IBM Support

IBM HTTP Server latest cumulative security interim fix

Download


Downloadable File

File linkFile sizeFile description
   
   
   
   
   

Abstract

This page is updated over time to provide download links to the most recent Cumulative Security Interim Fix (CSIF) for IBM HTTP Server 8.5.5 and 9.0.5.

Each CSIF supersedes (replaces) prior fixes. Information about the content of superseded fixes is maintained for approximately 1 year. For an explanation of how fixes are managed over time, refer to the FAQ at the bottom of this page.

Download Description

This download resolves the following security bulletin(s):


IFPH70572 resolves the following problems:

  • CVE-2026-32776, CVE-2026-32777, CVE-2026-32778
    • mod_dav loaded (extremely uncommon)

This download additionally supersedes (includes) the following recent fixes where applicable:
 

IFPH67153 resolved the following problem:
 
  • CVE-2024-43394
    • Vulnerable Configurations: IHS on Windows with RewriteCond or Apache Expression Parser expressions that are tricked into looking up remote UNC file paths through use of unary file operators (-d, -f)
  • CVE-2024-42516
    • Vulnerable Configurations: mod_proxy loaded and backend application that can be tricked into setting an attacker controlled Content-Type header
  • CVE-2024-43204
    • Vulnerable Configurations: mod_proxy loaded and `Header` directive in the IHS configuration that sets Content-Type to values computed from user controlled variables/expressions
IFPH67414 resolved the following additional problem (9.0 only)
  • CVE-2025-54090
    • Vulnerable Configurations: `RewriteCond` directive with first argument of the literal "expr" and the condition is used for some security purpose.  Only applicable to 9.0 with IFPH67153 installed.
IFPH68462 resolved the following additional problems
  • CVE-2025-58098
    • Affected Configurations: mod_include and mod_cgid (but not mod_cgi) modules loaded
  • CVE-2025-59775
    • Affected Configurations: Windows with both of the following non-default directives:  "AllowEncodedSlashes ON" and "MergeSlashes OFF" (extremely uncommon)
  • CVE-2025-65082
    • Affected Configurations: mod_cgi or mod_cgid loaded and htaccess enabled with AllowOverride other than "none" above CGI root.  
  • CVE-2025-66200
    • Affected Configurations: mod_userdir and mod_suexec both loaded AND $IHS_HOME/bin/suexec added by administrator (extremely uncommon)
  • CVE-2025-59375
    • mod_dav loaded (extremely uncommon)

 

Prerequisites

None

Download Package

IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table.  

Signature file is provided along with interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages. 
 

IBM Installation Manager packages

DOWNLOADRELEASE DATE

URL

9.0.5.27-WS-WASIHS-IFPH7057230 March 2026FC
9.0.5.26-WS-WASIHS-IFPH7057230 March 2026FC
9.0.5.25-WS-WASIHS-IFPH7057230 March 2026FC
8.5.5.29-WS-WASIHS-IFPH7057230 March 2026FC
8.5.5.28-WS-WASIHS-IFPH7057230 March 2026FC

Archive packages (no IM)

DOWNLOADRELEASE DATE

URL

9.0.5-WS-IHS-ARCHIVE-win-x86_64-FP027-IFPH7057230 March 2026FC
9.0.5-WS-IHS-ARCHIVE-win-x86-FP027-IFPH7057230 March 2026FC
9.0.5-WS-IHS-ARCHIVE-linux-x86_64-FP027-IFPH7057230 March 2026FC
9.0.5-WS-IHS-ARCHIVE-linux-s390x-FP027-IFPH7057230 March 2026FC
9.0.5-WS-IHS-ARCHIVE-linux-ppc64le-FP027-IFPH7057230 March 2026FC
9.0.5-WS-IHS-ARCHIVE-aix-ppc64-FP027-IFPH7057230 March 2026FC
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.

Problems Solved

PH70572, PH68462, PH67414, PH67153, PH61590, PH61893, PH62263, PH66956

Change History

Change History

  • 28 July 2025: Add 8.5.5.28 fixes.
  • 05 Aug 2025: Supersede 9.0 fixes with IFPH67414
  • 15 Dec 2025: Supersede fixes with IFPH68462 due to new CVES.
  • 21 Jan 2026: Add IFPH69573 zOS fix for 9.0.5.26
  • 31 Mar 2026: Supersede IFPH68462 with IFPH70572

On

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

FAQ

  1. Why is this such a long-lived page with so many separate APARS and interim fixes?

    IHS has very few separately serviceable parts, so generally each interim fix supersedes the previous ones. 

    To avoid confusion, when we supersede an interim fix, we remove the old one from Fix Central and update the download document (this page) of the superseded fix with information about the new APAR and the new cumulative interim fix downloads.

    Each fix contains metadata listing which APARS it resolves.  
  2. This is all very confusing, can you provide an series of events that illustrates how it's managed?

    In chronological order, consider these events:
    1. No bulletins are issued for IHS for 12 months
    2. FixPack 9.0.5.20 is released
    3. A bulletin is issued for IHS for CVE-XXXX-0001 and is assigned APAR PH00001. 

      Simultaneously, fixes for 9.0.5.20 and 9.0.5.19 are published and added to this page with an ID containing IFPH00001
    4. FixPack 9.0.5.21 is released and contains the fix for PH00001
    5. A bulletin is issued for IHS for CVE-XXXX-0020 and is assigned APAR PH00020.

      Simultaneously, fixes for 9.0.5.21 and 9.0.5.20 are published with an id of IFPH00020.

      The download links for IFPH00001 are removed from this page. In their place, the fixes for IFPH00020 are added.  The page continues to describe the problem of PH00001 since the 9.0.5.20 version of IFPH00020 still provides this fix.

      Shortly after the above, IFPH00001 is removed from Fix Central.  This ensure that a fix central search of PH00001 finds IFPH00020, the latest cumulative security interim fix.
       
  3. I'm using an older fix pack, can fixes be made available on top of older maintenance?

    In general fixes will not be ported farther back then what is initially published.  The prerequisite fix pack must be applied prior to the interim fix.
     

 

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"ARM Category":[{"code":"a8m50000000Cd10AAC","label":"IBM HTTP Server\/WebSphere Plugin-All Platforms-\u003EIHS"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.5;9.0.5"}]

Problems (APARS) fixed
PH68462. PH67414, PH67153, PH61590, PH61893, PH62263, PH66956

Document Information

Modified date:
01 April 2026

UID

ibm17239806

Page Feedback