PK27875; 1.3.28.1: IBM HTTP Server 1.3.26 and 1.3.28 cumulative e-fix
 Downloadable files
 
Abstract
CVE-2006-3918, CVE-2006-3747 security exposures and other problems resolved after PK16139.
 
Download Description
ERROR DESCRIPTION:
This interim fix corrects several problems whose fixes were completed after the previous interim fix, PK16139.

USERS AFFECTED:
IBM® HTTP SERVER 1.3.26.2/1.3.28.1 users

PROBLEM DESCRIPTION:
CVE-2006-3918, CVE-2006-3747 security exposures and other problems resolved after PK16139.

RECOMMENDATION:
This cumulative fix is recommended for all installations because CVE-2006-3918 (PK24631) is a potential concern regardless of configuration.

1.3.26.2 fixes which are new with this interim fix:

- PK19060 Retry connection to LDAP server immediately after connection drop
- PK24631 CVE-2006-3918 Escape value of Expect header in error response to invalid Expect
- PK28587 LDAP cache expiration time was not always honored
- CMVC 84947 Fix crash in mod_ibm_ssl when using client certificate authentication
- CMVC 84949 Fix crash in mod_ibm_ssl when SSL debug trace is enabled and client certificate validation is configured

Note: CVE-2006-3747 (PK29157) does not apply to 1.3.26.2 because the defect does not exist in that release.

1.3.26.2 fixes which were in previous interim fixes:

- PK13959 CVE-2005-2088 HTTP proxy vulnerability
- CVE-2005-3352 mod_imap cross-site scripting vulnerability
- resolve Linux/x86 startup failures when /etc/nsswitch.conf specifies LDAP for name resolution, caused by dropped library support in RedHat Advanced Server 3.0 Update 4 and SLES 9
- mod_ibm_ldap: When user id is locked, return 401 instead of 503 and record the problem in error log
- mod_ibm_ldap: Provide LdapReferralHopLimit directive to control how many referrals are allowed
- mod_ibm_ldap: improve tracing
- allow mod_net_trace to trace writev error
- mod_ibm_ssl on Linux and Unix: resolve double-free error when interfacing with sidd
- Linux for pSeries and zSeries: Remove dependency on external expat library
- PK07747: IHS VIRTUAL HOST NO LONGER WORKS AFTER INSTALLATION OF MICROSOFT SECURITY PATCH MS05-019
- PK05084 CAN-2004-0940 mod_include possible buffer overflow
- Track active plug-in module when ExtendedStatus is On. "/server-status/?showmodule" can display it.
- Unix: Log errno string for sidd connect failures
- CAN-2003-0987 mod_digest nonce exposure
- CAN-2002-0843 ab exposure
- CAN-2003-0020 Strip control characters before logging to ErrorLog
- PK03424 Windows: Fix mod_rewrite RewriteLog reliability problem on Windows
- mod_log_config sometimes logged "0" instead of "-" for %b format
- AIX: enable full core dump automatically for httpd crashes
- AIX: set default AcceptMutex type to fcntl instead of pthread
- Fix child process crash in ap_bhalfduplex().
- PQ92124 HTTP POSTs fail or hang when Afpa is enabled: when Afpa is enabled on Windows, HTTP POST requests may occasionally appear to hang and eventually time out with an error
- PQ89899 CAN-2004-0492 crash in mod_proxy
- PQ76168 CAN-2003-0460 rotatelogs problem on Windows
- PQ90262 Misuse of gsk_secure_sock_close causes child process crash
- PQ90562 mod_ibm_ssl storage leak across restart
- mod_snmp limit on virtual hosts was raised to 1500
- PQ87084 Fix ap_custom_response storage corruption
- CAN-2004-0174 AIX, Solaris: hang after reset connection on rarely accessed socket
- PQ85548 Diagnostic hooks for IBM HTTP Server 1.3
- Fix an ErrorDocument problem which could result in POST data being treated as an invalid request

1.3.28.1 fixes which are new with this interim fix:

- PK19060 Retry connection to LDAP server immediately after connection drop
- PK24631 CVE-2006-3918 Escape value of Expect header in error response to invalid Expect
- PK28587 LDAP cache expiration time was not always honored
- CMVC 84947 Fix crash in mod_ibm_ssl when using client certificate authentication
- PK29157 CVE-2006-3747 mod_rewrite defect which could cause crashes on HP-UX and Windows

1.3.28.1 fixes which were in previous interim fixes:

- PK13959 CVE-2005-2088 HTTP proxy vulnerability
- CVE-2005-3352 mod_imap cross-site scripting vulnerability
- resolve Linux/x86 startup failures when /etc/nsswitch.conf specifies LDAP for name resolution, caused by dropped library support in RedHat Advanced Server 3.0 Update 4 and SLES 9
- mod_ibm_ldap: When user id is locked, return 401 instead of 503 and record the problem in error log
- mod_ibm_ldap: Provide LdapReferralHopLimit directive to control how many referrals are allowed
- mod_ibm_ldap: improve tracing
- allow mod_net_trace to trace writev error
- mod_ibm_ssl on Linux and Unix: resolve double-free error when interfacing with sidd
- PK07747: IHS VIRTUAL HOST NO LONGER WORKS AFTER INSTALLATION OF MICROSOFT SECURITY PATCH MS05-019
- PK05084 CAN-2004-0940 mod_include possible buffer overflow
- Unix: Log errno string for sidd connect failures
- Track active plug-in module when ExtendedStatus is On. "/server-status/?showmodule" can display it.
- Linux for pSeries and zSeries: Remove dependency on external expat library
- CAN-2003-0020 Strip control characters before logging to ErrorLog
- PK03424 Windows: Fix mod_rewrite RewriteLog reliability problem on Windows
- CAN-2003-0987 mod_digest nonce exposure
- SSL in FIPS mode: Don't allow SSLv2 ciphers
- Windows include files reference missing file
- mod_log_config sometimes logged "0" instead of "-" for %b format
- AIX: enable full core dump automatically for httpd crashes
- Fix child process crash in ap_bhalfduplex().
- PQ89899 CAN-2004-0492 crash in mod_proxy
- PQ90262 Misuse of gsk_secure_sock_close causes child process crash
- PQ90562 mod_ibm_ssl storage leak across restart
- mod_snmp limit on virtual hosts was raised to 1500
- PQ92124 HTTP POSTs fail or hang when Afpa is enabled: when Afpa is enabled on Windows, HTTP POST requests may occasionally appear to hang and eventually time out with an error
- PQ98444 mod_ibm_ldap fails to UTF-8 encode the filter string
 
Prerequisites
1.3.28.1 or 1.3.26.2
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL       LANGUAGE    SIZE (bytes)
Readme    US English  8587
 
Download package
Download                    RELEASE DATE  LANGUAGE    SIZE (bytes)  Download options
1.3.26.2-PK27875.aix        8/10/2006     US English  4874240       FTP, DD
1.3.26.2-PK27875.hpux       8/10/2006     US English  5734400       FTP, DD
1.3.26.2-PK27875.linux      8/10/2006     US English  4392960       FTP, DD
1.3.26.2-PK27875.linuxppc   8/10/2006     US English  6666240       FTP, DD
1.3.26.2-PK27875.linux390   8/10/2006     US English  5089280       FTP, DD
1.3.26.2-PK27875.nt         8/10/2006     US English  742147        FTP, DD
1.3.26.2-PK27875.sun        8/10/2006     US English  5504512       FTP, DD
1.3.28.1-PK27875.aix        8/10/2006     US English  5324800       FTP, DD
1.3.28.1-PK27875.hpux       8/10/2006     US English  6676480       FTP, DD
1.3.28.1-PK27875.linux      8/10/2006     US English  4812800       FTP, DD
1.3.28.1-PK27875.linux390   8/10/2006     US English  5447680       FTP, DD
1.3.28.1-PK27875.linuxppc   8/10/2006     US English  6123520       FTP, DD
1.3.28.1-PK27875.nt         8/10/2006     US English  1538655       FTP, DD
1.3.28.1-PK27875.sun        8/10/2006     US English  5816320       FTP, DD
 
Technical support
Contact IBM Support using ESR (http://www-306.ibm.com/software/support/probsub.html), visit the IBM HTTP Server Support Web site (http://www.ibm.com/software/webservers/httpservers/support/), or contact 1-800-IBM-SERV (U.S. only).
 
Problems (APARS) fixed
PK05084, PK07747, PK16139, PK19060, PK24631, PK27875, PK28587, PK29157, PQ76168, PQ87084, PQ89899, PQ90262, PQ92124, PQ98444
 
Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Base Server
Operating system(s): Windows
Software version: 1.3.28.1
Software edition:
Reference #: 4013080
IBM Group: Software Group
Modified date: Aug 10, 2006