FS#49958 - apache: CVE 2016-4979 X509 Client certificate based authentication can be bypassed when HTTP/2 is us

Attached to Project: Arch Linux
Opened by georg (fordprefect) - Tuesday, 05 July 2016, 15:23 GMT
Last edited by Levente Polyak (anthraxx) - Tuesday, 05 July 2016, 15:38 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
As per the announcement, versions 2.4.18 - 2.4.20 are vulnerable to authentication bypass with HTTP/2.
Update to 2.4.23 (2.4.21 and 2.4.22 were omitted) fixes this. The package is already flagged out and the new version is in testing.

[0] https://httpd.apache.org/security/vulnerabilities_24.html
[1] https://www.apache.org/dist/httpd/Announcement2.4.html

Closed by  Levente Polyak (anthraxx)
Tuesday, 05 July 2016, 15:38 GMT
Reason for closing:  Fixed
Additional comments about closing:  2.4.23-1
Comment by Levente Polyak (anthraxx) - Tuesday, 05 July 2016, 15:38 GMT
The regular workflow is to close tickets once they are implemented/fixed. Closing this one as the mentioned update is sitting in [testing] already and will soon be moved.
