IBM HTTP Server latest cumulative security interim fix

Abstract

This page is updated over time to provide download links to the most recent Cumulative Security Interim Fix (CSIF) for IBM HTTP Server 8.5.5 and 9.0.5.

Each CSIF supersedes (replaces) prior fixes. Information about the content of superseded fixes is maintained for approximately 1 year. For an explanation of how fixes are managed over time, refer to the FAQ at the bottom of this page.

Download Description

IFPH71594 resolves the following problems:

CVE | Pervasiveness | Affected Configuration
CVE-2026-29167 | rare | mod_authnz_ldap loaded and LDAP configuration directives in .htaccess files
CVE-2026-29170, CVE-2026-44186 | rare | mod_proxy_ftp module loaded and configured
CVE-2026-34356 | rare | ProxyPassReverseCookieMap directive and untrusted, compromised, or non-TLS backend servers
CVE-2026-42535 | rare | mod_dav module loaded
CVE-2026-43951 | rare | Non-WebSphere (local) content and either the AddLanguage directive or mod_negotiation loaded
CVE-2026-44119 | rare | .htaccess enabled (AllowOverride other than None) and .htaccess files writable by untrusted users, who may use expressions containing %{file:...} or file(...)
CVE-2026-44631 | rare | Regular expressions with more than 128 captures in the configuration, including .htaccess

 

This download additionally supersedes (includes) the following recent fixes and their corresponding security bulletins:
 

IFPH71265 resolves the following problems:

CVE | Pervasiveness | Affected Configuration
CVE-2026-9170 | common | Configurations with the SSLEnable directive
CVE-2026-8835, CVE-2026-8834 | common | IHS Admin Server (mod_ibm_admin / adminctl)
CVE-2026-8855 | uncommon | SSLClientAuth directive with a value other than "0" or "None" (TLS mutual auth)
CVE-2026-8854 | uncommon | mod_mem_cache module loaded
CVE-2026-8856 | uncommon | Configurations with both of the following: the SSLStashFile directive, and either the SSLPKCSDriver directive or the SSLCRLHostname directive set to any value other than the literal "URI". (SSLStashFile is often used mistakenly to point to the .sth that goes with a .kdb; that use is unaffected.)
CVE-2026-8852 | rare | mod_fastcgi module loaded
CVE-2026-8850 | rare | mod_ibm_upload module loaded (used by HCL Connections)
CVE-2026-45186 | rare | mod_dav module loaded

 

IFPH71061 resolves the following problems:

  • CVE-2026-24072
    • IHS 9.0 configurations with AllowOverride set to values other than None and untrusted users writing .htaccess files (rare)
  • CVE-2026-33523
    • IHS deployments where the response from a backend server may contain a malicious HTTP status line (backend untrusted or compromised, or the request intercepted)
  • CVE-2026-41080
    • IHS configurations with mod_dav loaded (rare)
    • n/a on z/OS
  • CVE-2026-34059, CVE-2026-33857, CVE-2026-28780, CVE-2026-34032
    • IHS 8.5 configurations with mod_proxy_ajp loaded (rare)
    • n/a on z/OS

IFPH70572 resolved the following problems:

  • CVE-2026-32776, CVE-2026-32777, CVE-2026-32778
    • mod_dav loaded (extremely uncommon)

IFPH67153 resolved the following problems:

  • CVE-2024-43394
    • Vulnerable Configurations: IHS on Windows with RewriteCond or Apache Expression Parser expressions that are tricked into looking up remote UNC file paths through use of unary file operators (-d, -f)
  • CVE-2024-42516
    • Vulnerable Configurations: mod_proxy loaded and backend application that can be tricked into setting an attacker controlled Content-Type header
  • CVE-2024-43204
    • Vulnerable Configurations: mod_proxy loaded and `Header` directive in the IHS configuration that sets Content-Type to values computed from user controlled variables/expressions

IFPH67414 resolved the following additional problem (9.0 only):

  • CVE-2025-54090
    • Vulnerable Configurations: `RewriteCond` directive with a first argument of the literal "expr", where the condition is used for some security purpose. Only applicable to 9.0 with IFPH67153 installed.

IFPH68462 resolved the following additional problems:

  • CVE-2025-58098
    • Affected Configurations: mod_include and mod_cgid (but not mod_cgi) modules loaded
  • CVE-2025-59775
    • Affected Configurations: Windows with both of the following non-default directives:  "AllowEncodedSlashes ON" and "MergeSlashes OFF" (extremely uncommon)
  • CVE-2025-65082
    • Affected Configurations: mod_cgi or mod_cgid loaded and htaccess enabled with AllowOverride other than "none" above CGI root.  
  • CVE-2025-66200
    • Affected Configurations: mod_userdir and mod_suexec both loaded AND $IHS_HOME/bin/suexec added by administrator (extremely uncommon)
  • CVE-2025-59375
    • mod_dav loaded (extremely uncommon)
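
The tables and lists above answer "am I affected?" directive by directive. The following audit script is an added example, not an IBM-supplied tool or part of this download: it parses an httpd.conf and reports which of the affected configurations listed above are present. The sample configuration, its paths and hostnames are constructed for the example. It assumes a single flat httpd.conf (Include files are not followed and .htaccess files are not read, so .htaccess-dependent findings are reported as "possible"), and it says nothing about whether the interim fix itself is installed.

```python
"""Audit one IBM HTTP Server httpd.conf against the affected configurations
listed in the CSIF tables above.

Added example, not an IBM-supplied tool.  It parses a single flat file
(Include is not followed, .htaccess is not read), so .htaccess-dependent
findings are reported as "possible", and it only reports which listed
configurations are present, never whether the interim fix is installed.
"""
import re

# Constructed sample httpd.conf for this example; paths and hosts are invented.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
LoadModule dav_module modules/mod_dav.so
# LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule negotiation_module modules/mod_negotiation.so
Listen 443
<VirtualHost *:443>
  SSLEnable
  SSLClientAuth optional
  KeyFile /opt/IBM/HTTPServer/keys/key.kdb
  SSLStashFile /opt/IBM/HTTPServer/keys/key.sth
  SSLPKCSDriver /usr/lib/pkcs11/hsm.so
</VirtualHost>
<Directory "/opt/IBM/HTTPServer/htdocs">
  AllowOverride AuthConfig
</Directory>
ProxyPassReverseCookieMap backend.internal www.example.com
"""

# Module -> CVEs whose affected configuration in the tables above is "module loaded".
MODULE_CVES = {
    "mod_dav": ["CVE-2026-42535", "CVE-2026-45186", "CVE-2026-41080", "CVE-2026-32776",
                "CVE-2026-32777", "CVE-2026-32778", "CVE-2025-59375"],
    "mod_proxy_ftp": ["CVE-2026-29170", "CVE-2026-44186"],
    "mod_mem_cache": ["CVE-2026-8854"],
    "mod_fastcgi": ["CVE-2026-8852"],
    "mod_ibm_upload": ["CVE-2026-8850"],
    "mod_proxy_ajp": ["CVE-2026-34059", "CVE-2026-33857", "CVE-2026-28780", "CVE-2026-34032"],
    "mod_negotiation": ["CVE-2026-43951"],
    "mod_authnz_ldap": ["CVE-2026-29167"],  # affected only with LDAP directives in .htaccess
}
HTACCESS_DEPENDENT = {"mod_authnz_ldap"}
# Directives whose arguments contain a regular expression (capture-count check).
REGEX_DIRECTIVES = {"rewriterule", "rewritecond", "redirectmatch", "aliasmatch",
                    "locationmatch", "directorymatch", "filesmatch"}
# A '(' that is neither escaped nor the start of a '(?...)' group.  Named groups
# are treated as non-capturing here, a simplification of PCRE.
CAPTURE_GROUP = re.compile(r"(?<!\\)\((?!\?)")


def parse_directives(conf_text):
    """Return [(name, args)] with lower-cased names.  Container tags are kept as
    directives ('<LocationMatch "^/x">' -> ('locationmatch', '"^/x"')); comments,
    blank lines and closing tags are dropped."""
    out = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("</"):
            continue
        if line.startswith("<"):
            line = line[1:].rstrip(">")
        parts = line.split(None, 1)
        out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out


def capture_count(pattern):
    """Number of capturing groups in a regex argument."""
    return len(CAPTURE_GROUP.findall(pattern))


def audit(conf_text):
    """Return sorted (CVE, reason) pairs for the listed configurations found."""
    directives = parse_directives(conf_text)
    present = {name for name, _ in directives}
    findings = set()

    # LoadModule <ident> <path>: the module name is the basename of the path.
    loaded = set()
    for name, args in directives:
        if name == "loadmodule":
            m = re.search(r"(mod_\w+)\.\w+\s*$", args)
            if m:
                loaded.add(m.group(1))
    for mod, cves in MODULE_CVES.items():
        if mod in loaded:
            note = "possible: " if mod in HTACCESS_DEPENDENT else ""
            findings.update((cve, f"{note}{mod} loaded") for cve in cves)

    if "sslenable" in present:
        findings.add(("CVE-2026-9170", "SSLEnable present"))
    if "proxypassreversecookiemap" in present:
        findings.add(("CVE-2026-34356", "ProxyPassReverseCookieMap present; review backend trust and TLS"))
    if "addlanguage" in present:
        findings.add(("CVE-2026-43951", "AddLanguage present"))

    # CVE-2026-8856 needs SSLStashFile AND (SSLPKCSDriver OR SSLCRLHostname other than "URI").
    # SSLStashFile alone, pointing at the .sth of a .kdb, is the common and unaffected case.
    crl_non_uri = any(n == "sslcrlhostname" and a.strip('"') != "URI" for n, a in directives)
    if "sslstashfile" in present and ("sslpkcsdriver" in present or crl_non_uri):
        findings.add(("CVE-2026-8856", "SSLStashFile with SSLPKCSDriver or non-URI SSLCRLHostname"))

    for name, args in directives:
        first = args.split()[0].strip('"').lower() if args else ""
        if name == "sslclientauth" and first not in ("", "0", "none"):
            findings.add(("CVE-2026-8855", f"SSLClientAuth {first} (TLS mutual auth)"))
        if name == "allowoverride" and first != "none":
            reason = f"possible: AllowOverride {first}; depends on who can write .htaccess"
            findings.update({("CVE-2026-44119", reason), ("CVE-2026-24072", reason)})
        if name in REGEX_DIRECTIVES and capture_count(args) > 128:
            findings.add(("CVE-2026-44631", f"{name} pattern has more than 128 captures"))
    return sorted(findings)


if __name__ == "__main__":
    for cve, reason in audit(SAMPLE_CONF):
        print(f"{cve}: {reason}")
```

To run it against a real server, replace SAMPLE_CONF with the contents of the httpd.conf actually in use (and of any files it includes). A hit means the configuration in the table is present, not that the server is unpatched; confirm the installed interim fix level separately with Installation Manager.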

 

Prerequisites

None

Download Package

IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table.  

A signature file is provided along with each interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages.

IBM Installation Manager packages

Notes: 
  1. FC stands for Fix Central and the links are downloadable Installation Manager repositories. Review the What is Fix Central (FC)? FAQs for more details.
DOWNLOAD | RELEASE DATE | URL
9.0.5.28-WS-WASIHS-IFPH71594 | 16 June 2026 | FC
9.0.5.27-WS-WASIHS-IFPH71594 | 16 June 2026 | FC
9.0.5.26-WS-WASIHS-IFPH71594 | 16 June 2026 | FC
9.0.5.25-WS-WASIHS-IFPH71594 | 16 June 2026 | FC
8.5.5.29-WS-WASIHS-IFPH71594 | 16 June 2026 | FC
8.5.5.28-WS-WASIHS-IFPH71594 | 16 June 2026 | FC

Archive packages (no IM)

Notes:

  1. FC stands for Fix Central and the links are downloadable archive packages (no Installation Manager required). Review the What is Fix Central (FC)? FAQs for more details.
  2. Archives include WAS Plug-in APARs PH71342 and PH71376

DOWNLOAD | RELEASE DATE | URL
9.0.5-WS-IHS-ARCHIVE-win-x86_64-FP028-IFPH71594 | 16 June 2026 | FC
9.0.5-WS-IHS-ARCHIVE-linux-x86_64-FP028-IFPH71594 | 16 June 2026 | FC
9.0.5-WS-IHS-ARCHIVE-linux-s390x-FP028-IFPH71594 | 16 June 2026 | FC
9.0.5-WS-IHS-ARCHIVE-linux-ppc64le-FP028-IFPH71594 | 16 June 2026 | FC
9.0.5-WS-IHS-ARCHIVE-aix-ppc64-FP028-IFPH71594 | 16 June 2026 | FC

Problems Solved

PH71594, PH71265, PH71061, PH70572, PH68462, PH67414, PH67153, PH61590, PH61893, PH62263, PH66956

Change History

  • 28 July 2025: Add 8.5.5.28 fixes.
  • 05 Aug 2025: Supersede 9.0 fixes with IFPH67414.
  • 15 Dec 2025: Supersede fixes with IFPH68462 due to new CVEs.
  • 21 Jan 2026: Add IFPH69573 z/OS fix for 9.0.5.26.
  • 31 Mar 2026: Supersede IFPH68462 with IFPH70572.
  • 25 May 2026: Supersede IFPH71061 with IFPH71265 for Apache 2.4.67 CVEs.
  • 16 July 2026: Supersede IFPH71265 with IFPH71594 for Apache 2.4.68 CVEs.

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

FAQ

  1. Why is this such a long-lived page with so many separate APARs and interim fixes?

    IHS has very few separately serviceable parts, so generally each interim fix supersedes the previous ones.

    To avoid confusion, when we supersede an interim fix, we remove the old one from Fix Central and update the download document (this page) of the superseded fix with information about the new APAR and the new cumulative interim fix downloads.

    Each fix contains metadata listing which APARs it resolves.
  2. This is all very confusing. Can you provide a series of events that illustrates how it is managed?

    In chronological order, consider these events:
    1. No bulletins are issued for IHS for 12 months.
    2. Fix pack 9.0.5.20 is released.
    3. A bulletin is issued for IHS for CVE-XXXX-0001 and is assigned APAR PH00001.

      Simultaneously, fixes for 9.0.5.20 and 9.0.5.19 are published and added to this page with an ID containing IFPH00001.
    4. Fix pack 9.0.5.21 is released and contains the fix for PH00001.
    5. A bulletin is issued for IHS for CVE-XXXX-0020 and is assigned APAR PH00020.

      Simultaneously, fixes for 9.0.5.21 and 9.0.5.20 are published with an ID of IFPH00020.

      The download links for IFPH00001 are removed from this page. In their place, the fixes for IFPH00020 are added. The page continues to describe the problem of PH00001, since the 9.0.5.20 version of IFPH00020 still provides this fix.

      Shortly after the above, IFPH00001 is removed from Fix Central. This ensures that a Fix Central search for PH00001 finds IFPH00020, the latest cumulative security interim fix.

  3. I'm using an older fix pack. Can fixes be made available on top of older maintenance?

    In general, fixes will not be ported further back than what is initially published. The prerequisite fix pack must be applied before the interim fix.

  4. What does "pervasiveness" mean in the table of CVEs for each interim fix?

    It refers to how common we believe the affected configuration is.

 

Document Location

Worldwide


Problems (APARs) fixed
PH71342, PH68462, PH67414, PH67153, PH61590, PH61893, PH62263, PH66956, PH71265, PH71594

Document Information

Modified date:
16 June 2026

UID

ibm17239806