Fix (APAR): PI05309
Status: Fix
Release: 8.5.5, 8.5
Operating System: AIX, HP-UX, Linux, Solaris, Windows
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 149935506
Date: 2013-12-16

Abstract: Potential denial of service vulnerability in IBM HTTP Server (CVE-2013-6329)

Description/symptom of problem:

PI05309 resolves the following problem:

ERROR DESCRIPTION:
Confidential for Security Integrity ifix.

LOCAL FIX:
Disabling the SSLv3 Session cache will circumvent this issue, but may lead to higher CPU usage.

To use the circumvention:

-Windows platforms:

   Do one of the following:

   a) Any Release: Set the system wide environment variable 'GSK_V3_SIDCACHE_SIZE' equal to zero and restart the system

   b) IHS 8.0 and later: Set the following directive everywhere you use the 'SSLEnable' directive:

      SSLAttributeSet 305 0 NUMERIC

-Other distributed platforms:

   1) Do one of the following:

      a) Any Release: Export the native environment variable 'GSK_V3_SIDCACHE_SIZE=0' in '$IHSROOT/bin/envvars' and perform a full stop and start of the server.

      b) IHS 8.0 and later: Set the following directive everywhere you use the 'SSLEnable' directive:

         SSLAttributeSet 305 0 NUMERIC

   2) Set "SSLCacheDisable" at the bottom of httpd.conf

PROBLEM SUMMARY:
Confidential for Security Integrity ifix.

PROBLEM CONCLUSION:
The GSKit security library was updated to resolve the exposure.

The fix is targeted for IBM HTTP Server fixpacks:
-
-
-

Directions to apply fix:

Special Instructions: None

NOTE: The user must:
- be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager and the Installation Manager will inform you during the installation process if a newer version is required.
- be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes.

Shutdown IBM HTTP Server before applying the iFixes.
Restart IBM HTTP Server after applying the iFixes.

Directions to remove fix:

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes.

Shutdown IBM HTTP Server before removing the iFixes.
Restart IBM HTTP Server after removing the iFixes.

Directions to re-apply fix:

1) Stop IBM HTTP Server.
2) Follow the Fix instructions to apply the fix.
3) Restart IBM HTTP Server.

Additional Information:
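
Where the LOCAL FIX circumvention is used instead of the iFix, the following added example (not part of the APAR or any IBM tooling) checks an httpd.conf for option b) and step 2): every scope that uses 'SSLEnable' should also carry 'SSLAttributeSet 305 0 NUMERIC', and 'SSLCacheDisable' should be set. The function name and sample config are constructed for illustration; the check assumes directives sit in httpd.conf itself or in <VirtualHost> blocks, does not follow Include files, and does not look at the 'GSK_V3_SIDCACHE_SIZE' environment variable from option a).

```python
import re

# Constructed sample config (not from the APAR): the first vhost carries the
# workaround directive, the second has it commented out.
SAMPLE_CONF = """\
Listen 443
<VirtualHost *:443>
    SSLEnable
    SSLAttributeSet 305 0 NUMERIC
</VirtualHost>
<VirtualHost *:8443>
    SSLEnable
    # SSLAttributeSet 305 0 NUMERIC
</VirtualHost>
SSLCacheDisable
"""

def audit_workaround(conf_text):
    """Return (scopes with SSLEnable but no 305 attribute, SSLCacheDisable seen)."""
    scope = "global"
    ssl_enabled, attr_set = set(), set()
    cache_disabled = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives do not count
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            scope = opened.group(1).strip()
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = "global"
        else:
            words = line.lower().split()  # directive names are case-insensitive
            if words == ["sslenable"]:
                ssl_enabled.add(scope)
            elif words == ["sslattributeset", "305", "0", "numeric"]:
                attr_set.add(scope)
            elif words == ["sslcachedisable"]:
                cache_disabled = True
    return sorted(ssl_enabled - attr_set), cache_disabled

if __name__ == "__main__":
    missing, cache_disabled = audit_workaround(SAMPLE_CONF)
    print("SSLEnable scopes missing 'SSLAttributeSet 305 0 NUMERIC':", missing)
    print("SSLCacheDisable present:", cache_disabled)
```

An empty list together with SSLCacheDisable present means the directive-based circumvention is in place for every SSL-enabled scope in the file that was checked.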