Suggested advisory:
========================

The updated packages fix a security vulnerability:

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. (CVE-2024-36387)

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. (CVE-2024-38473)

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified. (CVE-2024-38474)

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. (CVE-2024-38475)

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.  (CVE-2024-38476)

Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. (CVE-2024-38477)

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. (CVE-2024-39573)

References:
https://www.openwall.com/lists/oss-security/2024/07/01/4
https://www.openwall.com/lists/oss-security/2024/07/01/6
https://www.openwall.com/lists/oss-security/2024/07/01/7
https://www.openwall.com/lists/oss-security/2024/07/01/8
https://www.openwall.com/lists/oss-security/2024/07/01/9
https://www.openwall.com/lists/oss-security/2024/07/01/10
https://www.openwall.com/lists/oss-security/2024/07/01/11
========================

Updated packages in core/updates_testing:
========================
apache-2.4.60-1.mga9
apache-devel-2.4.60-1.mga9
apache-doc-2.4.60-1.mga9
apache-htcacheclean-2.4.60-1.mga9
apache-mod_brotli-2.4.60-1.mga9
apache-mod_cache-2.4.60-1.mga9
apache-mod_dav-2.4.60-1.mga9
apache-mod_dbd-2.4.60-1.mga9
apache-mod_http2-2.4.60-1.mga9
apache-mod_ldap-2.4.60-1.mga9
apache-mod_proxy-2.4.60-1.mga9
apache-mod_proxy_html-2.4.60-1.mga9
apache-mod_session-2.4.60-1.mga9
apache-mod_ssl-2.4.60-1.mga9
apache-mod_suexec-2.4.60-1.mga9
apache-mod_userdir-2.4.60-1.mga9

from SRPM:
apache-2.4.60-1.mga9.src.rpm

Status comment: Fixed upstream in 2.4.60 => (none)
Status: NEW => ASSIGNED
Source RPM: apache-2.4.59-1.mga10.src.rpm => apache-2.4.59-1.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing apache-mod_ssl-2.4.60-1.mga9.x86_64.rpm apache-2.4.60-1.mga9.x86_64.rpm apache-mod_proxy-2.4.60-1.mga9.x86_64.rpm apache-mod_userdir-2.4.60-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/4: apache                ##################################################################################################
      2/4: apache-mod_ssl        ##################################################################################################
      3/4: apache-mod_proxy      ##################################################################################################
      4/4: apache-mod_userdir    ##################################################################################################
      1/4: removing apache-mod_userdir-2.4.59-1.mga9.x86_64
                                 ##################################################################################################
      2/4: removing apache-mod_proxy-2.4.59-1.mga9.x86_64
                                 ##################################################################################################
      3/4: removing apache-mod_ssl-2.4.59-1.mga9.x86_64
                                 ##################################################################################################
      4/4: removing apache-2.4.59-1.mga9.x86_64
                                 ##################################################################################################
                
systemctl start httpd.service 
systemctl -l status httpd.service 
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-07-02 16:40:33 CST; 8s ago
   Main PID: 66718 (httpd)
     Status: "Processing requests..."
      Tasks: 6 (limit: 6904)
     Memory: 6.1M
        CPU: 79ms
     CGroup: /system.slice/httpd.service
             ├─66718 /usr/sbin/httpd -DFOREGROUND
             ├─66742 /usr/sbin/httpd -DFOREGROUND
             ├─66743 /usr/sbin/httpd -DFOREGROUND
             ├─66744 /usr/sbin/httpd -DFOREGROUND
             ├─66745 /usr/sbin/httpd -DFOREGROUND
             └─66746 /usr/sbin/httpd -DFOREGROUND

jul 02 16:40:17 jgrey.phoenix systemd[1]: Starting httpd.service...
jul 02 16:40:33 jgrey.phoenix systemd[1]: Started httpd.service.

I can connect to my site from other remote system

MGA9-64 Plasma Wayland on HP-Pavillion
No isntallation issues.
Tested by running local phpmyadmin and browsing around in my test-databeses.
All works OK.

CC: (none) => herman.viaene

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. (CVE-2024-36387)

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. (CVE-2024-38473)

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified. (CVE-2024-38474)

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. (CVE-2024-38475)

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.  (CVE-2024-38476)

Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. (CVE-2024-38477)

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. (CVE-2024-39573)

References:
https://www.openwall.com/lists/oss-security/2024/07/01/4
https://www.openwall.com/lists/oss-security/2024/07/01/6
https://www.openwall.com/lists/oss-security/2024/07/01/7
https://www.openwall.com/lists/oss-security/2024/07/01/8
https://www.openwall.com/lists/oss-security/2024/07/01/9
https://www.openwall.com/lists/oss-security/2024/07/01/10
https://www.openwall.com/lists/oss-security/2024/07/01/11
========================

Updated packages in core/updates_testing:
========================
apache-2.4.60-2.mga9
apache-devel-2.4.60-2.mga9
apache-doc-2.4.60-2.mga9
apache-htcacheclean-2.4.60-2.mga9
apache-mod_brotli-2.4.60-2.mga9
apache-mod_cache-2.4.60-2.mga9
apache-mod_dav-2.4.60-2.mga9
apache-mod_dbd-2.4.60-2.mga9
apache-mod_http2-2.4.60-2.mga9
apache-mod_ldap-2.4.60-2.mga9
apache-mod_proxy-2.4.60-2.mga9
apache-mod_proxy_html-2.4.60-2.mga9
apache-mod_session-2.4.60-2.mga9
apache-mod_ssl-2.4.60-2.mga9
apache-mod_suexec-2.4.60-2.mga9
apache-mod_userdir-2.4.60-2.mga9

from SRPM:
apache-2.4.60-2.mga9.src.rpm

Keywords: advisory => (none)

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing apache-2.4.60-2.mga9.x86_64.rpm apache-mod_userdir-2.4.60-2.mga9.x86_64.rpm apache-mod_ssl-2.4.60-2.mga9.x86_64.rpm apache-mod_proxy-2.4.60-2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/4: apache                ##################################################################################################
      2/4: apache-mod_userdir    ##################################################################################################
      3/4: apache-mod_ssl        ##################################################################################################
      4/4: apache-mod_proxy      ##################################################################################################
      1/4: removing apache-mod_proxy-2.4.60-1.mga9.x86_64
                                 ##################################################################################################
      2/4: removing apache-mod_ssl-2.4.60-1.mga9.x86_64
                                 ##################################################################################################
      3/4: removing apache-mod_userdir-2.4.60-1.mga9.x86_64
                                 ##################################################################################################
      4/4: removing apache-2.4.60-1.mga9.x86_64
                                 ##################################################################################################
----------------------------------------------------------------------
More information on package apache-2.4.60-2.mga9.x86_64
Starting with Apache 2.4.60, the fix for CVE-2024-38476 (Apache HTTP Server may
use exploitable/malicious backend application output to run local handlers via
internal redirect) caused some changes regarding the 'AddType' directive.

Some legacy uses of the 'AddType' directive to connect a request to a handler
must be ported to 'AddHandler'.

For instance, in order to use apache-mod_php or php-fpm-apache, be sure the
directives 'AddType application/x-httpd-php...' in 70_mod_php.conf or
10_php-fpm.conf were replaced by 'AddHandler application/x-httpd-php'.

----------------------------------------------------------------------

systemctl restart httpd.service 
systemctl -l status httpd.service 
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Wed 2024-07-03 10:30:11 CST; 20s ago
   Main PID: 132486 (httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 6 (limit: 6904)
     Memory: 6.0M
        CPU: 69ms
     CGroup: /system.slice/httpd.service
             ├─132486 /usr/sbin/httpd -DFOREGROUND
             ├─132488 /usr/sbin/httpd -DFOREGROUND
             ├─132489 /usr/sbin/httpd -DFOREGROUND
             ├─132490 /usr/sbin/httpd -DFOREGROUND
             ├─132491 /usr/sbin/httpd -DFOREGROUND
             └─132492 /usr/sbin/httpd -DFOREGROUND

jul 03 10:30:11 jgrey.phoenix systemd[1]: Starting httpd.service...
jul 03 10:30:11 jgrey.phoenix systemd[1]: Started httpd.service.

I have mixed behavior with my php pages some works other not, I need to check the warning but looks good the basic things

Installed and tested without issues.

Tested for a day with several sites and scripts installed.

Tested:
- systemd socket activation;
- server status;
- custom logs;
- HTTP 1.1/2 and 1.1 to 2 upgrade;
- HTTPS with SNI;
- Lets Encrypt SSL signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- PHP through FPM;
- multiple PHP scripts;
- Reverse proxies (e.g. gitea, goaccess). 
- mod_rewrite;
- mod_security.



System: Mageia 8, x86_64, Intel(R) Core(TM) i5-4590 CPU.



# uname -a
Linux marte 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux
# rpm -qa | grep -P 'apache.*2\.4\.60-2' | sort
apache-2.4.60-2.mga9
apache-mod_http2-2.4.60-2.mga9
apache-mod_proxy-2.4.60-2.mga9
apache-mod_proxy_html-2.4.60-2.mga9
apache-mod_ssl-2.4.60-2.mga9
# systemctl status httpd.service 
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Wed 2024-07-03 16:54:25 WEST; 17h ago
    Process: 1318965 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
   Main PID: 929995 (httpd)
     Status: "Total requests: 6052; Idle/Busy workers 100/0;Requests/sec: 0.095; Bytes served/sec: 3.0KB/sec"
      Tasks: 66 (limit: 19042)
     Memory: 106.5M
        CPU: 22.590s
     CGroup: /system.slice/httpd.service
             ├─ 929995 /usr/sbin/httpd -DFOREGROUND
             ├─1319021 /usr/sbin/httpd -DFOREGROUND
             └─1319025 /usr/sbin/httpd -DFOREGROUND

jul 03 16:54:25 marte systemd[1]: Starting httpd.service...
jul 03 16:54:25 marte systemd[1]: Started httpd.service.
jul 04 04:07:09 marte systemd[1]: Reloading httpd.service...
jul 04 04:07:09 marte systemd[1]: Reloaded httpd.service.