Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 935427 (CVE-2024-39884)

Summary: =www-servers/apache-2.4.60: source code disclosure with handlers configured via AddType
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: apache-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=936257
Whiteboard: B3 [cleanup glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 936295    
Bug Blocks:    

Description Hans de Graaff gentoo-dev Security 2024-07-03 19:30:48 UTC 
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

Users are recommended to upgrade to version 2.4.61, which fixes this issue.