CVE-2024-40725

Name	CVE-2024-40725
Description	A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	ELA-1158-1, ELA-1159-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
apache2 (PTS)	jessie, jessie (lts)	2.4.10-10+deb8u28	fixed
	stretch (security)	2.4.25-3+deb9u13	vulnerable
	stretch (lts), stretch	2.4.25-3+deb9u18	fixed
	buster, buster (lts)	2.4.59-1~deb10u2	fixed
	buster (security)	2.4.59-1~deb10u1	vulnerable
	bullseye	2.4.62-1~deb11u1	fixed
	bullseye (security)	2.4.61-1~deb11u1	vulnerable
	bookworm	2.4.62-1~deb12u1	fixed
	bookworm (security)	2.4.61-1~deb12u1	vulnerable
	trixie, sid	2.4.62-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
apache2	source	jessie	2.4.10-10+deb8u28	ELA-1158-1
apache2	source	stretch	2.4.25-3+deb9u18	ELA-1159-1
apache2	source	buster	2.4.59-1~deb10u2	ELA-1159-1
apache2	source	bullseye	2.4.62-1~deb11u1
apache2	source	bookworm	2.4.62-1~deb12u1
apache2	source	(unstable)	2.4.62-1

Notes

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-40725
Introduced due to fix for CVE-2024-39884 (this CVE was fixed in 2.4.60)
Fixed by https://github.com/apache/httpd/commit/a7d24b4ea9a6ea35878fd33075365328caafcf91 (2.4.62)
(or svn https://svn.apache.org/viewvc?view=revision&revision=1919249)