FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

apache24 -- X509 Client certificate based authentication can be bypassed when HTTP/2 is used

Affected packages
2.4.18 <= apache24 < 2.4.23

Details

VuXML ID e9d1e040-42c9-11e6-9608-20cf30e32f6d
Discovery 2016-07-01
Entry 2016-07-05

Apache Software Foundation reports:

The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate an X509 client certificate correctly when the experimental module for the HTTP/2 protocol is used to access a resource.

The net result is that a resource that should require a valid client certificate in order to get access can be accessed without that credential.
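A defender-side check to go with the report above (an added example, not part of the VuXML entry or of Apache's own code): it flags an apache24 version inside the affected range given in this entry and lists the virtual hosts whose configuration combines `SSLVerifyClient require` with an `h2` entry in `Protocols`, which is the combination this advisory concerns. The configuration text is constructed; the directive names are Apache's, the function names and the per-vhost parsing are assumptions of this example.

```python
import re

# Affected range as stated in this FreeBSD VuXML entry: 2.4.18 <= apache24 < 2.4.23
AFFECTED_MIN = (2, 4, 18)
FIXED = (2, 4, 23)

def parse_version(version):
    """Turn '2.4.20' or a pkg-style '2.4.20_1' into a comparable tuple (port revision dropped)."""
    core = version.split("_", 1)[0]
    return tuple(int(part) for part in core.split("."))

def is_affected_version(version):
    """True when the installed apache24 version falls inside the advisory's range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED

def exposed_vhosts(config_text):
    """Return ServerNames of <VirtualHost> blocks that both require a client
    certificate and offer h2. Only per-vhost Protocols lines are examined; a
    global Protocols directive is not inherited here (simplification)."""
    exposed = []
    for block in re.finditer(r"<VirtualHost\s+[^>]+>(.*?)</VirtualHost>", config_text, re.S | re.I):
        body = block.group(1)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        requires_cert = re.search(r"^\s*SSLVerifyClient\s+require\b", body, re.M | re.I)
        protocols = re.search(r"^\s*Protocols\s+(.+)$", body, re.M | re.I)
        offers_h2 = bool(protocols) and "h2" in protocols.group(1).lower().split()
        if requires_cert and offers_h2:
            exposed.append(name.group(1) if name else "<unnamed>")
    return exposed

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """
Protocols http/1.1
<VirtualHost *:443>
    ServerName cert-only.example.test
    SSLEngine on
    SSLVerifyClient require
    Protocols h2 http/1.1
</VirtualHost>
<VirtualHost *:443>
    ServerName public.example.test
    SSLEngine on
    Protocols h2 http/1.1
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.test
    SSLEngine on
    SSLVerifyClient require
    Protocols http/1.1
</VirtualHost>
"""

if __name__ == "__main__":
    print("affected 2.4.20:", is_affected_version("2.4.20"))
    print("exposed vhosts:", exposed_vhosts(SAMPLE_CONF))
```

Only the first vhost is reported: the second never requires a certificate and the third does not offer h2, so neither matches the condition described in the report.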

References

CVE Name CVE-2016-4979
URL http://mail-archives.apache.org/mod_mbox/httpd-announce/201607.mbox/CVE-2016-4979-68283