All posts by ISHACK AI BOT

  1. Artifex Ghostscript: (CVE-2024-33869) Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c.
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 07/03/2024; Created 11/21/2024; Added 11/19/2024; Modified 11/19/2024
     Description: An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename.
     Solution(s): ghostscript-upgrade-10_03_1
     References: https://attackerkb.com/topics/cve-2024-33869; CVE - 2024-33869
  2. Debian: CVE-2024-39844: znc -- security update
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 07/03/2024; Created 07/09/2024; Added 07/09/2024; Modified 07/09/2024
     Description: In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.
     Solution(s): debian-upgrade-znc
     References: https://attackerkb.com/topics/cve-2024-39844; CVE - 2024-39844; DSA-5725-1
  3. Red Hat: CVE-2024-29510: ghostscript: format string injection leads to shell command execution (SAFER bypass) (Multiple Advisories)
     Severity 5, CVSS (AV:L/AC:L/Au:N/C:C/I:N/A:N)
     Published 07/03/2024; Created 09/11/2024; Added 09/10/2024; Modified 09/13/2024
     Description: Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.
     Solution(s): redhat-upgrade-ghostscript, redhat-upgrade-ghostscript-debuginfo, redhat-upgrade-ghostscript-debugsource, redhat-upgrade-ghostscript-doc, redhat-upgrade-ghostscript-gtk-debuginfo, redhat-upgrade-ghostscript-tools-dvipdf, redhat-upgrade-ghostscript-tools-fonts, redhat-upgrade-ghostscript-tools-printing, redhat-upgrade-ghostscript-x11, redhat-upgrade-ghostscript-x11-debuginfo, redhat-upgrade-libgs, redhat-upgrade-libgs-debuginfo, redhat-upgrade-libgs-devel
     References: CVE-2024-29510; RHSA-2024:6197; RHSA-2024:6466
  4. Red Hat: CVE-2024-33869: ghostscript: path traversal and command execution due to path reduction (Multiple Advisories)
     Severity 5, CVSS (AV:L/AC:L/Au:N/C:P/I:P/A:P)
     Published 07/03/2024; Created 09/11/2024; Added 09/10/2024; Modified 09/13/2024
     Description: An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename.
     Solution(s): redhat-upgrade-ghostscript, redhat-upgrade-ghostscript-debuginfo, redhat-upgrade-ghostscript-debugsource, redhat-upgrade-ghostscript-doc, redhat-upgrade-ghostscript-gtk-debuginfo, redhat-upgrade-ghostscript-tools-dvipdf, redhat-upgrade-ghostscript-tools-fonts, redhat-upgrade-ghostscript-tools-printing, redhat-upgrade-ghostscript-x11, redhat-upgrade-ghostscript-x11-debuginfo, redhat-upgrade-libgs, redhat-upgrade-libgs-debuginfo, redhat-upgrade-libgs-devel
     References: CVE-2024-33869; RHSA-2024:6197; RHSA-2024:6466
  5. Amazon Linux 2023: CVE-2023-52168: Medium priority package update for p7zip
     Severity 7, CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:C)
     Published 07/03/2024; Created 02/14/2025; Added 02/14/2025; Modified 02/14/2025
     Description: The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc.
     Solution(s): amazon-linux-2023-upgrade-p7zip, amazon-linux-2023-upgrade-p7zip-debugsource, amazon-linux-2023-upgrade-p7zip-doc, amazon-linux-2023-upgrade-p7zip-plugins, amazon-linux-2023-upgrade-p7zip-plugins-debuginfo
     References: https://attackerkb.com/topics/cve-2023-52168; CVE - 2023-52168; https://alas.aws.amazon.com/AL2023/ALAS-2024-705.html
  6. Ubuntu: USN-6897-1 (CVE-2024-29506): Ghostscript vulnerabilities
     Severity 9, CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published 07/03/2024; Created 07/16/2024; Added 07/16/2024; Modified 01/28/2025
     Description: Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name.
     Solution(s): ubuntu-upgrade-ghostscript, ubuntu-upgrade-libgs10, ubuntu-upgrade-libgs9
     References: https://attackerkb.com/topics/cve-2024-29506; CVE - 2024-29506; USN-6897-1
  7. Huawei EulerOS: CVE-2024-33869: ghostscript security update
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 07/03/2024; Created 10/09/2024; Added 10/08/2024; Modified 10/08/2024
     Description: An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename.
     Solution(s): huawei-euleros-2_0_sp9-upgrade-ghostscript, huawei-euleros-2_0_sp9-upgrade-ghostscript-help
     References: https://attackerkb.com/topics/cve-2024-33869; CVE - 2024-33869; EulerOS-SA-2024-2389
  8. Huawei EulerOS: CVE-2024-33870: ghostscript security update
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 07/03/2024; Created 10/09/2024; Added 10/08/2024; Modified 10/08/2024
     Description: An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted.
     Solution(s): huawei-euleros-2_0_sp9-upgrade-ghostscript, huawei-euleros-2_0_sp9-upgrade-ghostscript-help
     References: https://attackerkb.com/topics/cve-2024-33870; CVE - 2024-33870; EulerOS-SA-2024-2389
  9. Red Hat: CVE-2024-34750: tomcat: Improper Handling of Exceptional Conditions (Multiple Advisories)
     Severity 8, CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C)
     Published 07/03/2024; Created 09/04/2024; Added 09/03/2024; Modified 09/13/2024
     Description: Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
     Solution(s): redhat-upgrade-tomcat, redhat-upgrade-tomcat-admin-webapps, redhat-upgrade-tomcat-docs-webapp, redhat-upgrade-tomcat-el-3-0-api, redhat-upgrade-tomcat-jsp-2-3-api, redhat-upgrade-tomcat-lib, redhat-upgrade-tomcat-servlet-4-0-api, redhat-upgrade-tomcat-webapps
     References: CVE-2024-34750; RHSA-2024:5693; RHSA-2024:5694; RHSA-2024:5695; RHSA-2024:5696
  10. Red Hat: CVE-2024-33870: ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths (Multiple Advisories)
      Severity 6, CVSS (AV:L/AC:L/Au:N/C:C/I:N/A:P)
      Published 07/03/2024; Created 09/11/2024; Added 09/10/2024; Modified 09/13/2024
      Description: An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted.
      Solution(s): redhat-upgrade-ghostscript, redhat-upgrade-ghostscript-debuginfo, redhat-upgrade-ghostscript-debugsource, redhat-upgrade-ghostscript-doc, redhat-upgrade-ghostscript-gtk-debuginfo, redhat-upgrade-ghostscript-tools-dvipdf, redhat-upgrade-ghostscript-tools-fonts, redhat-upgrade-ghostscript-tools-printing, redhat-upgrade-ghostscript-x11, redhat-upgrade-ghostscript-x11-debuginfo, redhat-upgrade-libgs, redhat-upgrade-libgs-debuginfo, redhat-upgrade-libgs-devel
      References: CVE-2024-33870; RHSA-2024:6197; RHSA-2024:6466
  11. Huawei EulerOS: CVE-2024-29508: ghostscript security update
      Severity 2, CVSS (AV:L/AC:L/Au:S/C:P/I:N/A:N)
      Published 07/03/2024; Created 11/12/2024; Added 11/11/2024; Modified 01/28/2025
      Description: Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc.
      Solution(s): huawei-euleros-2_0_sp9-upgrade-ghostscript, huawei-euleros-2_0_sp9-upgrade-ghostscript-help
      References: https://attackerkb.com/topics/cve-2024-29508; CVE - 2024-29508; EulerOS-SA-2024-2829
  12. Huawei EulerOS: CVE-2024-29510: ghostscript security update
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 07/03/2024; Created 10/09/2024; Added 10/08/2024; Modified 10/08/2024
      Description: Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.
      Solution(s): huawei-euleros-2_0_sp9-upgrade-ghostscript, huawei-euleros-2_0_sp9-upgrade-ghostscript-help
      References: https://attackerkb.com/topics/cve-2024-29510; CVE - 2024-29510; EulerOS-SA-2024-2389
  13. Apache Tomcat: Important: Denial of Service (CVE-2024-34750)
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 07/04/2024; Created 07/04/2024; Added 07/04/2024; Modified 10/05/2024
      Description: Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
      Solution(s): apache-tomcat-upgrade-10_1_25, apache-tomcat-upgrade-9_0_90
      References: https://attackerkb.com/topics/cve-2024-34750; CVE - 2024-34750; http://tomcat.apache.org/security-10.html; http://tomcat.apache.org/security-9.html
  14. Red Hat: CVE-2024-39936: qtbase: qtbase: Delay any communication until encrypted() can be responded to (Multiple Advisories)
      Severity 8, CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N)
      Published 07/04/2024; Created 07/20/2024; Added 07/19/2024; Modified 09/02/2024
      Description: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.
      Solution(s): redhat-upgrade-qt5-qtbase, redhat-upgrade-qt5-qtbase-common, redhat-upgrade-qt5-qtbase-debuginfo, redhat-upgrade-qt5-qtbase-debugsource, redhat-upgrade-qt5-qtbase-devel, redhat-upgrade-qt5-qtbase-devel-debuginfo, redhat-upgrade-qt5-qtbase-examples, redhat-upgrade-qt5-qtbase-examples-debuginfo, redhat-upgrade-qt5-qtbase-gui, redhat-upgrade-qt5-qtbase-gui-debuginfo, redhat-upgrade-qt5-qtbase-mysql, redhat-upgrade-qt5-qtbase-mysql-debuginfo, redhat-upgrade-qt5-qtbase-odbc, redhat-upgrade-qt5-qtbase-odbc-debuginfo, redhat-upgrade-qt5-qtbase-postgresql, redhat-upgrade-qt5-qtbase-postgresql-debuginfo, redhat-upgrade-qt5-qtbase-private-devel, redhat-upgrade-qt5-qtbase-static, redhat-upgrade-qt5-qtbase-tests-debuginfo
      References: CVE-2024-39936; RHSA-2024:4617; RHSA-2024:4623; RHSA-2024:4638; RHSA-2024:4639
  15. Alpine Linux: CVE-2024-39929: Vulnerability in Multiple Components
      Severity 6, CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N)
      Published 07/04/2024; Created 08/23/2024; Added 08/22/2024; Modified 10/02/2024
      Description: Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.
      Solution(s): alpine-linux-upgrade-exim
      References: https://attackerkb.com/topics/cve-2024-39929; CVE - 2024-39929; https://security.alpinelinux.org/vuln/CVE-2024-39929
  16. Huawei EulerOS: CVE-2024-39884: httpd security update
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 07/04/2024; Created 10/10/2024; Added 10/09/2024; Modified 10/09/2024
      Description: A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
      Solution(s): huawei-euleros-2_0_sp12-upgrade-httpd, huawei-euleros-2_0_sp12-upgrade-httpd-filesystem, huawei-euleros-2_0_sp12-upgrade-httpd-tools, huawei-euleros-2_0_sp12-upgrade-mod_ssl
      References: https://attackerkb.com/topics/cve-2024-39884; CVE - 2024-39884; EulerOS-SA-2024-2529
  17. SUSE: CVE-2024-39929: SUSE Linux Security Advisory
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 07/04/2024; Created 07/27/2024; Added 07/26/2024; Modified 07/26/2024
      Description: Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.
      Solution(s): suse-upgrade-exim, suse-upgrade-eximon, suse-upgrade-eximstats-html
      References: https://attackerkb.com/topics/cve-2024-39929; CVE - 2024-39929
  18. Oracle Linux: CVE-2024-39936: ELSA-2024-4623:qt5-qtbase security update (IMPORTANT) (Multiple Advisories)
      Severity 8, CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N)
      Published 07/04/2024; Created 07/20/2024; Added 08/16/2024; Modified 01/08/2025
      Description: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed. A vulnerability was found in Qt where, during a TLS connection for servers supporting HTTP2, Qt may send data to a server even if the TLS certificate doesn't match the redirected address. This occurs because Qt fails to validate the certificate against the redirected address, potentially sending data to an incorrect or malicious server.
      Solution(s): oracle-linux-upgrade-qt5-qtbase, oracle-linux-upgrade-qt5-qtbase-common, oracle-linux-upgrade-qt5-qtbase-devel, oracle-linux-upgrade-qt5-qtbase-doc, oracle-linux-upgrade-qt5-qtbase-examples, oracle-linux-upgrade-qt5-qtbase-gui, oracle-linux-upgrade-qt5-qtbase-mysql, oracle-linux-upgrade-qt5-qtbase-odbc, oracle-linux-upgrade-qt5-qtbase-postgresql, oracle-linux-upgrade-qt5-qtbase-private-devel, oracle-linux-upgrade-qt5-qtbase-static, oracle-linux-upgrade-qt5-rpm-macros
      References: https://attackerkb.com/topics/cve-2024-39936; CVE - 2024-39936; ELSA-2024-4623; ELSA-2024-4617; ELSA-2024-4647
  19. Amazon Linux 2023: CVE-2024-39884: Important priority package update for httpd
      Severity 8, CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N)
      Published 07/04/2024; Created 02/14/2025; Added 02/14/2025; Modified 02/14/2025
      Description: A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue. A flaw was found in httpd. The fix for CVE-2024-38476 ignores some uses of the legacy content-type based configuration of handlers. "AddType" and similar configurations, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.
      Solution(s): amazon-linux-2023-upgrade-httpd, amazon-linux-2023-upgrade-httpd-core, amazon-linux-2023-upgrade-httpd-core-debuginfo, amazon-linux-2023-upgrade-httpd-debuginfo, amazon-linux-2023-upgrade-httpd-debugsource, amazon-linux-2023-upgrade-httpd-devel, amazon-linux-2023-upgrade-httpd-filesystem, amazon-linux-2023-upgrade-httpd-manual, amazon-linux-2023-upgrade-httpd-tools, amazon-linux-2023-upgrade-httpd-tools-debuginfo, amazon-linux-2023-upgrade-mod-ldap, amazon-linux-2023-upgrade-mod-ldap-debuginfo, amazon-linux-2023-upgrade-mod-lua, amazon-linux-2023-upgrade-mod-lua-debuginfo, amazon-linux-2023-upgrade-mod-proxy-html, amazon-linux-2023-upgrade-mod-proxy-html-debuginfo, amazon-linux-2023-upgrade-mod-session, amazon-linux-2023-upgrade-mod-session-debuginfo, amazon-linux-2023-upgrade-mod-ssl, amazon-linux-2023-upgrade-mod-ssl-debuginfo
      References: https://attackerkb.com/topics/cve-2024-39884; CVE - 2024-39884; https://alas.aws.amazon.com/AL2023/ALAS-2024-656.html
  20. Oracle Linux: CVE-2024-6501: ELSA-2024-9317:NetworkManager security update (LOW) (Multiple Advisories)
      Severity 3, CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:P)
      Published 07/04/2024; Created 11/23/2024; Added 11/21/2024; Modified 01/07/2025
      Description: A flaw was found in NetworkManager. When a system running NetworkManager with DEBUG logs enabled and an interface eth1 configured with LLDP enabled, a malicious user could inject a malformed LLDP packet. NetworkManager would crash, leading to a denial of service.
      Solution(s): oracle-linux-upgrade-networkmanager, oracle-linux-upgrade-networkmanager-adsl, oracle-linux-upgrade-networkmanager-bluetooth, oracle-linux-upgrade-networkmanager-cloud-setup, oracle-linux-upgrade-networkmanager-config-connectivity-oracle, oracle-linux-upgrade-networkmanager-config-server, oracle-linux-upgrade-networkmanager-dispatcher-routing-rules, oracle-linux-upgrade-networkmanager-initscripts-updown, oracle-linux-upgrade-networkmanager-libnm, oracle-linux-upgrade-networkmanager-libnm-devel, oracle-linux-upgrade-networkmanager-ovs, oracle-linux-upgrade-networkmanager-ppp, oracle-linux-upgrade-networkmanager-team, oracle-linux-upgrade-networkmanager-tui, oracle-linux-upgrade-networkmanager-wifi, oracle-linux-upgrade-networkmanager-wwan
      References: https://attackerkb.com/topics/cve-2024-6501; CVE - 2024-6501; ELSA-2024-9317
  21. Amazon Linux AMI 2: CVE-2024-39884: Security patch for httpd (ALAS-2024-2594)
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 07/04/2024; Created 07/23/2024; Added 07/23/2024; Modified 07/23/2024
      Description: A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
      Solution(s): amazon-linux-ami-2-upgrade-httpd, amazon-linux-ami-2-upgrade-httpd-debuginfo, amazon-linux-ami-2-upgrade-httpd-devel, amazon-linux-ami-2-upgrade-httpd-filesystem, amazon-linux-ami-2-upgrade-httpd-manual, amazon-linux-ami-2-upgrade-httpd-tools, amazon-linux-ami-2-upgrade-mod_ldap, amazon-linux-ami-2-upgrade-mod_md, amazon-linux-ami-2-upgrade-mod_proxy_html, amazon-linux-ami-2-upgrade-mod_session, amazon-linux-ami-2-upgrade-mod_ssl
      References: https://attackerkb.com/topics/cve-2024-39884; AL2/ALAS-2024-2594; CVE - 2024-39884
  22. Apache HTTPD: Apache HTTP Server: source code disclosure with handlers configured via AddType (CVE-2024-39884)
      Severity 5, CVSS (AV:L/AC:L/Au:N/C:C/I:N/A:N)
      Published 07/04/2024; Created 10/14/2024; Added 10/14/2024; Modified 12/09/2024
      Description: A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
      Solution(s): apache-httpd-upgrade-latest
      References: https://attackerkb.com/topics/cve-2024-39884; http://www.openwall.com/lists/oss-security/2024/07/03/8; http://www.openwall.com/lists/oss-security/2024/07/17/6; https://httpd.apache.org/security/vulnerabilities_24.html; https://security.netapp.com/advisory/ntap-20240712-0002/; CVE - 2024-39884
  23. Debian: CVE-2024-39929: exim4 -- security update
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 07/04/2024; Created 07/12/2024; Added 07/12/2024; Modified 07/12/2024
      Description: Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.
      Solution(s): debian-upgrade-exim4
      References: https://attackerkb.com/topics/cve-2024-39929; CVE - 2024-39929; DSA-5728-1
  24. Debian: CVE-2024-39884: apache2 -- security update
      Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published 07/04/2024; Created 10/18/2024; Added 10/18/2024; Modified 10/18/2024
      Description: A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
      Solution(s): debian-upgrade-apache2
      References: https://attackerkb.com/topics/cve-2024-39884; CVE - 2024-39884
  25. VMware Photon OS: CVE-2024-39884
      Severity 5, CVSS (AV:L/AC:L/Au:N/C:C/I:N/A:N)
      Published 07/04/2024; Created 01/21/2025; Added 01/20/2025; Modified 02/04/2025
      Description: A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
      Solution(s): vmware-photon_os_update_tdnf
      References: https://attackerkb.com/topics/cve-2024-39884; CVE - 2024-39884