
The Apache Software Foundation has released Apache HTTP Server version 2.4.61, a crucial update that addresses a severe source code disclosure vulnerability that could expose sensitive server-side information to malicious actors.
The vulnerability, tracked as CVE-2024-39884, stems from a regression in the handling of legacy content-type based configurations. Specifically, the “AddType” directive and similar settings, when used under specific circumstances, could inadvertently reveal the source code of files intended to be processed. This could include server-side scripts, configuration files, or other sensitive data.
The Apache team urges all users of Apache HTTP Server 2.4.60 to immediately upgrade to version 2.4.61. This update not only patches the source code disclosure flaw but also addresses several other vulnerabilities and bugs discovered in the previous version.
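To triage which hosts need the upgrade first, the following added example (not code from the Apache project or its advisory) checks an `httpd -v` banner for 2.4.60 and lists content-type based handler mappings in a configuration file. Treating `ForceType` and the `application/x-httpd-` media-type prefix as the "similar settings" is an assumption, the status names are hypothetical, and the banner and configuration are constructed samples.

```python
import re

AFFECTED = (2, 4, 60)  # release the article says to upgrade from
# "AddType" is named in the article; ForceType and the application/x-httpd-
# prefix are assumptions about what "similar settings" covers.
TYPE_DIRECTIVES = {"addtype", "forcetype"}
HANDLER_PREFIX = "application/x-httpd-"

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` style output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(map(int, m.groups())) if m else None

def find_type_handlers(conf_text):
    """Return (line_no, directive, media_type, args) for each mapping found."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        parts = line.split()
        if parts[0].lower() in TYPE_DIRECTIVES and len(parts) > 1:
            media = parts[1].strip('"').lower()
            if media.startswith(HANDLER_PREFIX):
                hits.append((no, parts[0], media, parts[2:]))
    return hits

def assess(banner, conf_text):
    """Return (status, hits); status names are hypothetical labels."""
    hits = find_type_handlers(conf_text)
    if parse_version(banner) != AFFECTED:
        return "other_version", hits
    # On 2.4.60, hosts with such mappings go to the front of the upgrade queue.
    return ("at_risk" if hits else "upgrade"), hits

SAMPLE_BANNER = "Server version: Apache/2.4.60 (Unix)"  # constructed
SAMPLE_CONF = """\
# constructed sample configuration
AddType application/x-httpd-php .php .phtml
AddType text/html .shtml
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
addtype application/x-httpd-php-source .phps
#AddType application/x-httpd-php .inc
"""

if __name__ == "__main__":
    status, hits = assess(SAMPLE_BANNER, SAMPLE_CONF)
    print(status)
    for no, directive, media, args in hits:
        print(f"line {no}: {directive} {media} {' '.join(args)}")
```

The `SetHandler` line is deliberately not reported, since it is not a content-type based mapping.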
Customers should consider implementing additional security measures such as web application firewalls, intrusion detection systems, and regular vulnerability scanning to fortify their defenses against evolving threats.
For further information on the vulnerabilities fixed in Apache HTTP Server 2.4.61, refer to the official security advisory on the Apache website.


