I tried updating twice to 2.4.60 with portmaster from 2.4.59 and had to revert back to snapshot. After upgrading to 2.4.60, none of the directory pages work (index.php, index.html, etc.) Apache just sends the directory page as a download. However, going to htts://site.com/index.php directly works fine. I am happy to assist to debug. I searched for errors in all error logs with no hint what is broken.
From the changelog ( https://downloads.apache.org/httpd/CHANGES_2.4.60 ): SECURITY: CVE-2024-38476: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (cve.mitre.org) Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Note: Some legacy uses of the 'AddType' directive to connect a request to a handler must be ported to 'SetHandler' after this fix. This is a possible reason.
I dont think that is the issue since the page (such as index.html) loads okay if you load http://site.com/index.html but downloads the file if you just use http://site.com
Sorry, my error. The site I was testing I thought had an index.html but the site owner had hacked/converted the index.html to index.php and the .html file still existed. The issue was I add the old way of AddType for php. I commented the line out and replaced it with: <FilesMatch \.php$> SetHandler application/x-httpd-php </FilesMatch> That still worked and then upgraded to Apache 2.4.60 and it still worked after that. Thank you for getting me in the right direction nihilesthic@proton.me ! Weldon
Update to 2.4.61 will fix this issue, see bug #280130.