Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 936257 (CVE-2024-40725, CVE-2024-40898) - <www-servers/apache-2.4.62: Multiple Vulnerabilities
Summary: <www-servers/apache-2.4.62: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2024-40725, CVE-2024-40898
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://downloads.apache.org/httpd/CH...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 936295
Blocks:
  Show dependency tree
 
Reported: 2024-07-18 17:52 UTC by Hank Leininger
Modified: 2024-09-28 08:04 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hank Leininger 2024-07-18 17:52:37 UTC
From $URL:

A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

Users are recommended to upgrade to version 2.4.62, which fixes this issue.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-07-18 20:09:37 UTC
I thought this was a dupe at first, but it isn't.. (bug 935427)
Comment 2 Hans de Graaff gentoo-dev Security 2024-07-19 10:05:07 UTC
Changes with Apache 2.4.62

  *) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with
     mod_rewrite in server/vhost context on Windows (cve.mitre.org)
     SSRF in Apache HTTP Server on Windows with mod_rewrite in
     server/vhost context, allows to potentially leak NTML hashes to
     a malicious server via SSRF and malicious requests.
     Users are recommended to upgrade to version 2.4.62 which fixes
     this issue.
     Credits: Smi1e (DBAPPSecurity Ltd.)

  *) SECURITY: CVE-2024-40725: Apache HTTP Server: source code
     disclosure with handlers configured via AddType (cve.mitre.org)
     A partial fix for  CVE-2024-39884 in the core of Apache HTTP
     Server 2.4.61 ignores some use of the legacy content-type based
     configuration of handlers. "AddType" and similar configuration,
     under some circumstances where files are requested indirectly,
     result in source code disclosure of local content. For example,
     PHP scripts may be served instead of interpreted.
     Users are recommended to upgrade to version 2.4.62, which fixes
     this issue.
Comment 3 Larry the Git Cow gentoo-dev 2024-09-22 07:44:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=97141c1eea994ed9e282d11a27fb2586112f147c

commit 97141c1eea994ed9e282d11a27fb2586112f147c
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2024-09-22 07:42:41 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 07:43:12 +0000

    www-servers/apache: drop 2.4.59-r1, 2.4.59-r3, 2.4.61
    
    Bug: https://bugs.gentoo.org/935427
    Bug: https://bugs.gentoo.org/936257
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 www-servers/apache/Manifest                |   5 -
 www-servers/apache/apache-2.4.59-r1.ebuild | 259 -----------------------------
 www-servers/apache/apache-2.4.59-r3.ebuild | 257 ----------------------------
 www-servers/apache/apache-2.4.61.ebuild    | 257 ----------------------------
 4 files changed, 778 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2024-09-28 08:02:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=701f541117df26d3da56d8d2563dc70b4fcd5d4f

commit 701f541117df26d3da56d8d2563dc70b4fcd5d4f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-28 08:01:45 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-28 08:02:03 +0000

    [ GLSA 202409-31 ] Apache HTTPD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/928540
    Bug: https://bugs.gentoo.org/935296
    Bug: https://bugs.gentoo.org/935427
    Bug: https://bugs.gentoo.org/936257
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-31.xml | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)