[Bug 280077] www/apache24 2.4.60 mod_dir does not appear to work

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 02 Jul 2024 06:05:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280077

nihilesthic@proton.me changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nihilesthic@proton.me

--- Comment #1 from nihilesthic@proton.me ---
From the changelog ( https://downloads.apache.org/httpd/CHANGES_2.4.60 ):

SECURITY: CVE-2024-38476: Apache HTTP Server may use
exploitable/malicious backend application output to run local
handlers via internal redirect (cve.mitre.org)
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
are vulnerable to information disclosure, SSRF or local script
execution via backend applications whose response headers are
malicious or exploitable.

Note: Some legacy uses of the 'AddType' directive to connect a
request to a handler must be ported to 'SetHandler' after this fix.

This is a possible reason.

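
A check for the changelog note quoted in the comment above, as an added example that is not part of the bug report or of the Apache or FreeBSD code: it scans httpd configuration text for 'AddType' lines that name a handler and prints a 'SetHandler' form for each. Assumptions: media types of the form application/x-httpd-* are treated as handler names, the sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
LoadModule php_module libexec/apache24/libphp.so
DirectoryIndex index.php index.html
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
AddType text/html .shtml
# AddType application/x-httpd-php .php5
<FilesMatch "\\.inc$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

# Assumption: application/x-httpd-* values are handler names, not real
# content types, so an AddType line carrying one is a legacy handler mapping.
HANDLER_TYPE = re.compile(r"^application/x-httpd-[\w.+-]+$", re.I)


def find_legacy_addtype(conf_text):
    """Return (line_no, handler, extensions) for AddType lines naming a handler."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and commented-out directives
        parts = [p.strip('"') for p in line.split()]
        if (len(parts) >= 3 and parts[0].lower() == "addtype"
                and HANDLER_TYPE.match(parts[1])):
            hits.append((no, parts[1], parts[2:]))
    return hits


def suggest_sethandler(handler, extensions):
    """Render a FilesMatch/SetHandler block covering the given extensions."""
    alts = "|".join(re.escape(e.lstrip(".")) for e in extensions)
    return (f'<FilesMatch "\\.({alts})$">\n'
            f"    SetHandler {handler}\n"
            "</FilesMatch>")


if __name__ == "__main__":
    for no, handler, exts in find_legacy_addtype(SAMPLE_CONF):
        print(f"line {no}: AddType {handler} {' '.join(exts)}  ->")
        print(suggest_sethandler(handler, exts))
```

The generated FilesMatch pattern only matches when the extension is the last one in the file name, which is narrower than 'AddType' extension matching, so review each suggestion before applying it.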