
    CVE-2016-8743: Apache HTTP Request Parsing Whitespace Defect - Apache 2.2.32 - PDS and SSL

    • Product: Aleph
    • Product Version: 22, 23
    • Relevant for Installation Type: Multi-Tenant Direct, Dedicated-Direct, Local, TotalCare




    The following applies only to installations that have Apache 2.2.32 installed on their Aleph server and use PDS in SSL mode.


    Note: Apache version 2.2.32 is not part of the Third Party updates [Status: June 07, 2017].



    There is a problem with login via PDS in SSL mode after the upgrade to Apache 2.2.32, which was required to address security vulnerability CVE-2016-8743.



    The HTTPS call from Aleph to PDS was changed to support Apache 2.2.32 in rc #2415 (v22) and rc #2122 (v23).



    Additional Information


    Note 1) If you would like to implement this Apache version on your Aleph server to address the vulnerability documented as 'CVE-2016-8743', please contact the Ex Libris Support team to schedule the installation on your Aleph production server.



    Note 2) A hotfix is available for rc #2415 (v22) and rc #2122 (v23), respectively.



    Download instructions for the hotfix (example for rc #2122):


    1) Connect to
    Username: Outgoing
    Password: 0sc6rexl 

    Please note that the user Outgoing has read-only permission on the FTP server and that directory listing is not allowed.
    2) Download the file hotfix_ver23_rc2122.tar.gz to any directory on your server:
    ftp> cd hotfix
    ftp> get hotfix_ver23_rc2122.tar.gz

    3) Unzip and untar:
    gunzip hotfix_ver23_rc2122.tar.gz
    tar xvf hotfix_ver23_rc2122.tar
    4) Call up script aaa_install:
    cd hotfix_ver23_rc2122/

    5) The fix is reactivated after the next startup of Aleph.



    Replace hotfix_ver23_rc2122 with hotfix_ver22_rc2415 to obtain the hotfix for Aleph version 22.



    • Article last edited: 07-June-2017