PK25355: IBM HTTP SERVER 2.0.47 AND 2.0.42 CUMULATIVE E-FIX
APAR status: Closed as program error.

Error description:
This interim fix corrects multiple problems which were resolved after the previous interim fix, PK13230.

Local fix:

Problem summary:
****************************************************************
* USERS AFFECTED: IBM HTTP SERVER 2.0.42.x/2.0.47.x users      *
****************************************************************
* PROBLEM DESCRIPTION: CVE-2005-3352 mod_imap security         *
*                      exposure and other fixes since PK13230  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

Address a security issue and other defects corrected after the previous fix pack for these releases, PK13230.

- CVE-2005-3352 mod_imap: Escape untrusted referer header in response to prevent potential cross-site scripting vulnerability
- PK21998 SSLProtocolDisable directive can disable specific protocols (e.g., "SSLProtocolDisable SSLv2" in virtual host)
- PK24631 HTML-escape the value of the Expect header in the error response to a bad Expect value
- PK24686 Fix missing path information in arg0 of CGI scripts spawned by mod_cgid
- PK22995 Fix excessive forking in worker MPM if child process startup is slow.
- mod_cache: Fix inconsistent results from requests which are implemented as subrequests.
- PK22485 memory leak and crash if files being served are truncated
- allow diagnostic modules to track activity in log-transaction hook
- PK20184 crashes related to mod_ibm_ssl and mod_ext_filter; also, deadlock of filter processes with mod_ext_filter
- PK20050 status line problem with WebSphere plug-in and byterange filter
- PK17802 mod_speling crash with WebSphere request
- PK19060 mod_ibm_ldap doesn't retry request when server timed out connection
- PK18642 mod_ibm_ldap memory leak
- mod_ibm_ssl now removes null ciphers from default list
- Apache.exe -V on Windows and apachectl -V on other platforms now displays CVE ids of applicable Apache vulnerabilities resolved in this level of IBM HTTP Server
- PK13858 Do not remove Content-Length header for a proxied HEAD request, allowing Windows Update to work through an IBM HTTP Server proxy.
- PK15553 multiple mod_include fixes, including a change to log a warning message if mod_include is only partially configured (filter enabled but option not enabled)
- Prevent hosts with SSLProxyEngine On from covering up failed initialization of primary SSL environment.
- Enable TLS protocol in the GSKit proxy environment to allow for connections to backends using FIPS ciphers. (applicable to 2.0.47 only)
- PK13453 Allow SID reuse when SSLClientAuth is optional and client does not provide certificate. (2.0.47 only)
- PK15926 Resolve conflict between mod_ibm_ldap and the use of ldap in /etc/nsswitch.conf for system user authentication on Linux.
- mod_ibm_ssl: improve logging of handshake errors
- mod_ibm_ssl: improve accuracy of "Using xxx Cipher" message
- mod_ibm_ssl: fix cipher spec processing problem when invalid SSLv3 cipher was configured (applicable to 2.0.42 only)

Changes in previous interim fixes, included here:

- PK13066 CAN-2005-2970 worker MPM memory leak after aborted connection (non-Windows platforms)
- Prevent double-free of GSKit memory during stop or restart which sometimes caused a coredump (non-Windows platforms)
- Prevent double-free when an error occurred reading data from sidd (non-Windows platforms only).
- PK11929 CAN-2005-2491 Fix integer overflow in PCRE which leads to a heap-based buffer overflow.
- PK11929 CAN-2005-2728 Fix byte-range filter which allowed remote attackers to cause a denial of service (memory consumption) via an HTTP header with large Range field
- Handle strerror() returning NULL on Solaris, resolving possible crashes when writing to the error log.
- Handle SSL requests where FIN is received from the client on Keepalive connections before the response is written.
- sidd now reports specific error code and filename when its trace or error log can't be opened.
- Fixed swapped references to ciphers 62 and 64. This resulted in SSLCipher* directives operating on the wrong cipher (i.e., using 64 if 62 had been specified).
- Fix SSL handling of Timeout values larger than 2000 seconds, resolving SSL handshake failures
- PK07831 Resolve incompatibility between IHS and certain GSKit levels
- PK07747 Resolve incompatibility between AFPA support on Windows and Microsoft Security Patch MS05-019
- CAN-2005-2088 preventative measures to prevent HTTP request smuggling, from Apache 2.1.6 and future Apache 2.0.55
- mod_ibm_ssl: include client IP address on many messages
- mod_ibm_ssl: improve reporting of many SSL communication errors
- Fix a servlet timeout when a POST response page contains SSI tags
- Set RH variable to indicate which module handled or failed the request
- dbmmanage: Select the database format which is accepted by IBM HTTP Server
- mod_rewrite: improve performance with large RewriteMap files
- Fix memory leak in the cache handling of mod_rewrite
- Fix storage corruption problem with mod_userdir+suexec processing
- PK03603 worker mpm: don't take down the whole server for a transient thread creation failure
- PK05830 Prevent hangs of child processes when writing to piped loggers at the time of graceful restart
- PK05957 Support the suppress-error-charset setting, as with Apache 1.3.x
- Set REDIRECT_REMOTE_USER for redirection of authenticated requests
- worker mpm: lower severity of mutex "error" message which can occur normally during restart
- display time taken to process request in mod_status
- mod_proxy: Handle client-aborted connections correctly
- mod_mime_magic on Windows: support magic files with native line endings
- support SHA1 passwords for mod_auth and mod_auth_dbm
- support SendBufferSize on Windows
- start piped loggers via the shell on Unix, to support redirection
- mod_cgid: Fix buffer overflow processing ScriptSock directive
- mod_ibm_ldap: put timestamp on ldap trace records for correlation with other logs
- mod_ibm_ldap: return authorization error instead of internal server error when password has expired
- mod_ibm_ldap: add configuration control over whether or not referrals are chased via "LdapReferrals On|Off" and "LdapReferralHopLimit nnn"
- mod_ibm_ldap: add rebind support for improved compatibility with Microsoft Active Directory 2003
- remove 2GB log file size restriction on Linux and Unix systems
- PQ98957 fix HTTP RFC violations with handling of request bodies by proxy
- PQ97712 fix worker MPM problem which left stranded processes after shutdown
- fix mod_deflate problems handling 304 or 204 responses
- PK00175 mod_ibm_ssl corrupts LIBPATH, breaking startup of third-party module
- fix mod_ibm_ssl storage leak during apachectl restart or apachectl graceful processing
- PQ86346 Seg fault with IHS ldap/nss ldap on 390
- fix mod_fastcgi incompatibility with WebSphere plug-in
- rename zlib symbols used by mod_deflate to avoid collision with third-party modules
- add "/server-status?showmodule" support for displaying name of module where request is stuck; ihsdiag 1.4.0 also exploits this support
- CAN-2003-0020 escape data before writing to error log
- fix ownership of sidd socket if IHS started as non-root on HP-UX
- resolve CAN-2004-0809 and CAN-2004-0942 vulnerabilities
- handle rewrite rules in Location containers applying to WebSphere resources
- shut down worker MPM more quickly when processes are slow to exit
- fix Expires handling with mod_cache
- reduce severity of message for TCP_NODELAY error
- PQ97125 CAN-2004-0942 fix memory consumption dos for folded MIME headers
- add fatal exception hook for use by diagnostic modules
- log reason for failing to connect to session id cache
- fixed invalid info messages about non-FIPS cipher if FIPS enabled
- fixed timeout problem in mod_ibm_ssl under load
- fixed LDAP not escaping ctrl chars \, (, ), and * as required by RFC 2254
- changed LDAP queries to request minimal set of attributes
- Potential denial of service exposure, CAN-2004-0786
- CAN-2004-0747 buffer overflow if extremely large environment variables are referenced in httpd.conf or .htaccess
- fix termination of long request lines
- fix mod_headers functional regression since 1.3
- fix mod_deflate large memory consumption
- fix handling of "AllowEncodedSlashes On"
- fix stranded piped logger processes on Windows
- change default Windows service name to the same service name set by IHS installer so that -n option is not required
- improve compatibility with 3rd party layered service providers on Win32
- fix crash in mod_ibm_ssl when using client auth
- CAN-2004-0493 remote memory allocation vulnerability
- rotatelogs ability to use local time
- "VirtualHost myhost" now applies to all IP addresses for myhost
- Fix mod_deflate to handle zero length responses (such as 304 responses)
- PQ89510 PDF files corrupted with acrobat over SSL (Windows)
- Unnecessary mod_expires error message in log
- Microsoft Windows pool corruption at startup leading to restart
- Some random storage logged for excessively long request line

(Fixes in PQ85834 are not listed here.)

Checksum of e-fix files is as follows:

1566326422   6062080 2.0.42.2-PK25355.aix.tar
1407861988  20172800 2.0.42.2-PK25355.hpux.tar
 487234659   5109760 2.0.42.2-PK25355.linux.tar
 840214610   5539840 2.0.42.2-PK25355.linux390.tar
1194906981   7096320 2.0.42.2-PK25355.linuxppc.tar
3111155675   4129534 2.0.42.2-PK25355.nt.zip
  76068036  18774016 2.0.42.2-PK25355.sun.tar
2359313763   5857280 2.0.47.1-PK25355.aix.tar
 502345522  20398080 2.0.47.1-PK25355.hpux.tar
 197793940   4741120 2.0.47.1-PK25355.linux.tar
 514851836   5509120 2.0.47.1-PK25355.linux390.tar
1862272806   6277120 2.0.47.1-PK25355.linuxppc.tar
2205981548   4217431 2.0.47.1-PK25355.nt.zip
1033633873  18405888 2.0.47.1-PK25355.sun.tar

Problem conclusion:
See individual APARs.

Temporary fix:

Comments:
Important note:
- mod_whatkilledus users: Upgrade to mod_whatkilledus.so from ihsdiag 1.4.2 or later to correct a problem in mod_whatkilledus.so which can be encountered with this and other recent levels of IBM HTTP Server.
The latest ihsdiag package can be downloaded here: ftp://ftp.software.ibm.com/software/websphere/ihs/support/Tools/ihsdiag/
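As an added illustration that is not part of the APAR text, the following virtual host applies the SSLProtocolDisable directive delivered by PK21998 (listed in the fix summary above) so that SSLv2 handshakes are refused for that host. The LoadModule, SSLEnable and Keyfile directives are standard IBM HTTP Server SSL configuration; the host name, listen port and key database path are assumed placeholder values, not values from this page.

```apache
# Added example, not from the APAR. Requires the PK25355 level, which
# delivers SSLProtocolDisable (PK21998). Host name and paths are assumed.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEnable
    # Assumed key database path; replace with the real .kdb for this host.
    Keyfile /opt/IBMIHS/ihskeys.kdb

    # Refuse SSLv2 handshakes for this virtual host. Without this line the
    # protocol stays enabled and clients may negotiate it.
    SSLProtocolDisable SSLv2
</VirtualHost>
```

After editing, check the configuration syntax with `apachectl -t` and confirm the running binary is at the expected fix level with `apachectl -V` (Apache.exe -V on Windows), which at this level also prints the CVE ids resolved, as the fix summary notes.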
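The checksum list in the APAR is what an administrator should compare against before unpacking a downloaded e-fix. The script below is an added example, not an IBM tool: it embeds the fourteen entries from the list above and checks a downloaded archive against them. It assumes the list is `cksum` output (CRC, byte count, file name), which the page does not state, so both the CRC and the size are compared and a file whose name is not in the list is reported separately.

```shell
#!/bin/sh
# Added example, not from the APAR: verify downloaded PK25355 e-fix archives
# against the checksum list quoted in the APAR text before installing them.
# Assumption: the list is `cksum` output (CRC, byte count, file name).

EFIX_CHECKSUMS='
1566326422 6062080 2.0.42.2-PK25355.aix.tar
1407861988 20172800 2.0.42.2-PK25355.hpux.tar
487234659 5109760 2.0.42.2-PK25355.linux.tar
840214610 5539840 2.0.42.2-PK25355.linux390.tar
1194906981 7096320 2.0.42.2-PK25355.linuxppc.tar
3111155675 4129534 2.0.42.2-PK25355.nt.zip
76068036 18774016 2.0.42.2-PK25355.sun.tar
2359313763 5857280 2.0.47.1-PK25355.aix.tar
502345522 20398080 2.0.47.1-PK25355.hpux.tar
197793940 4741120 2.0.47.1-PK25355.linux.tar
514851836 5509120 2.0.47.1-PK25355.linux390.tar
1862272806 6277120 2.0.47.1-PK25355.linuxppc.tar
2205981548 4217431 2.0.47.1-PK25355.nt.zip
1033633873 18405888 2.0.47.1-PK25355.sun.tar
'

# expected_checksum NAME: print "CRC SIZE" for NAME from the list, or nothing
# when NAME is not listed.
expected_checksum() {
    printf '%s\n' "$EFIX_CHECKSUMS" | awk -v n="$1" '$3 == n { print $1, $2 }'
}

# verify_efix FILE: print OK / MISMATCH / UNLISTED for FILE.
# Returns 0 only when CRC and size both match, 1 on a mismatch, and 2 when
# the file name is not in the list at all (wrong download or renamed file).
verify_efix() {
    file=$1
    name=$(basename "$file")
    expected=$(expected_checksum "$name")
    if [ -z "$expected" ]; then
        echo "UNLISTED $name"
        return 2
    fi
    actual=$(cksum "$file" | awk '{ print $1, $2 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK $name"
        return 0
    fi
    echo "MISMATCH $name: expected $expected, got $actual"
    return 1
}

# verify_all DIR: check every regular file in DIR. Exit status is non-zero
# if any file fails, so the result can gate an automated install step.
verify_all() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        verify_efix "$f" || rc=1
    done
    return $rc
}

# Usage: sh verify_efix.sh /path/to/downloaded/efix/dir
if [ $# -gt 0 ]; then
    verify_all "$1"
fi
```

Run it against the directory holding the downloaded .tar or .zip files; any MISMATCH or UNLISTED line means the archive should not be installed until it has been re-downloaded and re-checked.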
Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Runtime
Software version: 00A
Reference #: PK25355
IBM Group: Software Group
Modified date: Jun 13, 2006
(C) Copyright IBM Corporation 2000, 2008. All Rights Reserved.