PK27875; 1.3.28.1: IBM HTTP Server 1.3.26 and 1.3.28 cumulative e-fix
Abstract
CVE-2006-3918, CVE-2006-3747 security exposures and other problems resolved after PK16139.
Download Description
ERROR DESCRIPTION:
This interim fix corrects several problems which were resolved after the previous interim fix, PK16139.
USERS AFFECTED:
IBM® HTTP SERVER 1.3.26.2/1.3.28.1 users
PROBLEM DESCRIPTION:
CVE-2006-3918, CVE-2006-3747 security exposures and other problems resolved after PK16139.
RECOMMENDATION:
This cumulative fix is recommended for all installations because CVE-2006-3918 (PK24631) is a potential concern regardless of configuration.
1.3.26.2 fixes which are new with this interim fix:
- PK19060 Retry connection to LDAP server immediately after connection drop
- PK24631 CVE-2006-3918 Escape value of Expect header in error response to invalid Expect
- PK28587 LDAP cache expiration time was not always honored
- CMVC 84947 Fix crash in mod_ibm_ssl when using client certificate authentication
- CMVC 84949 Fix crash in mod_ibm_ssl when SSL debug trace is enabled and client certificate validation is configured
Note: CVE-2006-3747 (PK29157) does not apply to 1.3.26.2 because the defect does not exist in that release.
1.3.26.2 fixes which were in previous interim fixes:
- PK13959 CVE-2005-2088 HTTP proxy vulnerability
- CVE-2005-3352 mod_imap cross-site scripting vulnerability
- Resolve Linux/x86 startup failures when /etc/nsswitch.conf specifies LDAP for name resolution, caused by dropped library support in RedHat Advanced Server 3.0 Update 4 and SLES 9
- mod_ibm_ldap: When user id is locked, return 401 instead of 503 and record the problem in error log
- mod_ibm_ldap: Provide LdapReferralHopLimit directive to control how many referrals are allowed
- mod_ibm_ldap: Improve tracing
- Allow mod_net_trace to trace writev error
- mod_ibm_ssl on Linux and Unix: Resolve double-free error when interfacing with sidd
- Linux for pSeries and zSeries: Remove dependency on external expat library
- PK07747 IHS virtual host no longer works after installation of Microsoft security patch MS05-019
- PK05084 CAN-2004-0940 mod_include possible buffer overflow
- Track active plug-in module when ExtendedStatus is On; "/server-status/?showmodule" can display it
- Unix: Log errno string for sidd connect failures
- CAN-2003-0987 mod_digest nonce exposure
- CAN-2002-0843 ab exposure
- CAN-2003-0020 Strip control characters before logging to ErrorLog
- PK03424 Windows: Fix mod_rewrite RewriteLog reliability problem
- mod_log_config sometimes logged "0" instead of "-" for %b format
- AIX: Enable full core dump automatically for httpd crashes
- AIX: Set default AcceptMutex type to fcntl instead of pthread
- Fix child process crash in ap_bhalfduplex()
- PQ92124 HTTP POSTs fail or hang when Afpa is enabled: when Afpa is enabled on Windows, HTTP POST requests may occasionally appear to hang and eventually time out with an error
- PQ89899 CAN-2004-0492 crash in mod_proxy
- PQ76168 CAN-2003-0460 rotatelogs problem on Windows
- PQ90262 Misuse of gsk_secure_sock_close causes child process crash
- PQ90562 mod_ibm_ssl storage leak across restart
- mod_snmp limit on virtual hosts was raised to 1500
- PQ87084 Fix ap_custom_response storage corruption
- CAN-2004-0174 AIX, Solaris: Hang after reset connection on rarely accessed socket
- PQ85548 Diagnostic hooks for IBM HTTP Server 1.3
- Fix an ErrorDocument problem which could result in POST data being treated as an invalid request
1.3.28.1 fixes which are new with this interim fix:
- PK19060 Retry connection to LDAP server immediately after connection drop
- PK24631 CVE-2006-3918 Escape value of Expect header in error response to invalid Expect
- PK28587 LDAP cache expiration time was not always honored
- CMVC 84947 Fix crash in mod_ibm_ssl when using client certificate authentication
- PK29157 CVE-2006-3747 mod_rewrite defect which could cause crashes on HP-UX and Windows
1.3.28.1 fixes which were in previous interim fixes:
- PK13959 CVE-2005-2088 HTTP proxy vulnerability
- CVE-2005-3352 mod_imap cross-site scripting vulnerability
- Resolve Linux/x86 startup failures when /etc/nsswitch.conf specifies LDAP for name resolution, caused by dropped library support in RedHat Advanced Server 3.0 Update 4 and SLES 9
- mod_ibm_ldap: When user id is locked, return 401 instead of 503 and record the problem in error log
- mod_ibm_ldap: Provide LdapReferralHopLimit directive to control how many referrals are allowed
- mod_ibm_ldap: Improve tracing
- Allow mod_net_trace to trace writev error
- mod_ibm_ssl on Linux and Unix: Resolve double-free error when interfacing with sidd
- PK07747 IHS virtual host no longer works after installation of Microsoft security patch MS05-019
- PK05084 CAN-2004-0940 mod_include possible buffer overflow
- Unix: Log errno string for sidd connect failures
- Track active plug-in module when ExtendedStatus is On; "/server-status/?showmodule" can display it
- Linux for pSeries and zSeries: Remove dependency on external expat library
- CAN-2003-0020 Strip control characters before logging to ErrorLog
- PK03424 Windows: Fix mod_rewrite RewriteLog reliability problem
- CAN-2003-0987 mod_digest nonce exposure
- SSL in FIPS mode: Don't allow SSLv2 ciphers
- Windows include files reference missing file
- mod_log_config sometimes logged "0" instead of "-" for %b format
- AIX: Enable full core dump automatically for httpd crashes
- Fix child process crash in ap_bhalfduplex()
- PQ89899 CAN-2004-0492 crash in mod_proxy
- PQ90262 Misuse of gsk_secure_sock_close causes child process crash
- PQ90562 mod_ibm_ssl storage leak across restart
- mod_snmp limit on virtual hosts was raised to 1500
- PQ92124 HTTP POSTs fail or hang when Afpa is enabled: when Afpa is enabled on Windows, HTTP POST requests may occasionally appear to hang and eventually time out with an error
- PQ98444 mod_ibm_ldap fails to UTF-8 encode the filter string
Prerequisites
1.3.28.1 or 1.3.26.2
Installation Instructions
Please review the readme.txt for detailed installation instructions.
Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Base Server
Operating system(s): Windows
Software version: 1.3.28.1
Software edition:
Reference #: 4013080
IBM Group: Software Group
Modified date: Aug 10, 2006
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.