accept() calls and give the option to gracefully exit (z/OS only). |
| | PH59012 | Fix possible crashes at the end of apachectl -t. |
| | PH59165 | Enable HEAPPOOLS64 on new instances by default. |

Notes:
- IBM HTTP Server 9.0.5.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.
- IBM HTTP Server 9.0.5.19+IFPH60619 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.59.
Download Fix Pack 9.0.5.18

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH57715 | IBM HTTP Server is vulnerable to information disclosure due to the included Apache HTTP Server (CVE-2023-31122) |
| | PH55900 | Upgrade LDAP SDK and add support for TLS13 |
| | PH56093 | IHS child processes crash leaks 1 message queue |
| | PH56097 | mod_mpmstats AlwaysReport directive overrides ReportInterval |
| | PH56308 | Default ExtendedStatus to ON |
| | PH56340 | Extended reporting of some startup errors |
| | PH56383 | Connection not closed as expected after first response of HTTP request smuggling test |

Notes:
- IBM HTTP Server 9.0.5.18 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.
Download Fix Pack 9.0.5.17

| Security APAR | APAR | Description |
|---|---|---|
| | PH54894 | Add SSLOCSPCacheSize directive to enable and control the OCSP cache size. |
| | PH55434 | Improve ICSF detection on zOS for new instances. |
| | PH55613 | Tolerate missing files that are edited post installation, primarily for interim fix installations. |

Notes:
- IBM HTTP Server 9.0.5.17 with interim fix PH57715 (z/OS PTF UI94155) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.
Download Fix Pack 9.0.5.16

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH52546 | IBM HTTP Server is vulnerable to information disclosure due to IBM GSKit (CVE-2023-32342 CVSS 7.5) |
| ✓ | PH53014 | IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690 CVSS 6.1) |
| | PH44893 | Update GSKit to 8.0.55.31 for new RNG. |
| | PH51678 | Add SSLSupportedCurves directive to allow customization of the curves offered during ECDHE key exchange. On z/OS, secp192r1 and secp224r1 are no longer enabled by default for ECDHE key exchange over TLSv1.2. |
| | PH52642 | Improve the error log message for invalid HTTP header name or value by identifying the first bad character. |
| | PH52860 | Possible high CPU when at or near MaxClients. |
| | PH53848 | Add %{tzoff}t alternative to %{%z}t on Windows. |
| | PH54015 | Fix regression in PH53014 interim fixes for RewriteRule with trailing question mark. |

Notes:
- IBM HTTP Server 9.0.5.16 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.57.
Download Fix Pack 9.0.5.15

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH50316 | Update bundled expat for CVE-2022-43680, CVE-2017-9233, and CVE-2013-0340. |
| ✓ | PH51982 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-25147, CVE-2022-28331, CVE-2022-37436, CVE-2006-20001). |
| | PH51473 | Remove RSA key exchange ciphers from defaults. |
| | PH51709 | Add SSLMinimumRSAKeySize directive to reject client certificates with RSA key sizes smaller than the minimum specified. |

Notes:
- IBM HTTP Server 9.0.5.15 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56.
- The latest IHS Archive interim fix is packaged with PH48747 https://www.ibm.com/support/pages/node/6987541
Download Fix Pack 9.0.5.14

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH49572 | Update bundled expat for CVE-2022-40674. |
| | PH47518 | Report the average response time of active requests in the WAS plug-in along with WAS plug-in specific request states: TPCN, TPSB, TPWR, TPRB. |
| | PH47941 | Providing a second certificate label to SSLServerCert doesn't work unless SNI is enabled. |
| | PH48168 | mod_authnz_saf rejects password with a single slash. |
| | PH48206 | Add the KeepAliveTimeoutSend408 directive to allow the server to respond with an HTTP 408 response instead of closing KeepAlive connections. |
| | PH48807 | SSL_SERVER_* variables may not be accurate with SNI or multiple certificates per virtual host. |
| | PH49311 | Upgrade GSKit to 8.0.55.29. |

Notes:
- IBM HTTP Server 9.0.5.14 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56.
IBM HTTP Server 9.0.5.13
Download Fix Pack 9.0.5.13

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH46897 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-28615, CVE-2022-29404, CVE-2022-30556, CVE-2022-31813, CVE-2022-28614). |
| | PH46094 | Add TrackeHooksOption notice to log slow requests at NOTICE level instead of INFO. |
| | PH47286 | When logging %h as used in the default log formats, respect changes made by mod_remoteip processing. |
| | PH47348 | Add KeepAliveTimeoutDelay to help avoid keepalive races. |

Notes:
- IBM HTTP Server 9.0.5.13 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56.
IBM HTTP Server 9.0.5.12
Download Fix Pack 9.0.5.12

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH44271 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-25313, CVE-2022-25315, CVE-2022-25235, CVE-2022-25236) |
| ✓ | PH44829 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-22720, CVE-2022-22719, CVE-2022-22721) |
| | PH43696 | With SSLFIPSEnable and SSLProxyEngine enabled, handshakes may fail with GSK_ERROR_UNSUPPORTED. |
| | PH43887 | IHS may crash in function ap_scan_http_field_content |
| | PH44114 | IHS may appear to hang if MaxRequestsPerChild is nonzero, because a replacement process will not be launched |
| | PH44330 | IBM HTTP Server has unnecessary APF authorization on binary files |
| | PH44393 | IHS can crash in function ap_scan_http_field_content when processing special characters in URLs or headers |

Notes:
- IBM HTTP Server 9.0.5.12 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.53.
- IBM HTTP Server 9.0.5.12 with interim fix PH50316 (z/OS PTF UI80986 (prior APAR)) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.54.
Fix release date: 15 March 2022
Last modified: 15 March 2022
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PH44633 / UI7961.

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH42862 | Multiple vulnerabilities in IBM HTTP Server (CVE-2021-44790 CVSS 9.8 and more) |
| ✓ | PH43122 | Multiple vulnerabilities in IBM HTTP Server (CVE-2022-23852 CVSS 9.8 and more) |
| | PH41074 | logresolve.exe doesn't work on Windows |
| | PH41075 | Add option to terminate all child processes if the parent process crashes (z/OS only) |
| | PH41413 | Recover from a stale pidfile (z/OS only) |
| | PH41945 | Potential hang with nonzero MaxRequestsPerChild |
| | PH42030 | Potential crash in the sidDelete function |
| | PH42072 | Potential crash during LDAP authentication in set_parent_child_pointers |
| | PH44045 | Windows archive postinstall.bat fails to copy GSkit to plug-in directory on upgrade |

Notes:
- IBM HTTP Server 9.0.5.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.
- IBM HTTP Server with interim fix PH44829 (z/OS PTF: UI79752) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.53.
- Installing 9.0.5.11 on top of 9.0.5.10 with recent recommended interim fixes may warn about several fixes (APARS) being uninstalled. Details available here: https://www.ibm.com/support/pages/node/6562241
Download Fix Pack 9.0.5.10

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH40343 | Multiple vulnerabilities in IBM HTTP Server (CVE-2021-40438, CVE-2021-34798, CVE-2021-39275) https://www.ibm.com/support/pages/node/6493841 |
| | PH39660 | IHS may crash at startup in the sigaction() system call |
| | PH39916 | Omit plug-in keystore from IHS SMPE installations |
| | PH39992 | TLSv13 connections may fail with SSL0209E errors reported in the log on z/Linux |
| | PH40554 | SMPJHOME serviceability update to error messages |
| | PH40691 | Shrink window for mod_unique_id duplicates |
| | PH40725 | Avoid possible crashes when graceful restarts are requested rapidly / during startup. |
| | PH40832 | Upgrade GSKit to 8.0.55.25 |
| | PH41432 | Windows IHS archives: Fix plug-in path generated by postinst.bat |

Note:
- IBM HTTP Server 9.0.5.10 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.51.
- IBM HTTP Server 9.0.5.10 with interim fix PH42862 (PTF UI78904) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.
Fix release date: 10 September 2021
Last modified: 10 September 2021
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PH40044 / UI7696.

| Security APAR | APAR | Description |
|---|---|---|
| | PH38515 | ErrorDocuments that specify literal strings are not translated correctly (z/OS only). |
| | PH38112 | Conditionally reduce severity of SSL0405E message for sockets that are already in lingering close. |
| | PH37899 | If mod_backtrace is not loaded, dump a backtrace during whatkilledus report (Linux only). |
| | PH36870 | Disable the TLS protocols TLSv10 and TLSv11 by default. Remove TLSv1.3 CCM ciphers from defaults. |

Note:
- IBM HTTP Server 9.0.5.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.48.
- IBM HTTP Server 9.0.5.9 with interim fix PH42862 (PTF UI78904) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.
Fix release date: 18 June 2021
Last modified: 18 June 2021
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PH37767 / UI7584.

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH35771 | Multiple vulnerabilities in IBM HTTP Server (CVE-2020-13938, CVE-2021-30641) https://www.ibm.com/support/pages/node/6463587 |
| | PH35915 | Upgrade bundled GSKit security library to 8.0.55.21 |
| | PH35107 | Possible crash with StrictHostCheck |
| | PH36939 | z/OS module updates |
| | PH34420 | Server fails to start when SSLCipherSpec 30 is set in httpd.conf |
| | PH34246 | ErrorLogFormat may not be used by some startup messages |
| | PH33679 | SSLClientAuth doesn't work with 'noverify' and 'crl' together. |

Note: IBM HTTP Server 9.0.5.8 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.48.
Fix release date: 26 March 2021
Last modified: 26 March 2021
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PH35153 / UI7446.

| Security APAR | APAR | Description |
|---|---|---|
| | PH29569 | Support 'CertificateUsername' without authentication |
| | PH30270 | Allow SSL IOVEC merging to be disabled |
| | PH30598 | Support '-RSA' pseudo-cipher in SSLCipherSpec to remove ciphers with RSA key exchange |
| | PH30795 | Delays with large PKCS11 keystores (GSKit upgrade to 8.0.55.19) |
| | PH30841 | Provide a flag to disable TLS close_notify alert on Apache socket close |
| | PH30854 | Rewrite backreference escaping needs flexibility |
| | PH31169 | Adjust SSL0200E with GSK_ERROR_PROTOCOL_MISMATCH |
| | PH31409 | Can't set SSLV3TIMEOUT with TLS13 |
| | PH32229 | Provide automatic graceful termination of processes reporting SSL0209E/SSL0212E/SSL0203E |

Note: IBM HTTP Server 9.0.5.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.46.
Fix release date: 27 November 2020
Last modified: 27 November 2020
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PH31572 / UI7261.

| Security APAR | APAR | Description |
|---|---|---|
| | PH27406 | Software license swidtag files are not included in the IHS archive installs |
| | PH27739 | SSL0401E during 'apachectl stop' |
| | PH28073 | IBM HTTP Server on Windows crashes at startup with rare LoadModule value |
| | PH28389 | install_ihs fails when ls alias is used |
| | PH29026 | setupadmn fails if existing target user is not specified in /etc/passwd |
| | PH30541 | 9.0 install_ihs/install_plug-in error with WAS 855 |
| | PH30660 | Install Visual C++ Redistributable 2013 needed by IHS on Windows |

Note: IBM HTTP Server 9.0.5.6 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.46.
Fix release date: 04 September 2020
Last modified: 04 September 2020
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PH28542 / UI7123.

| Security APAR | APAR | Description |
|---|---|---|
| | PH24262 | postinst reports wrong port number |
| | PH24265 | Allow mpmstats to write to zOS system log |
| | PH24402 | Post Installer for IHS archive should fail if postinst fails |
| | PH24557 | Default cipher specs used with SSLCipherSpec ALL -CIPHER_SPEC |
| | PH26048 | Add additional information to AH01220 for CGI script timeout |

Note: IBM HTTP Server 9.0.5.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.46.
Fix release date: 12 June 2020
Last modified: 12 June 2020
Status: Superseded
9.0.5.4 is delivered for z/OS with APAR/PTF: PH25610 / UI6982.

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH21992 | Multiple vulnerabilities in IBM HTTP Server (CVE-2020-1927, CVE-2020-1934) https://www.ibm.com/support/pages/node/6191631 |
| | PH20989 | Expose SAN fields in client certificates |
| | PH21717 | Relax hostname validation in IBM HTTP Server |
| | PH21804 | SSL0212E with TLS1.3 when SSLV3Timeout expires |
| | PH22727 | Keepalive connections may be closed up to 100ms early |
| | PH23344 | Error during script to apply a IHS PTF doesn't cause the PTF apply to fail |
| | PH23397 | SSLClientAuthVerify OFF improvement for expired certificates |
| | PH23551 | CGI error handling improvement |
| | PH23596 | bin/rotatelogs not shipped with program control |
| | PH23893 | Add 64-bit IHS for Windows to IIM |
| | PH24493 | SSL0209E with IHS 9.0.5.2 and later (GSKit upgrade to 8.0.55.15) |

Note: IBM HTTP Server 9.0.5.4 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.43.
Fix release date: 20 March 2020
Last modified: 20 March 2020
Status: Superseded
9.0.5.3 is delivered for z/OS with APAR/PTF: PH23038 / UI6832.

| Security APAR | APAR | Description |
|---|---|---|
| | PH19074 | Provide extended diagnostics for SSL0279E errors |
| | PH20613 | SSL0232W with SSLFIPSEnable |
| | PH20970 | Improve Request header modification flexibility |

Note: IBM HTTP Server 9.0.5.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.41.
Fix release date: 13 December 2019
Last modified: 13 December 2019
Status: Superseded
9.0.5.2 is delivered for z/OS with APAR/PTF: PH19272 / UI6665.

| Security APAR | APAR | Description |
|---|---|---|
| | PH13105 | Upgrade bundled GSKit security library |
| | PH17056 | Request for dataset with encoded characters returns 404 when using SAFRunAsEarly (z/OS only) |
| | PH17128 | Add TLS 1.3 support for IBM HTTP Server and the WebSphere Application Server WebServer plug-in |
| | PH17652 | Truncated responses that fail with GSK_INVALID_BUFFER_SIZE in IBM HTTP Server |
| | PH18102 | Improve multi-certificate support in IBM HTTP Server 9.0 |

Note: IBM HTTP Server 9.0.5.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.41.
Fix release date: 20 September 2019
Last modified: 20 September 2019
Status: Superseded
9.0.5.1 is delivered for z/OS with APAR/PTF: PH16280 / UI6533.

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH14974 | Multiple vulnerabilities in IBM HTTP Server (CVE-2018-20843, CVE-2019-10092, CVE-2019-10098) https://www.ibm.com/support/pages/node/964768 |
| | PH10089 | install-ihs -group should make more directories group writeable (z/OS only) |
| | PH10103 | Enable RLimitCPU on z/OS. (z/OS only) |
| | PH10382 | Enable TLSV1.2 under SSLFIPSEnable |
| | PH12421 | AuthLDAPURL not allowing specification of RACFID unless user has RACF search permission (z/OS only) |
| | PH13615 | IBM HTTP Server 9.0 should allow relative URL in redirects. |

Note: IBM HTTP Server 9.0.5.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.41.
Fix release date: 28 June 2019
Last modified: 28 June 2019
Status: Superseded
9.0.5.0 is delivered for z/OS with APAR/PTF: PH13435 / UI6383.

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH09869 | Multiple vulnerabilities in IBM HTTP Server (CVE-2019-0211, CVE-2019-0220) https://www-01.ibm.com/support/docview.wss?uid=ibm10880413 |
| | PH07089 | Suppress parsing of $-prefixed variables in SSI (embeds). (z/OS only) |
| | PH07275 | Unable to change service description of an 'IBM HTTP Server' service on Windows |
| | PH08035 | Improve IHS logs on z/OS to show installation details. (z/OS only) |
| | PH09519 | Allow MVSDS to only use the last qualifier of a dataset name for mime extension checking. (z/OS only) |
| | PH12690 | Add the mod_request module for z/OS. (z/OS only) |

Note: IBM HTTP Server 9.0.5.0 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.39.
Fix release date: 05 April 2019
Last modified: 05 April 2019
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PH10037 / UI6211.

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PH06010 | Security vulnerability in the IBM HTTP Server (CVE-2018-17199) (Distributed only) http://www-01.ibm.com/support/docview.wss?uid=ibm10869064 |
| | PH02406 | Need simpler way to reject unknown hostnames |
| | PH02448 | Improve mod_status output for event MPM |
| | PH03059 | ABENDEC6 RC FF0F seen at server startup using rotatelogs (z/OS only) |
| | PH03953 | 'Server reached MaxRequestWorkers' message is issued while idle threads are available |
| | PH05560 | Using multiple environment variables in a directive doesn't work |
| | PH05575 | Postinst logs unexpected message when failed to find an FQDN |
| | PH05852 | Allow headers to be unset using regex |

Note: IBM HTTP Server 9.0.0.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.38.
Fix release date: 14 December 2018
Last modified: 14 December 2018
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PH06005 / UI60127

| Security APAR | APAR | Description |
|---|---|---|
| | PH01222 | Timeout setting for OCSP on IBM HTTP Server |
| | PH01302 | Accept SHA2 cert chains in LDAP connections |

Note: IBM HTTP Server 9.0.0.10 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.37.
Fix release date: 21 September 2018
Last modified: 21 September 2018
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PH02525 / UI5847.

| Security APAR | APAR | Description |
|---|---|---|
| | PI95964 | Add mod_cgi directive to allow users to configure timeouts for CGI applications |
| | PI96156 | SSL fails with multiple addresses in single VirtualHost |
| | PI96321 | Update embedded LDAP SDK to 6.4.x |
| | PI96949 | The file time stamp format of IHS 9.0 is different from IHS 8.5 |
| | PI96955 | Allow mod_substitute for proxied responses |
| | PI97314 | Add mod_backtrace for Windows |
| | PI98116 | PDB files are not shipped for plug-in and odrlib in the Windows archive installer. |
| | PI98146 | Only create rewrite map lock if RewriteMaps are used. |
| | PI98147 | Print unparsed URI in the 'URI incorrectly encoded' error message |
| | PI98705 | HTML-encoded SSI variable double-encoded when moving to IHS 9.0 |
| | PI99032 | SSL alerts not showing in log messages |
| | PI99262 | Reduce memory used by persistent connections |
| | PI99271 | AuthzProviderAlias ignoring all Require-Parameters except first one. |
| | PI99394 | IBM HTTP Server startup messages not switching to Errorlog (z/OS only) |
| | PI99567 | HTTPProtocolOptions improvements |
| | PI99680 | rotatelogs description should include option -n |
| | PI99685 | HTTPProtocolOptions=unsafe should allow a space in a header |
| | PH00889 | LeaveWorkUnit errors with mod_wlm (z/OS only) |

Note: IBM HTTP Server 9.0.0.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.34.
Fix release date: 29 June 2018
Last modified: 29 June 2018
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PI99702 / UI5692.

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PI94222 | Multiple vulnerabilities in GSKit bundled with IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22015347 |
| ✓ | PI95670 | Multiple vulnerabilities in IBM HTTP Server (CVE-2017-15710, CVE-2017-15715, CVE-2018-1301) http://www-01.ibm.com/support/docview.wss?uid=swg22015344 |
| | PI91850 | MVSDS does not list member contents when using relative generation number to create a member list with PDS/PDSE GDG (z/OS only) |
| | PI91975 | The 'Header unset Content-Type' directive does not unset the Content-Type response header. |
| | PI92017 | Include CGI program name when writing stderr to the error log when using mod_cgi |
| | PI92053 | Let child processes avoid graceful shutdown if ECONNREFUSED, ECONNABORTED, ECONNRESET occur during client accept(). |
| | PI92092 | FSUM6245 seen when upgrading IHS to a new fix pack and using an intermediate symbolic link (z/OS only) |
| | PI92407 | Log startup message for low 64-bit MEMLIMIT |
| | PI93212 | Throttle SSL0600E error messages |
| | PI94050 | High CPU/Hang with IHS mod_auth_basic LDAP |
| | PI94539 | mod_proxy_http does not allow headers larger than 8K bytes. |
| | PI95610 | Namespace collision when mod_ibm_ssl.so is loaded alongside libodr.so. |

Note: IBM HTTP Server 9.0.0.8 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.33.
Fix release date: 16 March 2018
Last modified: 16 March 2018
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PI94851 / UI5433.

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PI90598 | CVE-2017-12613 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22013598 |
| | PI90688 | gskcapicmd on Linux not working in IHS V9 |
| | PI90811 | rotatelogs fails with relative paths in IBM HTTP Server V9 |
| | PI91038 | When client and IHS don't support the same SSL/TLS version, IHS logged incorrect message in error log |
| | PI91075 | Add environment variable to record "SSLVersion" failure |
| | PI91351 | Add toleration for TLS certificate extension InhibitAnyPolicy marked as non-critical |
| | PI91720 | HTTPS download of IHS archive install from Fix Central results in uncompressed file with misleading name |

Note: IBM HTTP Server 9.0.0.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.29.
Fix release date: 21 December 2017
Last modified: 21 December 2017
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PI91366 / UI5273.

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PI87445 | CVE-2017-9798 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
| ✓ | PI87663 | CVE-2017-12618 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782 |
| | PI84868 | Disable the 3DES cipher by default in IBM HTTP Server. |
| | PI85561 | SSL Fallback Protection related errors with SSLProxyEngine ON |
| | PI85702 | SAFRunAs %%CERTIF%% asks for basic auth credentials |
| | PI85804 | Improve password failure error messages in authnz_saf |
| | PI87046 | Microsoft Windows large address support was not ported in IBM HTTP Server 9.0.0.4 |
| | PI88232 | Allow the server to handle requests with obsolete folds containing only spaces and/or tabs after PI73984. |
| | PI88356 | Default ciphers with SSLFIPSEnable are System SSL defaults instead of IHS defaults. |
| | PI88553 | Print an error message that includes the errno and errno2 values if fail to find a specified saf-group. |
| | PI90141 | IBM HTTP Server may hang at startup on z/Linux running on z14 hardware - upgrade GSKit to 8.0.50.84 |
| | PI90834 | abendoc4 in apr_pstrcat using saf-change-pw handler |

Note: IBM HTTP Server 9.0.0.6 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.29.
Fix release date: 17 October 2017
Last modified: 13 October 2017
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PI87801 / UI50746.

| Security APAR | APAR | Description |
|---|---|---|
| ✓ | PI82260 | CVE-2017-3167 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280 |
| ✓ | PI82263 | CVE-2017-7668 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280 |
| ✓ | PI82481 | CVE-2017-7679 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280 |
| | PI80356 | Upgrade bundled GSKit security library (Distributed only) |
| | PI81360 | Allow SSL_/TLS_ prefixes to be used interchangeably for cipher long names |
| | PI81602 | Issues with updating SAF password when using Firefox or Chrome (z/OS only) |
| | PI82760 | Unable to launch ikeyman on the IBM HTTP Server side. |
| | PI82834 | Add a simple PCT alternative for IBM HTTP Server with Liberty. |
| | PI83167 | Support for binary-only install via IHS_SKIP_POSTINST environment variable. |
| | PI83257 | Reduce memory usage from long mod_rewrite configurations. |
| | PI83350 | Add jobname and job id to SMF 103 records for IBM HTTP Server (z/OS only) |

Note: IBM HTTP Server 9.0.0.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.27.
Fix release date: 13 June 2017
Last modified: 13 June 2017
Status: Superseded
This fix pack is delivered for z/OS with APAR/PTF: PI82358 / UI47689.

| Security APAR | APAR | Description |
|---|---|---|
| | PI73043 | Upgrade bundled GSKit security library (Distributed only) |
| | PI74780 | Allow IBM HTTP Server 9.0 on AIX 6.1 |
| | PI75835 | ABEND0C4 in IBM HTTP Server 9.0 using -v option with rotatelogs (z/OS only) |
| | PI76757 | Allow SSL handshake transcripts to be enabled or disabled |
| | PI76874 | Further enhancements to PI50937 high cpu avoidance |
| | PI76918 | 'Permission denied' errors after maintenance upgrade of IBM HTTP Server on z/OS (z/OS only) |
| | PI77337 | IHS LDAP connection with SSL not working |
| | PI77697 | IBM HTTP Server 9.0 install not creating service correctly on Microsoft Windows |
| | PI78442 | Some sequences of server-side includes mixing '#include virtual=' and '#include file=' result in a HTTP 400 error. |
| | PI78696 | SSL handshake failure between IHS/Proxy to backend IHS/Plug-in |
| | PI78716 | File is not translated using MVSDS if content-encoding is used with IBM HTTP Server 9.0 (z/OS only) |
| | PI78967 | Allow CEEDUMPS to be requested with kill -USR2 (z/OS only) |
| | PI80106 | 500 Internal error with 'AH01328: Line too long' (z/OS only) |
| | PI80187 | Redirect functionality not working as expected for MVSDS requests (z/OS only) |
| | PI80447 | Disable MMAP for static files by default on z/OS (z/OS only) |

Note: IBM HTTP Server 9.0.0.4 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.25.
| Fix release date: 14 March 2017 Last modified: 14 March 2017 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PI77285 / UI45080. | |
Security APAR | APAR | Description |
| ✓ | PI73984 | CVE-2016-8743 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21996847 |
| PI70372 | mod_mvsds serves a plain text file as an html page if it contains any string starting with a '<' and ending with a '>'. | |
| PI70496 | Startup failures when 'SSLEnable' is specified globally instead of within a VirtualHost. | |
| PI70825 | Simplify mod_ibm_ssl trace enabling in IBM HTTP Server 9.0 | |
| PI70829 | Provide additional message information for IBM HTTP Server TLS handshakes | |
| PI71340 | Update ikeyman/gskcmd wrappers for IBM HTTP Server 8.5.5 and 9.0 with embedded Java 8. | |
| PI72989 | Hangs related to mod_backtrace and mod_whatkilledus during a crash. | |
| PI73027 | Crash with combination of mod_net_trace loaded and 'EnableSendfile ON' in httpd.conf. | |
| PI73165 | High cpu encountered when directive EnableSendfile is set to On | |
| PI73661 | Session ID Daemon (sidd) memory leak | |
| PI73819 | Allow an extended syntax for the SSLCipherSpec directive on z/OS | |
| PI73951 | mod_zos_cmds incorrectly reports the number of lingering close connections as zero. | |
| PI74200 | Connection resets under heavy load when connecting to IHS on z/OS. |
Note: IBM HTTP Server 9.0.0.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.25.
| Fix release date: 13 December 2016; Last modified: 13 December 2016; Status: Superseded. This fix pack is delivered for z/OS with APAR/PTF: PI72454 / UI42701. | |
Security APAR | APAR | Description |
| ✓ | PI66849 | CVE-2012-0876, CVE-2012-1148, CVE-2016-4472 expat vulnerability fixes for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026 |
| PI66468 | bin\ikeyman.bat and bin\gskcmd.bat don't work when IHS install path contains spaces | |
| PI66787 | Session cache daemon (sidd) memory leak | |
| PI66931 | Upgrade bundled GSKit security library to resolve TLS > 1.2 negotiation intolerance. | |
| PI67595 | AuthSAFExpiration and AuthSAFReenter do not work when using a 401 errordocument (z/OS only) | |
| PI68001 | Add ability for the MVS stop command to do a graceful shutdown of the server (z/OS only) | |
| PI68803 | IHS on z/OS CPU usage increases in release 8.5.5.5 or beyond (z/OS only) | |
| PI69081 | gskver, ikeyman, gskcapicmd, and gskcmd scripts do not work in IBM HTTP Server 9.0.0.1 | |
| PI69182 | IBM HTTP Server 9.0 SSL cipher defaults may be displayed incorrectly on z/OS (z/OS only) | |
| PI69979 | Accept non strictly-conforming X509 certificates in IBM HTTP Server 9.0 | |
| PI70022 | Allow IBM HTTP Server on Linux to automatically raise ulimit -n to accommodate larger ThreadsPerChild |
Note: IBM HTTP Server 9.0.0.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.23.
| Fix release date: 16 September 2016; Last modified: 16 September 2016; Status: Superseded. This fix pack is delivered for z/OS with APAR/PTF: PI68703 / UI40714. | |
Security APAR | APAR | Description |
| ✓ | PI63098 | CVE-2016-0718 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026 |
| ✓ | PI65855 | CVE-2016-5387 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988019 |
| PI60251 | mod_mvsds writes content as binary instead of text/plain (z/OS only) | |
| PI60784 | IBM HTTP Server directives SSLCipherBan and SSLCipherRequire may crash when GSKit tracing is enabled | |
| PI62663 | Some Server Side Includes (SSI) may not be translated as expected (z/OS only) | |
| PI63482 | Add a private header with password change information for 401 response. | |
| PI63682 | IHS mod_status displays many 'NULL' strings in request column | |
| PI64346 | SetEnvIf may be skipped with SAF auth enabled (z/OS only) | |
| PI64628 | IBM HTTP Server on z/OS is deleting the wrong message queue (z/OS only) | |
| PI66153 | XML datasets with no XML extension cause error under mod_mvsds (z/OS only) | |
| PI66183 | When MFA is configured, SAFRunAs fails with a permission error (z/OS only) |
Note: IBM HTTP Server 9.0.0.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.23.
| Fix release date: 24 June 2016; Last modified: 24 June 2016; Status: Superseded. This release was delivered for z/OS as an IM (Installation Manager) installed version only. For SMPE install, these contents were not available until 9.0.0.1. | |
Security APAR | APAR | Description |
| PI53754 | Using MVSDS to retrieve a GDG(0) always returns the same file, even after a new generation is created (z/OS only) | |
| PI56034 | No equivalent functionality for DGW AlwaysWelcome directive in IHS on z/OS (z/OS only) | |
| PI56576 | Incorrect image path in .css file causes image to not display | |
| PI57543 | Allow one address space per rotatelogs process to be conserved. (z/OS only) | |
| PI57596 | CRIHS0001I may contain garbage information or not pick up HTTPS port (z/OS only) | |
| PI58218 | IBM HTTP Server mod_cache fixes | |
| PI59561 | Add pre/post password hooks to mod_authnz_saf | |
| PI60207 | Upgrade bundled GSKit security library to 8.0.50.61 |
Note: IBM HTTP Server 9.0.0.0 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.20.
| Fix release date: 02 March 2016; Last modified: 02 March 2016; Status: Superseded. This release was not delivered for distributed platforms or with WebSphere Application Server. It was delivered for z/OS only via APAR/PTF: PI56777 / UI35362. | |
Security APAR | APAR | Description |
| PI48857 | Some headers are removed when caching is enabled | |
| PI50376 | DGW compatibility for DOCUMENT_* CGI variables. (z/OS only) | |
| PI50397 | No error log entries for 'SAFRunAs %%CERTIF_REQ%%' failures. (z/OS only) | |
| PI50514 | SSL session ID cache daemon (SIDD) creates unnecessary entries | |
| PI51185 | Enhancements allowing use of SAFRunAsEarly for certificate switching (z/OS only) | |
| PI52301 | Reduce reads to /dev/random causing CSFSERV CSFRNG access (z/OS only) | |
| PI54808 | RewriteRule sees un-decoded characters in URL when mod_authnz_saf loaded (z/OS only) |
Document Information
Modified date: 15 December 2025
UID: swg27048481