[3.5] apache2: X509 Client certificate based authentication can be bypassed when HTTP/2 is used (CVE-2016-4979)
The Apache HTTPD web server (versions 2.4.18 through 2.4.20) did not validate an X509 client certificate correctly when the experimental module for the HTTP/2 protocol is used to access a resource.
The net result is that a resource that should require a valid client certificate in order to get access can be accessed without that credential.
Fixed in version:
2.4.23
References:
https://mail-archives.apache.org/mod_mbox/httpd-announce/201607.mbox/CVE-2016-4979-68283
(from redmine: issue id 5918, created on 2016-07-19, closed on 2016-07-19)
- Relations:
- parent #5917 (closed)