From: bugzilla-noreply@freebsd.org
To: apache@FreeBSD.org
Subject: maintainer-feedback requested: [Bug 280130] www/apache24: Security Update to 2.4.61
Date: Thu, 04 Jul 2024 16:08:55 +0000
X-Bugzilla-Type: request
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: security
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: apache@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Support of apache-related ports
List-Archive: https://lists.freebsd.org/archives/freebsd-apache
Sender: owner-freebsd-apache@FreeBSD.org
MIME-Version: 1.0

Bugzilla Automation has asked freebsd-apache (Nobody) for maintainer-feedback:
Bug 280130: www/apache24: Security Update to 2.4.61
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280130

--- Description ---
Posting through announce@httpd.apache.org mailing list yesterday:
"Apache HTTP Server 2.4.61 Released"
https://lists.apache.org/thread/wz5hkj1lsptlv431rdn0gs8jvt5ol519

and out of https://downloads.apache.org/httpd/CHANGES_2.4:

Changes with Apache 2.4.61

  *) SECURITY: CVE-2024-39884: Apache HTTP Server: source code
     disclosure with handlers configured via AddType (cve.mitre.org)
     A regression in the core of Apache HTTP Server 2.4.60 ignores
     some use of the legacy content-type based configuration of
     handlers. "AddType" and similar configuration, under some
     circumstances where files are requested indirectly, result in
     source code disclosure of local content. For example, PHP
     scripts may be served instead of interpreted.
     Users are recommended to upgrade to version 2.4.61, which fixes
     this issue.

This should fix the problem reported in bug #280077.
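
An added example, not part of the bug report or of the Apache project's code: a minimal audit that flags the combination the changelog entry describes, a 2.4.60 server whose configuration selects a handler through `AddType`. The `application/x-httpd-` prefix test, the function names, and the sample banner and configuration are assumptions constructed for illustration.

```python
import re

AFFECTED = "2.4.60"  # version the changelog entry names as carrying the regression
# Assumption: a handler chosen via AddType uses an application/x-httpd-* type.
HANDLER_TYPE = re.compile(r"^application/x-httpd-", re.I)

def server_version(banner):
    """Extract X.Y.Z from `httpd -v` style output, or None."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def logical_lines(text):
    """Yield (first_lineno, line), joining backslash continuations, skipping comments."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped, buf = (buf + line).strip(), ""
        if stripped and not stripped.startswith("#"):
            yield start, stripped

def legacy_handler_mappings(conf):
    """Return (lineno, media_type, extensions) for each handler-style AddType."""
    hits = []
    for n, line in logical_lines(conf):
        parts = line.split()
        if parts[0].lower() != "addtype" or len(parts) < 3:
            continue
        media_type = parts[1].strip('"')
        if HANDLER_TYPE.match(media_type):
            hits.append((n, media_type, parts[2:]))
    return hits

def audit(banner, conf):
    version, hits = server_version(banner), legacy_handler_mappings(conf)
    return {"version": version, "mappings": hits,
            "exposed": version == AFFECTED and bool(hits)}

SAMPLE_BANNER = "Server version: Apache/2.4.60 (FreeBSD)\n"  # constructed
SAMPLE_CONF = """\
# constructed sample, not taken from the bug report
AddType text/html .shtml
AddType application/x-httpd-php .php \\
        .phtml
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""
```

The `SetHandler` block in the sample is not reported because it does not rely on the content-type based mapping; the check is a triage aid, and upgrading to 2.4.61 remains the fix the changelog recommends.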