Date:      Tue, 02 Jul 2024 06:05:36 +0000
From:      bugzilla-noreply@freebsd.org
To:        apache@FreeBSD.org
Subject:   [Bug 280077] www/apache24 2.4.60 mod_dir does not appear to work
Message-ID:  <bug-280077-16115-woYG6eo4Nb@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-280077-16115@https.bugs.freebsd.org/bugzilla/>
References:  <bug-280077-16115@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280077

nihilesthic@proton.me changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nihilesthic@proton.me

--- Comment #1 from nihilesthic@proton.me ---
From the changelog ( https://downloads.apache.org/httpd/CHANGES_2.4.60 ):

SECURITY: CVE-2024-38476: Apache HTTP Server may use
exploitable/malicious backend application output to run local
handlers via internal redirect (cve.mitre.org)
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
are vulnerably to information disclosure, SSRF or local script
execution via backend applications whose response headers are
malicious or exploitable.

Note: Some legacy uses of the 'AddType' directive to connect a
request to a handler must be ported to 'SetHandler' after this fix.

This is a possible reason.

-- 
You are receiving this mail because:
You are the assignee for the bug.
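
An added example, not part of the original message and not Apache's or FreeBSD's own tooling: a small Python check for the legacy pattern the quoted changelog note refers to, which also prints the `SetHandler` form. It assumes that handler-style use means an `AddType` media type of the form `application/x-httpd-*`; the function names and the sample configuration are constructed for illustration.

```python
import re

# Assumption of this example: an AddType media type named application/x-httpd-*
# is being used as a handler name rather than as a real content type.
HANDLER_LIKE = re.compile(r"^application/x-httpd-[\w.+-]+$", re.IGNORECASE)
# Anchored at the directive name, so commented-out lines ("# AddType ...") never match.
ADDTYPE = re.compile(r"^\s*AddType\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)


def find_legacy_addtype(conf_text):
    """Return (line_no, media_type, extensions) for handler-style AddType lines."""
    hits = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = ADDTYPE.match(line)
        if m and HANDLER_LIKE.match(m.group(1)):
            # mod_mime accepts extensions with or without the leading dot.
            exts = [e.lstrip(".").lower() for e in m.group(2).split()]
            hits.append((line_no, m.group(1), exts))
    return hits


def suggest_sethandler(media_type, exts):
    """Render a SetHandler block covering the same extensions."""
    pattern = r"\.(%s)$" % "|".join(re.escape(e) for e in exts)
    return '<FilesMatch "%s">\n    SetHandler %s\n</FilesMatch>' % (pattern, media_type)


# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = """\
AddType text/html .shtml
# AddType application/x-httpd-php .php5
AddType application/x-httpd-php .php .phtml
AddType application/x-gzip .gz .tgz
"""

if __name__ == "__main__":
    for line_no, media_type, exts in find_legacy_addtype(SAMPLE_CONF):
        print("line %d: AddType %s %s" % (line_no, media_type, " ".join(exts)))
        print(suggest_sethandler(media_type, exts))
```

The suggested `FilesMatch` pattern only matches a final extension, whereas mod_mime also honours an extension in the middle of a file name (such as `name.php.txt`), so the ported form maps fewer files to the handler than the `AddType` line did.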


