FS#49958 - apache: CVE 2016-4979 X509 Client certificate based authentication can be bypassed when HTTP/2 is us
Attached to Project: Arch Linux
Opened by georg (fordprefect) - Tuesday, 05 July 2016, 15:23 GMT
Last edited by Levente Polyak (anthraxx) - Tuesday, 05 July 2016, 15:38 GMT
Details
Description:
As per announcement versions 2.4.18 - 2.4.20 are vulnerable to authentication bypass with http/2. Update to 2.4.23 (2.4.21 and 2.4.22 were omitted) fixes this. Package is already flagged out and new version in testing.

[0] https://httpd.apache.org/security/vulnerabilities_24.html
[1] https://www.apache.org/dist/httpd/Announcement2.4.html
Closed by Levente Polyak (anthraxx)
Tuesday, 05 July 2016, 15:38 GMT
Reason for closing: Fixed
Additional comments about closing: 2.4.23-1
Comment by Levente Polyak (anthraxx) - Tuesday, 05 July 2016, 15:38 GMT
The regular workflow is to close tickets once they are
implemented/fixed. Closing this one as the mentioned update is
sitting in [testing] already and will soon be moved.