Date: Wed, 17 Jul 2024 18:48:41 GMT
From: Bernard Spil <brnrd@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 14c4e37cf2b8 - main - security/vuxml: Document Apache httpd vulnerability
Message-ID: <202407171848.46HImfC8073722@gitrepo.freebsd.org>
The branch main has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=14c4e37cf2b872af531414a8b421eff522a0186c commit 14c4e37cf2b872af531414a8b421eff522a0186c Author: Bernard Spil <brnrd@FreeBSD.org> AuthorDate: 2024-07-17 18:48:38 +0000 Commit: Bernard Spil <brnrd@FreeBSD.org> CommitDate: 2024-07-17 18:48:38 +0000 security/vuxml: Document Apache httpd vulnerability --- security/vuxml/vuln/2024.xml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index d05e597df78e..1e31f47a5cf4 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml 
@@ -1,3 +1,36 @@ + <vuln vid="088b8b7d-446c-11ef-b611-84a93843eb75"> + <topic>Apache httpd -- Source code disclosure with handlers configured via AddType</topic> + <affects> + <package> + <name>apache24</name> + <range><ge>2.4.60</ge><lt>2.4.62</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Apache httpd project reports:</p> + <blockquote cite="https://httpd.apache.org/security/vulnerabilities_24.html"> + <p>source code disclosure with handlers configured via AddType + (CVE-2024-40725) (Important): A partial fix for CVE-2024-39884 + in the core of Apache HTTP Server 2.4.61 ignores some use of the + legacy content-type based configuration of handlers. "AddType" + and similar configuration, under some circumstances where files + are requested indirectly, result in source code disclosure of + local content. For example, PHP scripts may be served instead + of interpreted.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-40725</cvename> + <url>https://httpd.apache.org/security/vulnerabilities_24.html</url> + </references> + <dates> + <discovery>2024-07-17</discovery> + <entry>2024-07-17</entry> + </dates> + </vuln> + <vuln vid="3b018063-4358-11ef-b611-84a93843eb75"> <topic>MySQL -- Multiple vulnerabilities</topic> <affects>
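Review bot: The `<range>` in the new apache24 entry (`<ge>2.4.60</ge><lt>2.4.62</lt>`) cannot be checked against the quoted advisory text, which names only the partial fix in 2.4.61 and gives neither a first affected release nor a fixed release. Consider extending the blockquote with the upstream statement of affected versions, or stating in the commit message where the 2.4.60 and 2.4.62 bounds come from, so that someone auditing the entry later can verify the range from the record itself. The commit message is also only a subject line; a short body naming CVE-2024-40725 would make the commit easier to find from the CVE identifier. Minor: the quoted paragraph opens with a lowercase "source code disclosure" while the `<topic>` capitalises it; if that matches the upstream page verbatim, leave it as is.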