This interim fix upgrades the GSKit shipped with IBM HTTP Server to resolve the CVE-2013-6329 vulnerability.
PI05309 resolves the following problem:
IBM HTTP Servers using SSL
Potential denial of service vulnerability in handshake processing in IBM HTTP Server.
Apply this fix if using IHS with SSL.
Disabling the SSLv3 Session cache will circumvent this issue,
but may lead to higher CPU usage.
For additional information, refer to the Security Bulletin for this issue:
The GSKit security library was updated to resolve the exposure.
The fix is targeted for IBM HTTP Server fixpacks:
IBM HTTP Server is distributing an updated GSKit security library as an interim fix.
No configuration is required once GSKit is updated to 184.108.40.206 or 220.127.116.11.
Note: For IHS 8.5.5, the fix is in the 18.104.22.168 fixpack , but "CVE-2013-6329" will not be listed in
the '-V' output until the 22.214.171.124 fixpack.
For IHS version 8.0 and 8.5:
The interim fix can be installed using Installation Manager (IM) with the Web-based ("live") repository provided by IBM. It is necessary to de-select the "Show recommended only" option within IM and to expand "Only fixes for version 8.x.y.z" to see the fix listed.
The interim fix is also available from Fix Central at the link listed in the Download Package section below.
For IHS versions prior to 8.0:
This standalone GSKit update has been published to the IBM HTTP Server Fixes download site,
and are located under the 'GSKit Version 7' section for your platform. Click 'here' to be taken to the login page.
For IBM HTTP Server 6.x releases, download the GSKit 126.96.36.199 package and Readme
under the section labeled 'PI05309 - IHS Version 6'
For IBM HTTP Server 7.0 releases, download the GSKit 188.8.131.52 package and Readme
under the section labeled 'PI05309 - IHS Version 7'
Review the readme.txt available with the fix for installation instructions.
IMPORTANT NOTE: This fix has been superseded by PI09443. It is highly recommended that you install that fix instead of the one available for this APAR. The GSKit installed by that interim fix is newer and also includes the fix for PI05309.
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
15 June 2018