Posting through announce@httpd.apache.org mailing list yesterday: "Apache HTTP Server 2.4.61 Released"
https://lists.apache.org/thread/wz5hkj1lsptlv431rdn0gs8jvt5ol519

and out of https://downloads.apache.org/httpd/CHANGES_2.4:

Changes with Apache 2.4.61

  *) SECURITY: CVE-2024-39884: Apache HTTP Server: source code disclosure with handlers configured via AddType (cve.mitre.org)
     A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.
     Users are recommended to upgrade to version 2.4.61, which fixes this issue.

This should fix the problem reported in bug #280077.
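Added example, not part of the original report or the Apache announcement: a small triage script that lists active AddType directives mapping file extensions to a handler-style media type and checks whether the server banner reports 2.4.60. The function names, the sample configuration and the "application/x-httpd-*" naming pattern are assumptions made for illustration; a match only means the version and configuration fit the advisory's description.

```python
import re

# Constructed sample configuration (not taken from the PR).
SAMPLE_CONF = """\
LoadModule php_module libexec/apache24/libphp.so
# AddType application/x-httpd-php .old
AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps
AddType text/html .shtml
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

AFFECTED_VERSION = "2.4.60"  # regression per CHANGES_2.4; fixed in 2.4.61
# Assumption: handler-style media types follow the conventional
# "application/x-httpd-*" naming used by mod_php.
HANDLER_TYPE = re.compile(r"^application/x-httpd-[\w.+-]+$", re.I)

def find_legacy_handler_mappings(conf_text):
    """Return (line_no, media_type, extensions) for each active AddType
    directive that maps extensions to a handler-style media type."""
    hits = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or commented-out directive
        if parts[0].lower() == "addtype" and len(parts) >= 3 and HANDLER_TYPE.match(parts[1]):
            hits.append((no, parts[1], parts[2:]))
    return hits

def parse_version(banner):
    """Extract 'x.y.z' from a banner such as 'Apache/2.4.60 (FreeBSD)'."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def audit(banner, conf_text):
    """Combine the version check and the config scan into one report."""
    version = parse_version(banner)
    mappings = find_legacy_handler_mappings(conf_text)
    return {"version": version,
            "mappings": mappings,
            "matches_advisory": version == AFFECTED_VERSION and bool(mappings)}

if __name__ == "__main__":
    report = audit("Server version: Apache/2.4.60 (FreeBSD)", SAMPLE_CONF)
    for no, mtype, exts in report["mappings"]:
        print(f"line {no}: AddType {mtype} {' '.join(exts)}")
    print("version and config match the advisory:", report["matches_advisory"])
```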
Created attachment 251868
update to 2.4.61 + add LIB_DEPENDS+=libgdbm.so:databases/gdbm

Update to 2.4.61.
Also fix build "warning":

====> Running Q/A tests (stage-qa)
Error: /usr/local/bin/ab is linked to /usr/local/lib/libgdbm.so.6 from databases/gdbm but it is not declared as a dependency
Warning: you need LIB_DEPENDS+=libgdbm.so:databases/gdbm
(In reply to Vladimir Druzenko from comment #1)
Thank you Vladimir! I tried the patch, built it on FreeBSD 13.3-RELEASE-p3 / amd64, and can confirm that PHP now works again with 'AddType', as was the case with 2.4.59.
Hadn't noticed this PR prior to committing the new version yesterday. Thanks for reporting!

The libgdbm dep is indirect, it comes from devel/apr1.

Fixed by https://cgit.freebsd.org/ports/commit/?id=3d98a45b298ee29bb20a38ba397511c5db0bbf80
(In reply to Bernard Spil from comment #3)
> The libgdbm dep is indirect, it comes from devel/apr1.

I already found that it adds to LIBS the result of "apu-1-config --libs", for example on one of my hosts:
-ldb-18.1 -lgdbm -lexpat

But I can't find a way to transform this output into:
USES+=bdb:18
LIB_DEPENDS+=libgdbm.so:databases/gdbm
etc.