From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 280130] www/apache24: Security Update to 2.4.61
Date: Thu, 04 Jul 2024 16:08:55 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280130

    Bug ID: 280130
   Summary: www/apache24: Security Update to 2.4.61
   Product: Ports & Packages
   Version: Latest
  Hardware: Any
        OS: Any
    Status: New
  Keywords: security
  Severity: Affects Many People
  Priority: ---
 Component: Individual Port(s)
  Assignee: apache@FreeBSD.org
  Reporter: fabian@wenks.ch
     Flags: maintainer-feedback?(apache@FreeBSD.org)

Posting through announce@httpd.apache.org mailing list yesterday:
"Apache HTTP Server 2.4.61 Released"
https://lists.apache.org/thread/wz5hkj1lsptlv431rdn0gs8jvt5ol519

and out of https://downloads.apache.org/httpd/CHANGES_2.4:

Changes with Apache 2.4.61

  *) SECURITY: CVE-2024-39884: Apache HTTP Server: source code
     disclosure with handlers configured via AddType (cve.mitre.org)
     A regression in the core of Apache HTTP Server 2.4.60 ignores
     some use of the legacy content-type based configuration of
     handlers. "AddType" and similar configuration, under some
     circumstances where files are requested indirectly, result in
     source code disclosure of local content. For example, PHP
     scripts may be served instead of interpreted.
     Users are recommended to upgrade to version 2.4.61, which fixes
     this issue.

This should fix the problem reported in bug #280077.

-- 
You are receiving this mail because:
You are the assignee for the bug.
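An added example, not part of the bug report or of the Apache project's code: a small audit that flags the combination the CHANGES entry above describes, a 2.4.60 build whose configuration selects handlers through `AddType`. The function names, the sample configuration and the `application/x-httpd-*` naming convention used to recognise handler types are assumptions.

```python
import re

AFFECTED = (2, 4, 60)  # release the report names as carrying the regression
# Assumption: handler-selecting media types use the conventional
# "application/x-httpd-*" naming, e.g. application/x-httpd-php.
HANDLER_TYPE = re.compile(r"application/x-httpd-[\w.+-]+", re.I)

# Constructed sample configuration, not taken from the bug report.
SAMPLE = """\
AddType text/html .shtml
  AddType application/x-httpd-php .php \\
      .phtml
#AddType application/x-httpd-php-source .phps
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

def logical_lines(text):
    """Yield (first_line_no, directive), joining backslash continuations and skipping comments."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        directive, buf = (buf + line).strip(), ""
        if directive and not directive.startswith("#"):
            yield start, directive

def find_addtype_handlers(text):
    """Return [(line_no, media_type, extensions)] for AddType directives that name a handler type."""
    hits = []
    for n, directive in logical_lines(text):
        parts = [p.strip("\"'") for p in directive.split()]
        if len(parts) >= 3 and parts[0].lower() == "addtype" and HANDLER_TYPE.fullmatch(parts[1]):
            hits.append((n, parts[1].lower(), parts[2:]))
    return hits

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` style output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(g) for g in m.groups()) if m else None

def exposed(banner, config_text):
    """True when the build is 2.4.60 and the config maps handlers through AddType."""
    return parse_version(banner) == AFFECTED and bool(find_addtype_handlers(config_text))
```

Feed `exposed()` the output of `httpd -v` and the text of each configuration file the server includes; a hit means the upgrade to 2.4.61 requested in this report applies to that host.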