CVE-2024-39884

Name: CVE-2024-39884
Description: A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release             | Version           | Status
apache2 (PTS)   | bullseye            | 2.4.59-1~deb11u1  | fixed
                | bullseye (security) | 2.4.61-1~deb11u1  | fixed
                | bookworm            | 2.4.59-1~deb12u1  | fixed
                | bookworm (security) | 2.4.61-1~deb12u1  | fixed
                | trixie, sid         | 2.4.62-1          | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
apache2 | source | bullseye   | (not affected) |         |        |
apache2 | source | bookworm   | (not affected) |         |        |
apache2 | source | (unstable) | 2.4.61-1       |         |        |

Notes

[bookworm] - apache2 <not-affected> (Vulnerable code not present)
[bullseye] - apache2 <not-affected> (Vulnerable code not present)
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-39884
Fixed by [1/4] https://github.com/apache/httpd/commit/cf3402e182f7a32eb9085a82347769cb2efe491e
Fixed by [2/4] https://github.com/apache/httpd/commit/aa4b05ee0536fdbd62b02eaab91f31ae3a305129
Fixed by [3/4] https://github.com/apache/httpd/commit/8ad3ec08d4852e1fc967377dbab4e8c76b96b791
Fixed by [4/4] https://github.com/apache/httpd/commit/fbe782e6c4a7c255790b80c74d5b8ee320ec93d2
Introduced by https://github.com/apache/httpd/commit/925b6f0ceb8983a11662b5f3a6f2fa75860c2cde
Regression in 2.4.60 (likely due to fix for CVE-2024-38476)
