| Name | CVE-2024-39884 |
| Description | A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| apache2 (PTS) | bullseye | 2.4.59-1~deb11u1 | fixed |
| apache2 (PTS) | bullseye (security) | 2.4.61-1~deb11u1 | fixed |
| apache2 (PTS) | bookworm | 2.4.59-1~deb12u1 | fixed |
| apache2 (PTS) | bookworm (security) | 2.4.61-1~deb12u1 | fixed |
| apache2 (PTS) | trixie, sid | 2.4.62-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| apache2 | source | bullseye | (not affected) | | | |
| apache2 | source | bookworm | (not affected) | | | |
| apache2 | source | (unstable) | 2.4.61-1 | | | |
[bookworm] - apache2 <not-affected> (Vulnerable code not present)
[bullseye] - apache2 <not-affected> (Vulnerable code not present)
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-39884
Fixed by [1/4] https://github.com/apache/httpd/commit/cf3402e182f7a32eb9085a82347769cb2efe491e
Fixed by [2/4] https://github.com/apache/httpd/commit/aa4b05ee0536fdbd62b02eaab91f31ae3a305129
Fixed by [3/4] https://github.com/apache/httpd/commit/8ad3ec08d4852e1fc967377dbab4e8c76b96b791
Fixed by [4/4] https://github.com/apache/httpd/commit/fbe782e6c4a7c255790b80c74d5b8ee320ec93d2
Introduced by https://github.com/apache/httpd/commit/925b6f0ceb8983a11662b5f3a6f2fa75860c2cde
Regression in 2.4.60 (likely due to fix for CVE-2024-38476)