Fix (APAR):  PI05309

Status:  Fix

Release:  8.0.0.7,8.0.0.6,8.0.0.5,8.0.0.4,8.0.0.3,8.0.0.2,8.0.0.1,8.0

Operating System:  AIX,HP-UX,Linux,Solaris,Windows

Supersedes Fixes:  

CMVC Defect:  xxxxxx

Byte size of APAR:  149969416

Date: 2013-12-16

Abstract:  Potential denial of service vulnerability in IBM HTTP Server (CVE-2013-6329)

Description/symptom of problem:  
PI05309 resolves the following problem:

ERROR DESCRIPTION:
Confidential for Security Integrity ifix.

LOCAL FIX:                                                      
Disabling the SSLv3 Session cache will circumvent this issue,   
but may lead to higher CPU usage.  To use the circumvention:
                                     
-Windows platforms:                                             
                                                                
 Do one of the following:                                       
 a) Any Release: Set the system wide environment variable       
    'GSK_V3_SIDCACHE_SIZE' equal to zero and restart the        
    system                                                      
 b) IHS 8.0 and later: Set the following directive everywhere   
    you use the 'SSLEnable' directive:                          
      SSLAttributeSet 305 0 NUMERIC                             

-Other distributed platforms:

 1) Do one of the following:
    a) Any Release: Export the native environment variable 
       'GSK_V3_SIDCACHE_SIZE=0' in '$IHSROOT/bin/envvars' and 
       perform a full stop and start of the server.
    b) IHS 8.0 and later: Set the following directive everywhere
       you use the 'SSLEnable' directive: 
         SSLAttributeSet 305 0 NUMERIC 

 2) Set "SSLCacheDisable" at the bottom of httpd.conf

PROBLEM SUMMARY:
Confidential for Security Integrity ifix.

PROBLEM CONCLUSION:
The GSKit security library was updated to resolve the exposure.
                                                               
The fix is targeted for IBM HTTP Server fixpacks:              
- 7.0.0.33                                       
- 8.0.0.9                                        
- 8.5.5.2                                        


Directions to apply fix:  
Special Instructions: None

NOTE:
The user must:
  - be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require
    a newer version of the Installation Manager and the Installation Manager will
    inform you during the installation process if a newer version is required.
  - be logged in with the same authority level when unpacking a fix, fix pack or
    refresh pack.

  The IBM Information Center can provide details, if needed, on the use of the Installation
  Manager to apply the iFixes.
  http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.  

  Shutdown IBM HTTP Server before applying the iFixes.  
  Restart IBM HTTP Server after applying the iFixes.


Directions to remove fix:  
The IBM Information Center can provide details, if needed, on the use of the 
Installation Manager to remove the iFixes.
  http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.  

  Shutdown IBM HTTP Server before removing the iFixes.  
  Restart IBM HTTP Server after removing the iFixes.


Directions to re-apply fix:  
1) Stop IBM HTTP Server.

2) Follow the Fix instructions to apply the fix.

3) Restart IBM HTTP Server.



Additional Information: