CVE-2024-38477

Name	CVE-2024-38477
Description	null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-5729-1, ELA-1158-1, ELA-1159-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
apache2 (PTS)	jessie, jessie (lts)	2.4.10-10+deb8u29	fixed
	stretch (security)	2.4.25-3+deb9u13	vulnerable
	stretch (lts), stretch	2.4.25-3+deb9u19	fixed
	buster, buster (lts)	2.4.59-1~deb10u4	fixed
	buster (security)	2.4.59-1~deb10u1	vulnerable
	bullseye	2.4.62-1~deb11u1	fixed
	bullseye (security)	2.4.62-1~deb11u2	fixed
	bookworm (security), bookworm	2.4.62-1~deb12u2	fixed
	sid, trixie	2.4.62-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
apache2	source	jessie	2.4.10-10+deb8u28	ELA-1158-1
apache2	source	stretch	2.4.25-3+deb9u18	ELA-1159-1
apache2	source	buster	2.4.59-1~deb10u2	ELA-1159-1
apache2	source	bullseye	2.4.61-1~deb11u1	DSA-5729-1
apache2	source	bookworm	2.4.61-1~deb12u1	DSA-5729-1
apache2	source	(unstable)	2.4.60-1

Notes

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38477
Fixed by https://github.com/apache/httpd/commit/1d98d4db186e708f059336fb9342d0adb6925e85 (2.4.60)
(or https://svn.apache.org/viewvc?view=revision&revision=1918607)
Regression identified by Ubuntu https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2072648
Regression fixed by https://github.com/apache/httpd/commit/4d3a308014be26e5407113b4c827a1ea2882bf38 (2.4.60)