CVE-2016-4979
Published: 6 July 2016
The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.
Notes
Author | Note |
---|---|
mdeslaur | advisory says introduced in 2.4.18; xenial package not built with mod_http2 support |
Priority
CVSS 3 base score: 7.5
Status
Package | Release | Status |
---|---|---|
apache2 | upstream | Released (2.4.23-1) |
apache2 | precise | Not vulnerable (code not present) |
apache2 | trusty | Not vulnerable (code not present) |
apache2 | wily | Not vulnerable (code not present) |
apache2 | xenial | Not vulnerable (no mod_http2 support) |

Patches: upstream: https://svn.apache.org/r1750779