Fix (APAR):  PI95670

Status:  Fix

Release:  9.0.0.7

Operating System:  AIX,Linux,Windows

Supersedes Fixes:  

CMVC Defect:  xxxxxx

Byte size of APAR:  135129074

Date: 2018-04-09

Abstract:  Multiple vulnerabilities in IBM HTTP Server

Description/symptom of problem:  
PI95670 resolves the following problem:

ERROR DESCRIPTION:
Multiple vulnerabilities in IBM HTTP Server.

PROBLEM SUMMARY:
CVE-2017-15710, CVE-2017-15715, CVE-2018-1301 in IBM HTTP Server.

PROBLEM CONCLUSION:
IHS was updated to prevent the vulnerable conditions.

This fix is targeted for IBM HTTP Server fix packs:
- 8.5.5.14
- 9.0.0.8



Directions to apply fix:
1. Stop IBM HTTP Server.
2. **AIX only:** Run "slibclean" as root.
3. Back up your IBM HTTP Server installation directory.
4. Extract the interim fix archive containing the new IHS runtime files on top of the parent directory of the installation root.
5. **Windows only:** Run `postinstall.bat` from the server root, passing no arguments.
6. Restart IBM HTTP Server.


Directions to remove fix:
1. Stop IBM HTTP Server. **AIX only:** Run "slibclean" as root.
2. Restore the earlier IBM HTTP Server installation root from backup, or extract a previous maintenance-level archive install on top of the current installation.
3. **Windows only:** Run `postinstall.bat` from the server root, passing no arguments.
4. Restart IBM HTTP Server.


Directions to re-apply fix:
1. Stop IBM HTTP Server.
2. Follow the directions to apply the fix.
3. Restart IBM HTTP Server.



Additional Information:
- Do not store data in the gsk8 subdirectory.
- Do not remove conf/postinst.properties.
- Archive maintenance is cumulative only and is a full replacement.
- Java, and by extension ikeyman, are not included. Use `bin/gskcapicmd` for certificate management.
- See `bin/quickssl.sh` or `bin/quickssl.bat` to create a basic self-signed certificate.