ALAS-2024-681


Amazon Linux 2023 Security Advisory: ALAS-2024-681
Advisory Release Date: 2024-08-01 04:06 Pacific
Advisory Updated Date: 2024-08-06 15:00 Pacific
Severity: Important

Issue Overview:

A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

Users are recommended to upgrade to version 2.4.62, which fixes this issue. (CVE-2024-40725)


Affected Packages:

httpd


Issue Correction:
Run dnf update httpd --releasever 2023.5.20240805 to update your system.

New Packages:
aarch64:
    mod_lua-debuginfo-2.4.62-1.amzn2023.aarch64
    httpd-debuginfo-2.4.62-1.amzn2023.aarch64
    mod_proxy_html-2.4.62-1.amzn2023.aarch64
    httpd-tools-debuginfo-2.4.62-1.amzn2023.aarch64
    mod_session-debuginfo-2.4.62-1.amzn2023.aarch64
    httpd-tools-2.4.62-1.amzn2023.aarch64
    mod_ldap-2.4.62-1.amzn2023.aarch64
    httpd-2.4.62-1.amzn2023.aarch64
    mod_session-2.4.62-1.amzn2023.aarch64
    mod_ldap-debuginfo-2.4.62-1.amzn2023.aarch64
    mod_lua-2.4.62-1.amzn2023.aarch64
    mod_ssl-2.4.62-1.amzn2023.aarch64
    httpd-devel-2.4.62-1.amzn2023.aarch64
    mod_ssl-debuginfo-2.4.62-1.amzn2023.aarch64
    httpd-debugsource-2.4.62-1.amzn2023.aarch64
    mod_proxy_html-debuginfo-2.4.62-1.amzn2023.aarch64
    httpd-core-debuginfo-2.4.62-1.amzn2023.aarch64
    httpd-core-2.4.62-1.amzn2023.aarch64

noarch:
    httpd-filesystem-2.4.62-1.amzn2023.noarch
    httpd-manual-2.4.62-1.amzn2023.noarch

src:
    httpd-2.4.62-1.amzn2023.src

x86_64:
    httpd-devel-2.4.62-1.amzn2023.x86_64
    mod_ldap-debuginfo-2.4.62-1.amzn2023.x86_64
    httpd-debuginfo-2.4.62-1.amzn2023.x86_64
    httpd-debugsource-2.4.62-1.amzn2023.x86_64
    mod_proxy_html-debuginfo-2.4.62-1.amzn2023.x86_64
    mod_session-2.4.62-1.amzn2023.x86_64
    mod_lua-debuginfo-2.4.62-1.amzn2023.x86_64
    httpd-tools-debuginfo-2.4.62-1.amzn2023.x86_64
    mod_lua-2.4.62-1.amzn2023.x86_64
    mod_ldap-2.4.62-1.amzn2023.x86_64
    mod_ssl-debuginfo-2.4.62-1.amzn2023.x86_64
    mod_proxy_html-2.4.62-1.amzn2023.x86_64
    httpd-2.4.62-1.amzn2023.x86_64
    mod_ssl-2.4.62-1.amzn2023.x86_64
    httpd-tools-2.4.62-1.amzn2023.x86_64
    mod_session-debuginfo-2.4.62-1.amzn2023.x86_64
    httpd-core-2.4.62-1.amzn2023.x86_64
    httpd-core-debuginfo-2.4.62-1.amzn2023.x86_64