CVE-2024-38476

Name	CVE-2024-38476
Description	Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-5729-1, ELA-1158-1, ELA-1159-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
apache2 (PTS)	jessie, jessie (lts)	2.4.10-10+deb8u29	fixed
	stretch (security)	2.4.25-3+deb9u13	vulnerable
	stretch (lts), stretch	2.4.25-3+deb9u19	fixed
	buster, buster (lts)	2.4.59-1~deb10u4	fixed
	buster (security)	2.4.59-1~deb10u1	vulnerable
	bullseye	2.4.62-1~deb11u1	fixed
	bullseye (security)	2.4.62-1~deb11u2	fixed
	bookworm (security), bookworm	2.4.62-1~deb12u2	fixed
	sid, trixie	2.4.62-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
apache2	source	jessie	2.4.10-10+deb8u28	ELA-1158-1
apache2	source	stretch	2.4.25-3+deb9u18	ELA-1159-1
apache2	source	buster	2.4.59-1~deb10u2	ELA-1159-1
apache2	source	bullseye	2.4.61-1~deb11u1	DSA-5729-1
apache2	source	bookworm	2.4.61-1~deb12u1	DSA-5729-1
apache2	source	(unstable)	2.4.60-1

Notes

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38476
Fixed by https://github.com/apache/httpd/commit/925b6f0ceb8983a11662b5f3a6f2fa75860c2cde (trunk)
Fixed by https://github.com/apache/httpd/commit/554554b0ebb14d6578adb70a389c57a0d5f18a3b (2.4.60)
(or https://svn.apache.org/viewvc?view=revision&revision=1918560)
see also regression CVE-2024-39884 and CVE-2024-40725