Bugzilla – Bug 1227353
VUL-0: CVE-2024-39884: apache2: source code disclosure with handlers configured via AddType
Last modified: 2024-07-18 08:40:48 UTC
Severity: important

Affected versions:
- Apache HTTP Server 2.4.60

Description:
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

Users are recommended to upgrade to version 2.4.61, which fixes this issue.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-39884

Timeline:
2024-07-01: reported

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39884
https://seclists.org/oss-sec/2024/q3/22
https://www.cve.org/CVERecord?id=CVE-2024-39884
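A configuration audit for the precondition described above, added here as an example (it is not part of the bug report or of Apache's code): it lists content-type based handler mappings and flags them when the server reports the affected 2.4.60 release. Assumptions: handler-style media types follow the application/x-httpd-* naming convention, ForceType is counted among the "similar configuration", and the function names and sample configuration are constructed for illustration.

```python
import re

AFFECTED_VERSION = "2.4.60"   # affected release named in the advisory
FIXED_VERSION = "2.4.61"      # release the advisory says to upgrade to
# Assumption: handler-style media types use the application/x-httpd-* naming
# convention (e.g. application/x-httpd-php); adjust for local handler names.
HANDLER_TYPE = re.compile(r"application/x-httpd-[\w.+-]+", re.IGNORECASE)
DIRECTIVE = re.compile(r"\s*(AddType|ForceType)\s+(\S.*)", re.IGNORECASE)

# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONFIG = """# vhost fragment
AddType application/x-httpd-php .php .phtml
AddType text/html .shtml
<Files "*.php5">
    SetHandler application/x-httpd-php
</Files>
<Directory "/srv/www/legacy">
    ForceType "application/x-httpd-php"
</Directory>
"""

def find_type_based_handlers(config_text):
    """Return (line_no, directive, media_type, extensions) per legacy mapping."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)   # '#' comments and SetHandler never match
        if not match:
            continue
        args = [a.strip("\"'") for a in match.group(2).split()]
        if HANDLER_TYPE.fullmatch(args[0]):
            findings.append((line_no, match.group(1), args[0].lower(), args[1:]))
    return findings

def parse_version(banner):
    """Extract x.y.z from a 'Server:' header or 'httpd -v' output."""
    match = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return match.group(1) if match else None

def assess(config_text, banner):
    """Flag the precondition only: affected release plus type-based handlers."""
    findings = find_type_based_handlers(config_text)
    version = parse_version(banner)
    return {"version": version, "findings": findings,
            "at_risk": version == AFFECTED_VERSION and bool(findings)}

if __name__ == "__main__":
    report = assess(SAMPLE_CONFIG, "Server version: Apache/2.4.60 (Unix)")
    for line_no, directive, media_type, exts in report["findings"]:
        print(f"line {line_no}: {directive} {media_type} {' '.join(exts)}")
    print("at risk:", report["at_risk"], "- fixed in", FIXED_VERSION)
```

The check reads one file at a time; run it over every included configuration file and any .htaccess files that are allowed to set these directives.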
It looks like the fix for this issue is not complete. There is a new bsc#1228097 with CVE-2024-40725 that references this CVE.