Opened 2 months ago

Closed 2 months ago

Last modified 8 weeks ago

#20103 closed enhancement (fixed)

httpd-2.4.62

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: elevated Milestone: 12.2
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (6)

comment:1 by Bruce Dubbs, 2 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Douglas R. Reno, 2 months ago

Priority: normal → elevated

comment:3 by Bruce Dubbs, 2 months ago

Changes with Apache 2.4.62

  • mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets with BalancerMember(s).
  • mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs.
  • mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2.
  • mod_ssl: Add support for loading certs/keys from pkcs11: URIs via OpenSSL 3.x providers.
  • mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0.
  • mpm_worker: Fix possible warning (AH00045) about children processes not terminating timely.

comment:4 by Bruce Dubbs, 2 months ago

Resolution: fixed
Status: assigned → closed

Fixed at commits

df2c1af144 Update to cmake-3.30.1.
2ec10c47f4 Update to httpd-2.4.62.

comment:5 by Douglas R. Reno, 8 weeks ago

CVE-2024-40725

Severity: important

Affected versions:

- Apache HTTP Server 2.4.60 through 2.4.61

Description:

A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some 
use of the legacy content-type based configuration of handlers. "AddType" and similar 
configuration, under some circumstances where files are requested indirectly, result in 
source code disclosure of local content. For example, PHP scripts may be served instead 
of interpreted.

Users are recommended to upgrade to version 2.4.62, which fixes this issue.

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-40725

Timeline:

2024-07-09: reported
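
The advisory above combines two conditions: an httpd in the affected range (2.4.60 through 2.4.61) and handlers selected through legacy content-type configuration ("AddType" and similar). The following shell check is an added example written for this page; it is not part of the BLFS ticket, the BLFS book, or the Apache advisory. The sample configuration it writes is constructed for the demonstration, and the `SetHandler "proxy:unix:..."` line is the usual mod_proxy_fcgi way of mapping `.php` to PHP-FPM by handler rather than by content type, with a hypothetical socket path; the scanner assumes a single config file and does not follow `Include` directives.

```shell
#!/bin/sh
# Added example, not from the ticket or the Apache advisory: flag the two
# conditions the CVE-2024-40725 advisory combines, an affected httpd version
# and a legacy content-type based handler mapping (AddType / ForceType).

# Return 0 if the given version string is in the affected range named by the
# advisory (2.4.60 through 2.4.61), 1 otherwise. Older or newer releases are
# not in scope for this particular issue.
httpd_version_affected() {
    case "$1" in
        2.4.60|2.4.61) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every AddType/ForceType line in a config file that maps content to an
# application/x-httpd-* type, i.e. the legacy way of picking a handler such as
# PHP by content type. Output is "line:directive"; exit status is 0 if at
# least one such line was found, 1 otherwise (grep's own status).
# Assumption: all directives live in the one file; Include'd files are not read.
find_content_type_handlers() {
    grep -n -i -E '^[[:space:]]*(AddType|ForceType)[[:space:]]+application/x-httpd-' "$1"
}

# Number of flagged lines, for use in scripts and checks.
count_content_type_handlers() {
    find_content_type_handlers "$1" | wc -l | tr -d ' '
}

# Constructed sample config (not a real server's): one legacy mapping that the
# scanner should flag, one harmless AddType, and one handler-based mapping of
# .php to PHP-FPM (hypothetical socket path) that does not rely on content type.
write_sample_config() {
    cat > "$1" <<'EOF'
# legacy: handler chosen by content type
AddType application/x-httpd-php .php
AddType text/html .html
# explicit handler mapping, independent of content-type dispatch
<FilesMatch "\.php$">
    SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
</FilesMatch>
EOF
}

# Stand-alone usage: check the running build's version and scan the sample.
if [ "${1:-}" = "--demo" ]; then
    ver=$(httpd -v 2>/dev/null | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p')
    [ -n "$ver" ] && httpd_version_affected "$ver" && echo "httpd $ver is in the affected range"
    tmp=$(mktemp)
    write_sample_config "$tmp"
    find_content_type_handlers "$tmp" || echo "no content-type based handler mappings"
    rm -f "$tmp"
fi
```

Run it with `--demo` to see the scanner flag the `AddType application/x-httpd-php` line and leave the `SetHandler` mapping alone; point `find_content_type_handlers` at a real `httpd.conf` to audit an existing install. Upgrading to 2.4.62 remains the fix the advisory recommends; the handler-based mapping is simply the form that does not depend on the content-type dispatch the regression affected.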

comment:6 by Douglas R. Reno, 8 weeks ago

SA-12.1-067 updated to point users towards this version of httpd
