Fix list for IBM HTTP Server Version 9.0

Product Documentation

Abstract

IBM HTTP Server provides periodic fixes for release 9.0. The following is a listing of recent fix packs, with the most recent at the top.

Content

	Back to all versions

IBM HTTP Server 9.0.5.24
Download Fix Pack 9.0.5.24 Fix release date: 17 June 2025 Last modified: 17 June 2025 Status: Recommended This fix pack is delivered for z/OS with APAR/PTF: PH66876 / UO03539.	Back to Top

Security APAR	APAR	Description
	PH64800	Add the `ihs-force-https` option to force HTTPS when TLS is offloaded in front of IBM HTTP Server.
	PH65827	Remove support for the obscure `DUPNAMES` option in the embedded PCRE.
	PH65829	Ensure embedded expat library is always used with an entity handler.

Notes:

IBM HTTP Server 9.0.5.24 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.63.

IBM HTTP Server 9.0.5.23
Download Fix Pack 9.0.5.23 Fix release date: 25 March 2025 Last modified: 25 March 2025 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH65617 / UO02425.	Back to Top

Security APAR	APAR	Description
	PH64037	Backport fixes from expat-2.6.4.
	PH64942	GSKit 8.0.60.x toleration and non-libcurl CRL/OCSP client.

Notes:

IBM HTTP Server 9.0.5.23 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.63.

IBM HTTP Server 9.0.5.22
Download Fix Pack 9.0.5.22 Fix release date: 3 December 2024 Last modified: 3 December 2024 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH64123 / UI99035	Back to Top

Security APAR	APAR	Description
	PH62717	Restrict read permissions on files used to establish SysV shared memory
	PH62889	Instrument more Apache hooks with %{RH}e
	PH63077	Port fixes from libexpat 2.6.3
	PH63338	Add DeflateMinLength directive to specify a minimum response length to compress.
	PH63406	Under rare/unknown conditions, IHS may continually create threads in child process

Notes:

IBM HTTP Server 9.0.5.22 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.62.

IBM HTTP Server 9.0.5.21
Download Fix Pack 9.0.5.21 Fix release date: 10 September 2024 Last modified: 10 September 2024 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH62977 / UI98223.	Back to Top

Security APAR	APAR	Description
✓	PH61893	IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-38476 and more)
✓	PH62263	IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server (CVE-2024-40725, CVE-2024-40898)
	PH61590	Trigger operator console or `CEEDUMP` for children that are slow to exit during shutdown
	PH61821	Add SAN `DNSName` to `bin/quickssl.{sh,bat}` in archive installs

Notes:

IBM HTTP Server 9.0.5.21 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.62.

IBM HTTP Server 9.0.5.20
Download Fix Pack 9.0.5.20 Fix release date: 18 June 2024 Last modified: 18 June 2024 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH61744/UI97237	Back to Top

Security APAR	APAR	Description
✓	PH60619	IBM HTTP Server is vulnerable to HTTP response splitting due to the included Apache HTTP Server (CVE-2024-24795 CVSS 6.5, CVE-2023-38709 CVSS 6.5)
	PH60185	Improve management of gracefully exiting processes on event MPM
	PH60306	Avoid crash during graceful exit after thread creation errors
	PH60402	update libexpat for issues found in 2.6.0
	PH60645	SSL handshake timeout logged generically as "SSL0212E: SSL Handshake Failed, Internal unknown error"
	PH60777	Add logging and timeouts related to communication between mod_ibm_ssl and sidd
	PH60863	mod_mpmstats: Potential crash on Windows at shutdown or MaxRequestsPerChild

Notes:

IBM HTTP Server 9.0.5.20 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.59.
IBM HTTP Server 9.0.5.20 with IFPH62263 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.62.

IBM HTTP Server 9.0.5.19
Download Fix Pack 9.0.5.19 Fix release date: 26 March 2024 Last modified: 26 March 2024 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH60335/UI96099.	Back to Top

Security APAR	APAR	Description
✓	PH59697	IBM HTTP Server is vulnerable to information disclosure due to the included `libexpat` (CVE-2023-52425).
	PH57408	Log consecutive failing `accept()` calls and give the option to gracefully exit (z/OS only).
	PH59012	Fix possible crashes at the end of `apachectl -t`.
	PH59165	Enable `HEAPPOOLS64` on new instances by default.

Notes:

IBM HTTP Server 9.0.5.19 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.
IBM HTTP Server 9.0.5.19+IFPH60619 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.59.

IBM HTTP Server 9.0.5.18
Download Fix Pack 9.0.5.18 Fix release date: 12 December 2023 Last modified: 12 December 2023 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH58450/UI94663.	Back to Top

Security APAR	APAR	Description
✓	PH57715	IBM HTTP Server is vulnerable to information disclosure due to the included Apache HTTP Server (CVE-2023-31122)
	PH55900	Upgrade LDAP SDK and add support for TLS13
	PH56093	IHS child processes crash leaks 1 message queue
	PH56097	mod_mpmstats AlwaysReport directive overrides ReportInterval
	PH56308	Default ExtendedStatus to ON
	PH56340	Extended reporting of some startup errors
	PH56383	Connection not closed as expected after first response of HTTP request smuggling test

Notes:

IBM HTTP Server 9.0.5.18 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.

IBM HTTP Server 9.0.5.17
Download Fix Pack 9.0.5.17 Fix release date: 19 September 2023 Last modified: 19 September 2023 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH56831 / UI93529 (superseded by UI94040)	Back to Top

Security APAR	APAR	Description
	PH54894	Add `SSLOCSPCacheSize` directive to enable and control the the OCSP cache size.
	PH55434	Improve ICSF detection on zOS for new instances.
	PH55613	Tolerate missing files that are edited post installation, primarily for interim fix installations.

Notes:

IBM HTTP Server 9.0.5.17 with interim fix PH57715 (z/OS PTF UI94155) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.58.

IBM HTTP Server 9.0.5.16
Download Fix Pack 9.0.5.16 Fix release date: 28 June 2023 Last modified: 28 June 2023 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH55173 / UI92324.	Back to Top

Security APAR	APAR	Description
✓	PH52546	IBM HTTP Server is vulnerable to information disclosure due to IBM GSKit (CVE-2023-32342 CVSS 7.5)
✓	PH53014	IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690 CVSS 6.1)
	PH44893	Update GSKit to 8.0.55.31 for new RNG.
	PH51678	Add `SSLSupportedCurves` directive to allow customization of the curves offered during ECDHE key exchange. On z/OS, `secp192r1` and `secp224r1` are no longer enabled by default for ECDHE key exchange over TLSv1.2.
	PH52642	Improve the error log message for invalid HTTP header name or value by identifying the first bad character.
	PH52860	Possible high CPU when at or near `MaxClients`.
	PH53848	Add `%{tzoff}t` alternative to `%{%z}t` on Windows.
	PH54015	Fix regression in PH53014 interim fixes for `RewriteRule` with trailing question mark.

Notes:

IBM HTTP Server 9.0.5.16 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.57.

IBM HTTP Server 9.0.5.15
Download Fix Pack 9.0.5.15 Fix release date: 04 April 2023 Last modified: 04 April 2023 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH53479 / UI91167.	Back to Top

Security APAR	APAR	Description
✓	PH50316	Update bundled `expat` for CVE-2022-43680, CVE-2017-9233, and CVE-2013-0340.
✓	PH51982	Multiple vulnerabilities in IBM HTTP Server (CVE-2022-25147, CVE-2022-28331, CVE-2022-37436, CVE-2006-20001).
	PH51473	Remove RSA key exchange ciphers from defaults.
	PH51709	Add `SSLMinimumRSAKeySize` directive to reject client certificates with RSA key sizes smaller than the minimum specified.

Notes:

IBM HTTP Server 9.0.5.15 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56
- The latest IHS Archive interim fix is packaged with PH48747 https://www.ibm.com/support/pages/node/6987541

IBM HTTP Server 9.0.5.14
Download Fix Pack 9.0.5.14 Fix release date: 22 November 2022 Last modified: 22 November 2022 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH50710 / UI83294.	Back to Top

Security APAR	APAR	Description
✓	PH49572	Update bundled expat for CVE-2022-40674.
	PH47518	Report the average response time of active requests in the WAS plug-in along with WAS plug-in specific request states: TPCN, TPSB, TPWR, TPRB.
	PH47941	Providing a second certificate label to SSLServerCert doesn't work unless SNI is enabled.
	PH48168	mod_authnz_saf rejects password with a single slash.
	PH48206	Add the KeepAliveTimeoutSend408 directive to allow the server to respond with an HTTP 408 response instead of closing KeepAlive connections.
	PH48807	SSL_SERVER_* variables may not be accurate with SNI or multiple certificates per virtual host.
	PH49311	Upgrade GSKit to 8.0.55.29.

Notes:

IBM HTTP Server 9.0.5.14 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56

IBM HTTP Server 9.0.5.13
Download Fix Pack 9.0.5.13 Fix release date: 30 August 2022 Last modified: 30 August 2022 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH48724 / UI82026.	Back to Top

Security APAR	APAR	Description
✓	PH46897	Multiple vulnerabilities in IBM HTTP Server (CVE-2022-28615, CVE-2022-29404, CVE-2022-30556, CVE-2022-31813, CVE-2022-28614).
	PH46094	Add `TrackeHooksOption notice` to log slow requests at `NOTICE` level instead of `INFO`.
	PH47286	When logging `%h` as used in the default log formats, respect changes made by `mod_remoteip` processing.
	PH47348	Add `KeepAliveTimeoutDelay` to help avoid keepalive races.

Notes:

IBM HTTP Server 9.0.5.13 with interim fix PH53014 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.56

IBM HTTP Server 9.0.5.12
Download Fix Pack 9.0.5.12 Fix release date: 07 June 2022 Last modified: 07 June 2022 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH46717 / UI80829.	Back to Top

Security APAR	APAR	Description
✓	PH44271	Multiple vulnerabilities in IBM HTTP Server (CVE-2022-25313, CVE-2022-25315, CVE-2022-25235, CVE-2022-25236) https://www.ibm.com/support/pages/node/6538416
✓	PH44829	Multiple vulnerabilities in IBM HTTP Server (CVE-2022-22720, CVE-2022-22719, CVE-2022-22721) https://www.ibm.com/support/pages/node/6560814
	PH43696	With `SSLFIPSEnable` and `SSLProxyEngine` enabled, handshakes may fail with `GSK_ERROR_UNSUPPORTED`.
	PH43887	IHS may crash in function `ap_scan_http_field_content`
	PH44114	IHS may appear to hang if `MaxRequestsPerChild` is nonzero, because a replacement process will not be launched
	PH44330	IBM HTTP Server has unnecessary APF authorization on binary files
	PH44393	IHS can crash in function `ap_scan_http_field_content` when processing special characters in URLs or headers

Notes:

IBM HTTP Server 9.0.5.12 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.53.
IBM HTTP Server 9.0.5.12 with interim fix PH50316 (z/OS PTF UI80986 (prior APAR)) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.54.

IBM HTTP Server 9.0.5.11
Download Fix Pack 9.0.5.11 Fix release date: 15 March 2022 Last modified: 15 March 2022 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH44633 / UI7961.	Back to Top

Security APAR	APAR	Description
✓	PH42862	Multiple vulnerabilities in IBM HTTP Server (CVE-2021-44790 CVSS 9.8 and more) https://www.ibm.com/support/pages/node/6538416
✓	PH43122	Multiple vulnerabilities in IBM HTTP Server (CVE-2022-23852 CVSS 9.8 and more) https://www.ibm.com/support/pages/node/6557294
	PH41074	`logresolve.exe` doesn't work on Windows
	PH41075	Add option to terminate all child processes if the parent process crashes (z/OS only)
	PH41413	Recover from a stale pidfile (z/OS only)
	PH41945	Potential hang with nonzero `MaxRequestsPerChild`
	PH42030	Potential crash in the `sidDelete` function
	PH42072	Potential crash during LDAP authentication in `set_parent_child_pointers`
	PH44045	Windows archive `postinstall.bat` fails to copy GSkit to plug-in directory on upgrade

Notes:

IBM HTTP Server 9.0.5.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.
IBM HTTP Server with interim fix PH44829 (z/OS PTF: UI79752) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.53.
Installing 9.0.5.11 on top of 9.0.5.10 with recent recommended interim fixes may warn about several fixes (APARS) being uninstalled. Details available here: https://www.ibm.com/support/pages/node/6562241

IBM HTTP Server 9.0.5.10
Download Fix Pack 9.0.5.10 Fix release date: 03 December 2021 Last modified: 03 December 2021 Status: Superseded This fix pack is delivered for z/OS with APAR/PTF: PH42261 / UI7829.	Back to Top

Security APAR	APAR	Description
✓	PH40343	Multiple vulnerabilities in IBM HTTP Server (CVE-2021-40438, CVE-2021-34798, CVE-2021-39275) https://www.ibm.com/support/pages/node/6493841 https://www.ibm.com/support/pages/node/6493845
	PH39660	IHS may crash at startup in the sigaction() system call
	PH39916	Omit plug-in keystore from IHS SMPE installations
	PH39992	TLSv13 connections may fail with SSL0209E errors reported in the log on z/Linux
	PH40554	SMPJHOME serviceability update to error messages
	PH40691	Shrink window for mod_unique_id duplicates
	PH40725	Avoid possible crashes when graceful restarts are requested rapidly / during startup.
	PH40832	Upgrade GSKit to 8.0.55.25
	PH41432	Windows IHS archive:s Fix plug-in path generated by postinst.bat

Note:

IBM HTTP Server 9.0.5.10 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.51.
IBM HTTP Server 9.0.5.10 with interim fix PH42862 (PTF UI78904) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.

Fix Pack 9 (9.0.5.9)
Fix release date: 10 September 2021 Last modified: 10 September 2021 Status: Superseded Download Fix Pack 9.0.5.9 This fix pack is delivered for z/OS with APAR/PTF: PH40044 / UI7696.	Back to Top

Security APAR	APAR	Description
	PH38515	ErrorDocuments that specify literal strings are not translated correctly (z/OS only).
	PH38112	Conditionally reduce severity of SSL0405E message for sockets that are already in lingering close.
	PH37899	If mod_backtrace is not loaded, dump a backtrace during whatkilledus report (Linux only).
	PH36870	Disable the TLS protocols TLSv10 and TLSv11 by default. Remove TLSv1.3 CCM ciphers from defaults.

Note:

IBM HTTP Server 9.0.5.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.48.
IBM HTTP Server 9.0.5.9 with interim fix PH42862 (PTF UI78904) contains all applicable security fixes in Apache HTTP Server versions up through 2.4.52.

Fix Pack 8 (9.0.5.8)
Fix release date: 18 June 2021 Last modified: 18 June 2021 Status: Superseded Download Fix Pack 9.0.5.8 This fix pack is delivered for z/OS with APAR/PTF: PH37767 / UI7584.	Back to Top

Security APAR	APAR	Description
✓	PH35771	Multiple vulnerabilities in IBM HTTP Server (CVE-2020-13938, CVE-2021-30641) https://www.ibm.com/support/pages/node/6463587
	PH35915	Upgrade bundled GSKit security library to 8.0.55.21
	PH35107	Possible crash with StrictHostCheck
	PH36939	z/OS module updates
	PH34420	Server fails to start when SSLCipherSpec 30 is set in httpd.conf
	PH34246	ErrorLogFormat may not be used by some startup messages
	PH33679	SSLCLientAuth doesn't work with 'noverify' and 'crl' together.

Note: IBM HTTP Server 9.0.5.8 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.48.

Fix Pack 7 (9.0.5.7)
Fix release date: 26 March 2021 Last modified: 26 March 2021 Status: Superseded Download Fix Pack 9.0.5.7 This fix pack is delivered for z/OS with APAR/PTF: PH35153 / UI7446.	Back to Top

Security APAR	APAR	Description
	PH29569	Support 'CertificateUsername' without authentication
	PH30270	Allow SSL IOVEC merging to be disabled
	PH30598	Support '-RSA' pseudo-cipher in SSLCipherSpec to remove ciphers with RSA key exchange
	PH30795	Delays with large PKCS11 keystores (GSKit upgrade to 8.0.55.19)
	PH30841	Provide a flag to disable TLS close_notify alert on Apache socket close
	PH30854	Rewrite backreference escaping needs flexibility
	PH31169	Adjust SSL0200E with GSK_ERROR_PROTOCOL_MISMATCH
	PH31409	Can't set SSLV3TIMEOUT with TLS13
	PH32229	Provide automatic graceful termination of processes reporting SSL0209E/SSL0212E/SSL0203E

Note: IBM HTTP Server 9.0.5.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.46.

Fix Pack 6 (9.0.5.6)
Fix release date: 27 November 2020 Last modified: 27 November 2020 Status: Superseded Download Fix Pack 9.0.5.6 This fix pack is delivered for z/OS with APAR/PTF: PH31572 / UI7261.	Back to Top

Security APAR	APAR	Description
	PH27406	Software license swidtag files are not included in the IHS archive installs
	PH27739	SSL0401E during 'apachectl stop'
	PH28073	IBM HTTP Server on Windows crashes at startup with rare LoadModule value
	PH28389	install_ihs fails when ls alias is used
	PH29026	setupadmn fails if existing target user is not specified in /etc/passwd
	PH30541	9.0 install_ihs/install_plug-in error with WAS 855
	PH30660	Install Visual C++ Redistributable 2013 needed by IHS on Windows

Note: IBM HTTP Server 9.0.5.6 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.46.

Fix Pack 5 (9.0.5.5)
Fix release date: 04 September 2020 Last modified: 04 September 2020 Status: Superseded Download Fix Pack 9.0.5.5 This fix pack is delivered for z/OS with APAR/PTF: PH28542 / UI7123.	Back to Top

Security APAR	APAR	Description
	PH24262	postinst reports wrong port number
	PH24265	Allow mpmstats to write to zOS system log
	PH24402	Post Installer for IHS archive should fail if postinst fails
	PH24557	Default cipher specs used with SSLCipherSpec ALL -CIPHER_SPEC
	PH26048	Add additional information to AH01220 for CGI script timeout

Note: IBM HTTP Server 9.0.5.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.46.

Fix Pack 4 (9.0.5.4)
Fix release date: 12 June 2020 Last modified: 12 June 2020 Status: Superseded Download Fix Pack 9.0.5.4 9.0.5.4 is delivered for z/OS with APAR/PTF: PH25610 / UI6982.	Back to Top

Security APAR	APAR	Description
✓	PH21992	Multiple vulnerabilities in IBM HTTP Server (CVE-2020-1927, CVE-2020-1934) https://www.ibm.com/support/pages/node/6191631
	PH20989	Expose SAN fields in client certificates
	PH21717	Relax hostname validation in IBM HTTP Server
	PH21804	SSL0212E with TLS1.3 when SSLV3Timeout expires
	PH22727	Keepalive connections may be closed up to 100ms early
	PH23344	Error during script to apply a IHS PTF doesn't cause the PTF apply to fail
	PH23397	SSLClientAuthVerify OFF improvement for expired certificates
	PH23551	CGI error handling improvement
	PH23596	bin/rotatelogs not shipped with program control
	PH23893	Add 64-bit IHS for Windows to IIM
	PH24493	SSL0209E with IHS 9.0.5.2 and later (GSKit upgrade to 8.0.55.15)

Note: IBM HTTP Server 9.0.5.4 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.43.

Fix Pack 3 (9.0.5.3)
Fix release date: 20 March 2020 Last modified: 20 March 2020 Status: Superseded Download Fix Pack 9.0.5.3 9.0.5.3 is delivered for z/OS with APAR/PTF: PH23038 / UI6832.	Back to Top

Security APAR	APAR	Description
	PH19074	Provide extended diagnostics for SSL0279E errors
	PH20613	SSL0232W with SSLFIPSEnable
	PH20970	Improve Request header modification flexibility

Note: IBM HTTP Server 9.0.5.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.41.

Fix Pack 2 (9.0.5.2)
Fix release date: 13 December 2019 Last modified: 13 December 2019 Status: Superseded Download Fix Pack 9.0.5.2 9.0.5.2 is delivered for z/OS with APAR/PTF: PH19272 / UI6665.	Back to Top

Security APAR	APAR	Description
	PH13105	Upgrade bundled GSKit security library
	PH17056	Request for dataset with encoded characters returns 404 when using SAFRunAsEarly (z/OS only)
	PH17128	Add TLS 1.3 support for IBM HTTP Server and the WebSphere Application Server WebServer plug-in
	PH17652	Truncated responses that fail with GSK_INVALID_BUFFER_SIZE in IBM HTTP Server
	PH18102	Improve multi-certificate support in IBM HTTP Server 9.0

Note: IBM HTTP Server 9.0.5.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.41.

Fix Pack 1 (9.0.5.1)
Fix release date: 20 September 2019 Last modified: 20 September 2019 Status: Superseded Download Fix Pack 9.0.5.1 9.0.5.1 is delivered for z/OS with APAR/PTF: PH16280 / UI6533.	Back to Top

Security APAR	APAR	Description
✓	PH14974	Multiple vulnerabilities in IBM HTTP Server (CVE-2018-20843, CVE-2019-10092, CVE-2019-10098) https://www.ibm.com/support/pages/node/964768
	PH10089	install-ihs -group should make more directories group writeable (z/OS only)
	PH10103	Enable RLimitCPU on z/OS. (z/OS only)
	PH10382	Enable TLSV1.2 under SSLFIPSEnable
	PH12421	AuthLDAPURL not allowing specification of RACFID unless user has RACF search permission (z/OS only)
	PH13615	IBM HTTP Server 9.0 should allow relative URL in redirects.

Note: IBM HTTP Server 9.0.5.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.41.

Refresh Pack (9.0.5)
Fix release date: 28 June 2019 Last modified: 28 June 2019 Status: Superseded Download Refresh Pack 9.0.5.0 9.0.5.0 is delivered for z/OS with APAR/PTF: PH13435 / UI6383.	Back to Top

Security APAR	APAR	Description
✓	PH09869	Multiple vulnerabilities in IBM HTTP Server (CVE-2019-0211, CVE-2019-0220) https://www-01.ibm.com/support/docview.wss?uid=ibm10880413
	PH07089	Suppress parsing of $-prefixed variables in SSI (embeds). (z/OS only)
	PH07275	Unable to change service description of an 'IBM HTTP Server' service on Windows
	PH08035	Improve IHS logs on z/OS to show installation details. (z/OS only)
	PH09519	Allow MVSDS to only use the last qualifier of a dataset name for mime extension checking. (z/OS only)
	PH12690	Add the mod_request module for z/OS. (z/OS only)

Note: IBM HTTP Server 9.0.5.0 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.39.

Fix Pack 11 (9.0.0.11)
Fix release date: 05 April 2019 Last modified: 05 April 2019 Status: Superseded Download Fix Pack 11 This fix pack is delivered for z/OS with APAR/PTF: PH10037 / UI6211.	Back to Top

Security APAR	APAR	Description
✓	PH06010	Security vulnerability in the IBM HTTP Server (CVE-2018-17199) (Distributed only) http://www-01.ibm.com/support/docview.wss?uid=ibm10869064
	PH02406	Need simpler way to reject unknown hostnames
	PH02448	Improve mod_status output for event MPM
	PH03059	ABENDEC6 RC FF0F seen at server startup using rotatelogs (z/OS only)
	PH03953	'Server reached MaxRequestWorkers' message is issued while idle threads are available
	PH05560	Using multiple environment variables in a directive doesn't work
	PH05575	Postinst logs unexpected message when failed to find an FQDN
	PH05852	Allow headers to be unset using regex

Note: IBM HTTP Server 9.0.0.11 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.38.

Fix Pack 10 (9.0.0.10)
Fix release date: 14 December 2018 Last modified: 14 December 2018 Status: Superseded Download Fix Pack 10 This fix pack is delivered for z/OS with APAR/PTF: PH06005 / UI60127	Back to Top

Security APAR	APAR	Description
	PH01222	Timeout setting for OCSP on IBM HTTP Server
	PH01302	Accept SHA2 cert chains in LDAP connections

Note: IBM HTTP Server 9.0.0.10 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.37.

Fix Pack 9 (9.0.0.9)
Fix release date: 21 September 2018 Last modified: 21 September 2018 Status: Superseded Download Fix Pack 9 This fix pack is delivered for z/OS with APAR/PTF: PH02525 / UI5847.	Back to Top

Security APAR	APAR	Description
	PI95964	Add mod_cgi directive to allow users to configure timeouts for CGI applications
	PI96156	SSL fails with multiple addresses in single VirtualHost
	PI96321	Update embedded LDAP SDK to 6.4.x
	PI96949	The file time stamp format of IHS 9.0 is different from IHS 8.5
	PI96955	Allow mod_substitute for proxied responses
	PI97314	Add mod_backtrace for Windows
	PI98116	PDB files are not shipped for plug-in and `odrlib` in the Windows archive installer.
	PI98146	Only create rewrite map lock if RewriteMaps are used.
	PI98147	Print unparsed URI in the 'URI incorrectly encoded' error message
	PI98705	HTML-encoded SSI variable double-encoded when moving to IHS 9.0
	PI99032	SSL alerts not showing in log messages
	PI99262	Reduce memory used by persistent connections
	PI99271	AuthzProviderAlias ignoring all Require-Parameters except first one.
	PI99394	IBM HTTP Server startup messages not switching to Errorlog (z/OS only)
	PI99567	HTTPProtocolOptions improvements
	PI99680	rotatelogs description should include option -n
	PI99685	HTTPProtocolOptions=unsafe should allow a space in a header
	PH00889	LeaveWorkUnit errors with mod_wlm (z/OS only)

Note: IBM HTTP Server 9.0.0.9 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.34.

Fix Pack 8 (9.0.0.8)
Fix release date: 29 June 2018 Last modified: 29 June 2018 Status: Superseded Download Fix Pack 8 This fix pack is delivered for z/OS with APAR/PTF: PI99702 / UI5692.	Back to Top

Security APAR	APAR	Description
✓	PI94222	Multiple vulnerabilities in GSKit bundled with IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22015347
✓	PI95670	Multiple vulnerabilities in IBM HTTP Server (CVE-2017-15710, CVE-2017-15715,CVE-2018-1301) http://www-01.ibm.com/support/docview.wss?uid=swg22015344
	PI91850	MVSDS does not list member contents when using relative generation number to create a member list with PDS/PDSE GDG (z/OS only)
	PI91975	The 'Header unset Content-Type' directive does not unset the Content-Type response header.
	PI92017	Include CGI program name when writing stderr to the error log when using mod_cgi
	PI92053	Let child processes avoid graceful shutdown if ECONNREFUSED, ECONNABORTED, ECONNRESET occur during client accept().
	PI92092	FSUM6245 seen when upgrading IHS to a new fix pack and using an intermediate symbolic link (z/OS only)
	PI92407	Log startup message for low 64-bit MEMLIMIT
	PI93212	Throttle SSL0600E error messages
	PI94050	High CPU/Hang with IHS mod_auth_basic LDAP
	PI94539	mod_proxy_http does not allow headers larger than 8K bytes.
	PI95610	Namespace collision when mod_ibm_ssl.so is loaded alongside libodr.so.

Note: IBM HTTP Server 9.0.0.8 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.33.

Fix Pack 7 (9.0.0.7)
Fix release date: 16 March 2018 Last modified: 16 March 2018 Status: Superseded Download Fix Pack 7 This fix pack is delivered for z/OS with APAR/PTF: PI94851 / UI5433.	Back to Top

Security APAR	APAR	Description
✓	PI90598	CVE-2017-12613 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22013598
	PI90688	gskcapicmd on Linux not working in IHS V9
	PI90811	rotatelogs fails with relative paths in IBM HTTP Server V9
	PI91038	When client and IHS don't support the same SSL/TLS version, IHS logged incorrect message in error log
	PI91075	Add environment variable to record "SSLVersion" failure
	PI91351	Add toleration for TLS certificate extension InhibitAnyPolicy marked as non-critical
	PI91720	HTTPS download of IHS archive install from Fix Central results in uncompressed file with misleading name

Note: IBM HTTP Server 9.0.0.7 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.29.

Fix Pack 6 (9.0.0.6)
Fix release date: 21 December 2017 Last modified: 21 December 2017 Status: Superseded Download Fix Pack 6 This fix pack is delivered for z/OS with APAR/PTF: PI91366 / UI5273.	Back to Top

Security APAR	APAR	Description
✓	PI87445	CVE-2017-9798 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782
✓	PI87663	CVE-2017-12618 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22009782
	PI84868	Disable the 3DES cipher by default in IBM HTTP Server.
	PI85561	SSL Fallback Protection related errors with SSLProxyEngine ON
	PI85702	SAFRunAs %%CERTIF%% asks for basic auth credentials
	PI85804	Improve password failure error messages in authnz_saf
	PI87046	Microsoft Windows large address support was not ported in IBM HTTP Server 9.0.0.4
	PI88232	Allow the server to handle requests with obsolete folds containing only spaces and/or tabs after PI73984.
	PI88356	Default ciphers with SSLFIPSEnable are System SSL defaults instead of IHS defaults.
	PI88553	Print an error message that includes the errno and errno2 values if fail to find a specified saf-group.
	PI90141	IBM HTTP Server may hang at startup on z/Linux running on z14 hardware - upgrade GSKit to 8.0.50.84
	PI90834	abendoc4 in apr_pstrcat using saf-change-pw handler

Note: IBM HTTP Server 9.0.0.6 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.29.

Fix Pack 5 (9.0.0.5)
Fix release date: 17 October 2017 Last modified: 13 October 2017 Status: Superseded Download Fix Pack 5 This fix pack is delivered for z/OS with APAR/PTF: PI87801 / UI50746.	Back to Top

Security APAR	APAR	Description
✓	PI82260	CVE-2017-3167 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280
✓	PI82263	CVE-2017-7668 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280
✓	PI82481	CVE-2017-7679 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg22005280
	PI80356	Upgrade bundled GSKit security library (Distributed only)
	PI81360	Allow SSL_/TLS_ prefixes to be used interchangeably for cipher long names
	PI81602	Issues with updating SAF password when using Firefox or Chrome (z/OS only)
	PI82760	Unable to launch ikeyman on the IBM HTTP Server side.
	PI82834	Add a simple PCT alternative for IBM HTTP Server with Liberty.
	PI83167	Support for binary-only install via IHS_SKIP_POSTINST environment variable.
	PI83257	Reduce memory usage from long mod_rewrite configurations.
	PI83350	Add jobname and job id to SMF 103 records for IBM HTTP Server (z/OS only)

Note: IBM HTTP Server 9.0.0.5 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.27.

Fix Pack 4 (9.0.0.4)
Fix release date: 13 June 2017 Last modified: 13 June 2017 Status: Superseded Download Fix Pack 4 This fix pack is delivered for z/OS with APAR/PTF: PI82358 / UI47689.	Back to Top

Security APAR	APAR	Description
	PI73043	Upgrade bundled GSKit security library (Distributed only)
	PI74780	Allow IBM HTTP Server 9.0 on AIX 6.1
	PI75835	ABEND0C4 in IBM HTTP Server 9.0 using -v option with rotatelogs (z/OS only)
	PI76757	Allow SSL handshake transcripts to be enabled or disabled
	PI76874	Further enhancements to PI50937 high cpu avoidance
	PI76918	'Permission denied' errors after maintenance upgrade of IBM HTTP Server on z/OS (z/OS only)
	PI77337	IHS LDAP connection with SSL not working
	PI77697	IBM HTTP Server 9.0 install not creating service correctly on Microsoft Windows
	PI78442	Some sequences of server-side includes mixing '#include virtual=' and '#include file=' result in a HTTP 400 error.
	PI78696	SSL handshake failure between IHS/Proxy to backend IHS/Plug-in
	PI78716	File is not translated using MVSDS if content-encoding is used with IBM HTTP Server 9.0 (z/OS only)
	PI78967	Allow CEEDUMPS to be requested with kill -USR2 (z/OS only)
	PI80106	500 Internal error with `'AH01328: Line too long'` (z/OS only)
	PI80187	Redirect functionality not working as expected for MVSDS requests (z/OS only)
	PI80447	Disable MMAP for static files by default on z/OS (z/OS only)

Note: IBM HTTP Server 9.0.0.4 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.25.

Fix Pack 3 (9.0.0.3)
Fix release date: 14 March 2017 Last modified: 14 March 2017 Status: Superseded Download Fix Pack 3 This fix pack is delivered for z/OS with APAR/PTF: PI77285 / UI45080.	Back to Top

Security APAR	APAR	Description
✓	PI73984	CVE-2016-8743 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21996847
	PI70372	mod_mvsds serves a plain text file as an html page if it contains any string starting with a '<' and ending with a '>'.
	PI70496	Startup failures when 'SSLEnable' is specified globally instead of within a VirtualHost.
	PI70825	Simplify mod_ibm_ssl trace enabling in IBM HTTP Server 9.0
	PI70829	Provide additional message information for IBM HTTP Server TLS handshakes
	PI71340	Update ikeyman/gskcmd wrappers for IBM HTTP Server 8.5.5 and 9.0 with embedded Java 8.
	PI72989	Hangs related to mod_backtrace and mod_whatkilledus during a crash.
	PI73027	Crash with combination of mod_net_trace loaded and 'EnableSendfile ON' in httpd.conf.
	PI73165	High cpu encountered when directive EnableSendfile is set to On
	PI73661	Session ID Daemon (sidd) memory leak
	PI73819	Allow an extended syntax for the SSLCipherSpec directive on z/OS
	PI73951	mod_zos_cmds incorrectly reports the number of lingering close connections as zero.
	PI74200	Connection resets under heavy load when connecting to IHS on z/OS.

Note: IBM HTTP Server 9.0.0.3 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.25.

Fix Pack 2 (9.0.0.2)
Fix release date: 13 December 2016 Last modified: 13 December 2016 Status: Superseded Download Fix Pack 2 This fix pack is delivered for z/OS with APAR/PTF: PI72454 / UI42701.	Back to Top

Security APAR	APAR	Description
✓	PI66849	CVE-2012-0876, CVE-2012-1148, CVE-2016-4472 expat vulnerability fixes for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026
	PI66468	bin\ikeyman.bat and bin\gskcmd.bat don't work when IHS install path contains spaces
	PI66787	Session cache daemon (sidd) memory leak
	PI66931	Upgrade bundled GSKit security library to resolve TLS > 1.2 negotiation intolerance.
	PI67595	AuthSAFExpiration and AuthSAFReenter do not work when using a 401 errordocument (z/OS only)
	PI68001	Add ability for the MVS stop command to do a graceful shutdown of the server (z/OS only)
	PI68803	IHS on z/OS CPU usage increases in release 8.5.5.5 or beyond (z/OS only)
	PI69081	gskver, ikeyman, gskcapicmd, and gskcmd scripts do not work in IBM HTTP Server 9.0.0.1
	PI69182	IBM HTTP Server 9.0 SSL cipher defaults may be displayed incorrectly on z/OS (z/OS only)
	PI69979	Accept non strictly-conforming X509 certificates in IBM HTTP Server 9.0
	PI70022	Allow IBM HTTP Server on Linux to automatically raise ulimit -n to accomodate larger ThreadsPerChild

Note: IBM HTTP Server 9.0.0.2 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.23.

Fix Pack 1 (9.0.0.1)
Fix release date: 16 September 2016 Last modified: 16 September 2016 Status: Superseded Download Fix Pack 1 This fix pack is delivered for z/OS with APAR/PTF: PI68703 / UI40714.	Back to Top

Security APAR	APAR	Description
✓	PI63098	CVE-2016-0718 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988026
✓	PI65855	CVE-2016-5387 for IBM HTTP Server http://www-01.ibm.com/support/docview.wss?uid=swg21988019
	PI60251	mod_mvsds writes content as binary instead of text/plain (z/OS only)
	PI60784	IBM HTTP Server directives SSLCipherBan and SSLCipherRequire may crash when GSKit tracing is enabled
	PI62663	Some Server Side Includes (SSI) may not be translated as expected (z/OS only)
	PI63482	Add a private header with password change information for 401 response.
	PI63682	IHS mod_status displays many 'NULL' strings in request column
	PI64346	SetEnvIf may be skipped with SAF auth enabled (z/OS only)
	PI64628	IBM HTTP Server on Z/OS is deleting the wrong message queue (z/OS only)
	PI66153	XML datasets with no XML extension cause error under mod_mvsds (z/OS only)
	PI66183	When MFA is configured, SAFRunAs fails with a permission error (z/OS only)

Note: IBM HTTP Server 9.0.0.1 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.23.

9.0.0.0 (9.0.0.0-PI56034)
Fix release date: 24 June 2016 Last modified: 24 June 2016 Status: Superseded Download 9.0.0.0 This release was delivered for z/OS as an IM (Installation Manager) installed version only. For SMPE install, these contents were not available until 9.0.0.1.	Back to Top

Security APAR	APAR	Description
	PI53754	Using MVSDS to retrieve a GDG(0) always returns the same file, even after a new generation is created (z/OS only)
	PI56034	No equivalent functionality for DGW AlwaysWelcome directive in IHS on z/OS (z/OS only)
	PI56576	Incorrect image path in .css file causes image to not display
	PI57543	Allow one address space per rotatelogs process to be conserved. (z/OS only)
	PI57596	CRIHS0001I may contain garbage information or not pick up HTTPS port (z/OS only)
	PI58218	IBM HTTP Server mod_cache fixes
	PI59561	Add pre/post password hooks to mod_authnz_saf
	PI60207	Upgrade bundled GSKit security library to 8.0.50.61

Note: IBM HTTP Server 9.0.0.0 contains all applicable security fixes in Apache HTTP Server versions up through 2.4.20.

9.0.0.0-PI54808
Fix release date: 02 March 2016 Last modified: 02 March 2016 Status: Superseded This release was not delivered for distributed platforms or with WebSphere Application Server. It was delivered for z/OS only via APAR/PTF: PI56777 / UI35362.	Back to Top

Security APAR	APAR	Description
	PI48857	Some headers are removed when caching is enabled
	PI50376	DGW compatibility for DOCUMENT_* CGI variables. (z/OS only)
	PI50397	No error log entries for 'SAFRunAs %%CERTIF_REQ%%' failures. (z/OS only)
	PI50514	SSL session ID cache daemon (SIDD) creates unnecessary entries
	PI51185	Enhancements allowing use of SAFRunAsEarly for certificate switching (z/OS only)
	PI52301	Reduce reads to /dev/random causing CSFSERV CSFRNG access (z/OS only)
	PI54808	RewriteRule sees un-decoded characters in URL when mod_authnz_saf loaded (z/OS only)

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"ARM Category":[{"code":"a8m50000000Cd10AAC","label":"IHS"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"9.0.0;9.0.5","Line of Business":{"code":"LOB45","label":"Automation"}}]

Was this topic helpful?

Document Information

More support for:
IBM HTTP Server

Component:
IHS

Software version:
9.0.0, 9.0.5

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows, z/OS

Document number:
617655

Modified date:
13 June 2025

UID

swg27048481

IBM Support

Tips

Fix list for IBM HTTP Server Version 9.0

Product Documentation

Abstract

Content

IBM HTTP Server is vulnerable to information disclosure due to the included Apache HTTP Server (CVE-2023-31122)

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?