Bug 2297362 (CVE-2024-40725)
| Summary: | CVE-2024-40725 httpd: source code disclosure with handlers configured via AddType | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | Buo.Ren.Lin, csutherl, jclere, pjindal, plodge, security-response-team, szappis, vchlup |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in httpd. The fix for CVE-2024-39884 ignores some uses of the legacy content-type based configuration of handlers. "AddType" and similar configurations, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2298751 | ||
| Bug Blocks: | |||
|
Description
Guilherme de Almeida Suckevicz
2024-07-11 16:53:42 UTC
For the record, [the CVE-2024-39884 patch in the 2.4.37-65.module+el8.10.0+22196 version of the httpd package](https://git.rockylinux.org/staging/rpms/httpd/-/blame/r8-stream-2.4/SOURCES/httpd-2.4.37-CVE-2024-39884+.patch?ref_type=heads#L224) already includes [the upstream fix of CVE-2024-40725](https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http/http_request.c?r1=1919249&r2=1919248&pathrev=1919249). |