PK25355: IBM HTTP SERVER 2.0.47 AND 2.0.42 CUMULATIVE E-FIX

 Fixes are available

PK53584; 2.0.47.1: IBM HTTP Server 2.0.47 Cumulative Interim Fix
PK65782; 2.0.47.1: IBM HTTP Server V2.0.47 Cumulative Interim Fix
PK25355; 2.0.47.1: IBM HTTP Server V2.0.47 and V2.0.42 Cumulative Interim Fix
PK29827; 2.0.47.1: IBM HTTP Server V2.0.47 and V2.0.42 Cumulative Interim Fix



APAR status
Closed as program error.

Error description
This interim fix corrects multiple problems which were resolved
after the previous interim fix, PK13230.
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: IBM HTTP SERVER 2.0.42.x/2.0.47.x users      *
****************************************************************
* PROBLEM DESCRIPTION: CVE-2005-3352 mod_imap security         *
* exposure and other fixes since PK13230                       *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Address a security issue and other defects corrected after the
previous fix pack for these releases, PK13230.
- CVE-2005-3352 mod_imap: Escape untrusted referer header in
response to prevent potential cross-site scripting vulnerability
- PK21998 SSLProtocolDisable directive can disable specific
protocols (e.g., "SSLProtocolDisable SSLv2" in virtual host)
- PK24631 HTML-escape the value of the Expect header in the
error response to a bad Expect value
- PK24686 Fix missing path information in arg0 of CGI scripts
spawned by mod_cgid
- PK22995 Fix excessive forking in worker MPM if child process
startup is slow.
- mod_cache: Fix inconsistent results from requests which are
implemented as subrequests.
- PK22485 memory leak and crash if files being served are
truncated
- allow diagnostic modules to track activity in log-transaction
hook
- PK20184 crashes related to mod_ibm_ssl and mod_ext_filter;
also, deadlock of filter processes with mod_ext_filter
- PK20050 status line problem with WebSphere plug-in and
byterange filter
- PK17802 mod_speling crash with WebSphere request
- PK19060 mod_ibm_ldap doesn't retry request when server
timed out connection
- PK18642 mod_ibm_ldap memory leak
- mod_ibm_ssl now removes null ciphers from default list
- Apache.exe -V on Windows and apachectl -V on other
platforms now displays CVE ids of applicable Apache
vulnerabilities resolved in this level of IBM HTTP Server
- PK13858 Do not remove Content-Length header for a proxied
HEAD request, allowing Windows Update to work through an IBM
HTTP Server proxy.
- PK15553 multiple mod_include fixes, including a change to
log a warning message if mod_include is only partially
configured (filter enabled but option not enabled)
- Prevent hosts with SSLProxyEngine On from covering up
failed initialization of primary SSL environment.
- Enable TLS protocol in the GSKit proxy environment to
allow for connections to backends using FIPS ciphers.
(applicable to 2.0.47 only)
- PK13453 Allow SID reuse when SSLClientAuth is optional and
client does not provide certificate. (2.0.47 only)
- PK15926 Resolve conflict between mod_ibm_ldap and the use
of ldap in /etc/nsswitch.conf for system user authentication
on Linux.
- mod_ibm_ssl: improve logging of handshake errors
- mod_ibm_ssl: improve accuracy of "Using xxx Cipher" message
- mod_ibm_ssl: fix cipher spec processing problem when invalid
SSLv3 cipher was configured (applicable to 2.0.42 only)
Changes in previous interim fixes, included here
- PK13066 CAN-2005-2970 worker MPM memory leak after aborted
connection (non-Windows platforms)
- Prevent double-free of GSKit memory during stop or restart
which sometimes caused a coredump (non-Windows platforms)
- Prevent double-free when an error occurred reading data from
sidd (non-Windows platforms only).
- PK11929 CAN-2005-2491 Fix integer overflow in PCRE which leads
to a heap-based buffer overflow.
- PK11929 CAN-2005-2728 Fix byte-range filter which allowed
remote attackers to cause a denial of service (memory
consumption) via an HTTP header with large Range field
- Handle strerror() returning NULL on Solaris, resolving
possible crashes when writing to the error log.
- Handle SSL requests where FIN is received from the client on
Keepalive connections before the response is written.
- sidd now reports specific error code and filename when its
trace or error log can't be opened.
- Fixed swapped references to ciphers 62 and 64. This resulted
in SSLCipher* directives operating on the wrong cipher (i.e.,
using 64 if 62 had been specified).
- Fix SSL handling of Timeout values larger than 2000 seconds,
resolving SSL handshake failures
- PK07831 Resolve incompatibility between IHS and certain GSKit
levels
- PK07747 Resolve incompatibility between AFPA support on
Windows and Microsoft Security Patch MS05-019
- CAN-2005-2088 preventative measures to prevent HTTP request
smuggling, from Apache 2.1.6 and future Apache 2.0.55
- mod_ibm_ssl: include client IP address on many messages
- mod_ibm_ssl: improve reporting of many SSL communication
errors
- Fix a servlet timeout when a POST response page contains
SSI tags
- Set RH variable to indicate which module handled or failed
the request
- dbmmanage: Select the database format which is accepted by
IBM HTTP Server
- mod_rewrite: improve performance with large RewriteMap files
- Fix memory leak in the cache handling of mod_rewrite
- Fix storage corruption problem with mod_userdir+suexec
processing
- PK03603 worker mpm: don't take down the whole server for a
transient thread creation failure
- PK05830 Prevent hangs of child processes when writing to
piped loggers at the time of graceful restart
- PK05957 Support the suppress-error-charset setting, as with
Apache 1.3.x
- Set REDIRECT_REMOTE_USER for redirection of authenticated
requests
- worker mpm: lower severity of mutex "error" message which
can occur normally during restart
- display time taken to process request in mod_status
- mod_proxy: Handle client-aborted connections correctly
- mod_mime_magic on Windows: support magic files with native
line endings
- support SHA1 passwords for mod_auth and mod_auth_dbm
- support SendBufferSize on Windows
- start piped loggers via the shell on Unix, to support
redirection
- mod_cgid: Fix buffer overflow processing ScriptSock directive
- mod_ibm_ldap: put timestamp on ldap trace records for
correlation with other logs
- mod_ibm_ldap: return authorization error instead of internal
server error when password has expired
- mod_ibm_ldap: add configuration control over whether or not
referrals are chased via "LdapReferrals On|Off" and
"LdapReferralHopLimit nnn"
- mod_ibm_ldap: add rebind support for improved compatibility
with Microsoft Active Directory 2003
- remove 2GB log file size restriction on Linux and Unix systems
- PQ98957 fix HTTP RFC violations with handling of request
bodies by proxy
- PQ97712 fix worker MPM problem which left stranded processes
after shutdown
- fix mod_deflate problems handling 304 or 204 responses
- PK00175 mod_ibm_ssl corrupts LIBPATH, breaking startup of
third-party module
- fix mod_ibm_ssl storage leak during apachectl restart or
apachectl graceful processing
- PQ86346 Seg fault with IHS ldap/nss ldap on 390
- fix mod_fastcgi incompatibility with WebSphere plug-in
- rename zlib symbols used by mod_deflate to avoid collision
with third-party modules
- add "/server-status?showmodule" support for displaying name
of module where request is stuck; ihsdiag 1.4.0 also exploits
this support
- CAN-2003-0020 escape data before writing to error log
- fix ownership of sidd socket if IHS started as non-root on
HP-UX
- resolve CAN-2004-0809 and CAN-2004-0942 vulnerabilities
- handle rewrite rules in Location containers applying to
WebSphere resources
- shut down worker MPM more quickly when processes are slow
to exit
- fix Expires handling with mod_cache
- reduce severity of message for TCP_NODELAY error
- PQ97125 CAN-2004-0942 fix memory consumption DoS for folded
MIME headers
- add fatal exception hook for use by diagnostic modules
- log reason for failing to connect to session id cache
- fixed invalid info messages about non-FIPS cipher if FIPS
enabled
- fixed timeout problem in mod_ibm_ssl under load
- fixed LDAP not escaping ctrl chars \, (, ), and * as required
by RFC 2254
- changed LDAP queries to request minimal set of attributes
- Potential denial of service exposure, CAN-2004-0786
- CAN-2004-0747 buffer overflow if extremely large environment
variables are referenced in httpd.conf or .htaccess
- fix termination of long request lines
- fix mod_headers functional regression since 1.3
- fix mod_deflate large memory consumption
- fix handling of "AllowEncodedSlashes On"
- fix stranded piped logger processes on Windows
- change default Windows service name to the same service name
set by IHS installer so that -n option is not required
- improve compatibility with 3rd party layered service providers
on Win32
- fix crash in mod_ibm_ssl when using client auth
- CAN-2004-0493 remote memory allocation vulnerability
- rotatelogs ability to use local time
- "VirtualHost myhost" now applies to all IP addresses for
myhost
- Fix mod_deflate to handle zero length responses (such as 304
responses)
- PQ89510 PDF files corrupted with acrobat over SSL (Windows)
- Unnecessary mod_expires error message in log
- Microsoft Windows pool corruption at startup leading to restar
- Some random storage logged for excessively long request line
(Fixes in PQ85834 are not listed here.)
Checksum of e-fix files is as follows:
1566326422 6062080 2.0.42.2-PK25355.aix.tar
1407861988 20172800 2.0.42.2-PK25355.hpux.tar
487234659 5109760 2.0.42.2-PK25355.linux.tar
840214610 5539840 2.0.42.2-PK25355.linux390.tar
1194906981 7096320 2.0.42.2-PK25355.linuxppc.tar
3111155675 4129534 2.0.42.2-PK25355.nt.zip
76068036 18774016 2.0.42.2-PK25355.sun.tar
2359313763 5857280 2.0.47.1-PK25355.aix.tar
502345522 20398080 2.0.47.1-PK25355.hpux.tar
197793940 4741120 2.0.47.1-PK25355.linux.tar
514851836 5509120 2.0.47.1-PK25355.linux390.tar
1862272806 6277120 2.0.47.1-PK25355.linuxppc.tar
2205981548 4217431 2.0.47.1-PK25355.nt.zip
1033633873 18405888 2.0.47.1-PK25355.sun.tar
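
Added example, not part of IBM's APAR text: a shell function that checks downloaded e-fix archives against a manifest in the three-column layout above, assuming those columns are POSIX cksum output (CRC, byte count, file name). The name verify_manifest and the manifest file are hypothetical; cksum is a CRC, so a match shows the download is intact, not that it is authentic.

```shell
#!/bin/sh
# Added example (not IBM code). Assumes each manifest line is POSIX cksum
# output: "<crc> <bytes> <file name>", as in the checksum list above.
# verify_manifest is a hypothetical helper name.
#
# Usage: verify_manifest MANIFEST [DOWNLOAD_DIR]
# Files listed but not present are reported and skipped, because the list
# covers every platform and an administrator normally fetches only one.
# Returns 0 only if at least one file was checked and none mismatched.
verify_manifest() {
    manifest=$1
    dir=${2:-.}
    checked=0
    failed=0
    while read -r want_crc want_size name; do
        # Accept only "<digits> <digits> <name>"; ignore anything else.
        case "$want_crc" in ''|*[!0-9]*) continue ;; esac
        case "$want_size" in ''|*[!0-9]*) continue ;; esac
        [ -n "$name" ] || continue
        # Refuse entries that try to leave the download directory.
        case "$name" in
            */*) echo "REJECTED $name"; failed=$((failed + 1)); continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "ABSENT   $name"
            continue
        fi
        # Reading from stdin makes cksum print just "<crc> <bytes>".
        got=$(cksum < "$dir/$name")
        got_crc=${got%% *}
        got_size=${got#* }
        got_size=${got_size%% *}
        checked=$((checked + 1))
        if [ "$got_crc" = "$want_crc" ] && [ "$got_size" = "$want_size" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got_crc $got_size)"
            failed=$((failed + 1))
        fi
    done < "$manifest"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Run as a script when arguments are given.
if [ "$#" -ge 1 ]; then
    verify_manifest "$@"
fi
```
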
Problem conclusion
See individual APARs.
Temporary fix

Comments
Important note:
- mod_whatkilledus users: Upgrade to mod_whatkilledus.so from
ihsdiag 1.4.2 or later to correct a problem in
mod_whatkilledus.so which can be encountered with this and other
recent levels of IBM HTTP Server.
The latest ihsdiag package can be downloaded here:
ftp://ftp.software.ibm.com/software/websphere/ihs/support/Tools/ihsdiag/
APAR information
APAR number PK25355
Reported component name WAS HTTP SERVER
Reported component ID 5630A3603
Reported release 00A
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2006-05-22
Closed date 2006-06-07
Last modified date 2006-06-13

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced

Fix information
Fixed component name WAS HTTP SERVER
Fixed component ID 5630A3603

Applicable component levels
R00A PSN    UP
R00H PSN    UP
R003 PSN    UP
R00I PSN    UP
R00S PSN    UP
R00W PSN    UP
R00P PSN    UP
R10A PSN    UP
R10H PSN    UP
R103 PSN    UP
R10I PSN    UP
R10S PSN    UP
R10W PSN    UP
R10P PSN    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Runtime
Operating system(s):
Software version: 00A
Software edition:
Reference #: PK25355
IBM Group: Software Group
Modified date: Jun 13, 2006