| Name | CVE-2024-39884 |
| Description | A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | ELA-1158-1, ELA-1159-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| apache2 (PTS) | jessie, jessie (lts) | 2.4.10-10+deb8u29 | fixed |
| stretch (security) | 2.4.25-3+deb9u13 | vulnerable | |
| stretch (lts), stretch | 2.4.25-3+deb9u19 | fixed | |
| buster, buster (lts) | 2.4.59-1~deb10u3 | fixed | |
| buster (security) | 2.4.59-1~deb10u1 | vulnerable | |
| bullseye | 2.4.62-1~deb11u1 | fixed | |
| bullseye (security) | 2.4.62-1~deb11u2 | fixed | |
| bookworm | 2.4.62-1~deb12u1 | fixed | |
| bookworm (security) | 2.4.62-1~deb12u2 | fixed | |
| sid, trixie | 2.4.62-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| apache2 | source | jessie | 2.4.10-10+deb8u28 | ELA-1158-1 | ||
| apache2 | source | stretch | 2.4.25-3+deb9u18 | ELA-1159-1 | ||
| apache2 | source | buster | 2.4.59-1~deb10u2 | ELA-1159-1 | ||
| apache2 | source | bookworm | (not affected) | |||
| apache2 | source | (unstable) | 2.4.61-1 |
[bookworm] - apache2 <not-affected> (Vulnerable code not present)
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-39884
Fixed by [1/4] https://github.com/apache/httpd/commit/cf3402e182f7a32eb9085a82347769cb2efe491e (trunk)
Fixed by [2/4] https://github.com/apache/httpd/commit/aa4b05ee0536fdbd62b02eaab91f31ae3a305129 (trunk)
Fixed by [3/4] https://github.com/apache/httpd/commit/8ad3ec08d4852e1fc967377dbab4e8c76b96b791 (trunk)
Fixed by [4/4] https://github.com/apache/httpd/commit/fbe782e6c4a7c255790b80c74d5b8ee320ec93d2 (trunk)
Introduced by https://github.com/apache/httpd/commit/925b6f0ceb8983a11662b5f3a6f2fa75860c2cde
Regression fix in 2.4.60 (likely due to fix for CVE-2024-38476)
[regression] Fix was not fully merged in 2.4.61 and need another patch:
https://github.com/apache/httpd/pull/475 (patch [3/4] from trunk)
[regression] Tracked at: https://bugs.debian.org/1079206
Regression fixed by commit: https://github.com/apache/httpd/commit/5f82765bc640ddb6a13a681464856bf8f8a5cb10 (2.4.x)