
Bug#1076531: bookworm-pu: package apache2/2.4.62-1~deb12u1



Control: tags -1 + confirmed

On Thu, 2024-07-18 at 09:39 +0400, Yadd wrote:
> [ Reason ]
> Apache2 was updated to 2.4.61 due to 8 CVEs. However "a partial fix
> for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores
> some use of the legacy content-type based configuration of handlers.
> "AddType" and similar configuration, under some circumstances where
> files are requested indirectly, result in source code disclosure of
> local content. For example, PHP scripts may be served instead of
> interpreted".
> 
> It's difficult to find what "under some circumstances" means, either
> in upstream commits or in upstream explanations.

Please go ahead.

Regards,

Adam

