Bug#1076531: bookworm-pu: package apache2/2.4.62-1~deb12u1

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1076531@bugs.debian.org
Subject: Bug#1076531: bookworm-pu: package apache2/2.4.62-1~deb12u1
From: Yadd <yadd@debian.org>
Date: Thu, 15 Aug 2024 05:09:38 +0400
Message-id: <[🔎] 3a53b717-e4bb-4d79-be85-41dd1b1d8abd@debian.org>
Reply-to: Yadd <yadd@debian.org>, 1076531@bugs.debian.org
In-reply-to: <[🔎] 6cd2804088a249e1a416690e782a267dce15d998.camel@adam-barratt.org.uk>
References: <172128117347.728118.5907113504961713127.reportbug@yadd-217.xnr.fr> <[🔎] 6cd2804088a249e1a416690e782a267dce15d998.camel@adam-barratt.org.uk> <172128117347.728118.5907113504961713127.reportbug@yadd-217.xnr.fr>

Hi Adam,

can I do the same with Bullseye ?

On 8/15/24 00:33, Adam D. Barratt wrote:

Control: tags -1 + confirmed

On Thu, 2024-07-18 at 09:39 +0400, Yadd wrote:

[ Reason ]
Apache2 was updated to 2.4.61 due to 8 CVEs. However "a partial fix
for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores
some use of the legacy content-type based configuration of handlers.
"AddType" and similar configuration, under some circumstances where
files are requested indirectly, result in source code disclosure of
local content. For example, PHP scripts may
be served instead of interpreted".

It's difficult to find in upstream commits what are "under some
circumstances" neither in upstream explanations.


Please go ahead.

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#1076531: bookworm-pu: package apache2/2.4.62-1~deb12u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- Bug#1076531: bookworm-pu: package apache2/2.4.62-1~deb12u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Processed: bullseye-pu: package bind9/1:9.16.50-1~deb11u2
Next by Date: Bug#1078083: transition: ace
Previous by thread: Processed: Re: Bug#1076531: bookworm-pu: package apache2/2.4.62-1~deb12u1
Next by thread: Bug#1076531: bookworm-pu: package apache2/2.4.62-1~deb12u1
Index(es):
- Date
- Thread