You are viewing a plain text version of this content. The canonical link for it is here.

Posted to cvs@httpd.apache.org by jo...@apache.org on 2016/07/06 12:34:50 UTC

svn commit: r1751673 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Author: jorton
Date: Wed Jul  6 12:34:50 2016
New Revision: 1751673

URL: http://svn.apache.org/viewvc?rev=1751673&view=rev
Log:
Add CVE-2016-4979.

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1751673&r1=1751672&r2=1751673&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Wed Jul  6 12:34:50 2016
@@ -1,5 +1,24 @@
-<security updated="20150717">
+<security updated="20160706">
 
+<issue fixed="2.4.23" reported="20160630" public="20160705" released="20160705">
+<cve name="CVE-2016-4979"/>
+<severity level="4">low</severity>
+<title>TLS/SSL X.509 client certificate auth bypass with HTTP/2</title>
+<description><p>
+
+  For configurations enabling support for HTTP/2, SSL client
+  certificate validation was not enforced if configured, allowing
+  clients unauthorized access to protected resources over HTTP/2.
+
+  This issue affected releases 2.4.18 and 2.4.20 only.
+</p></description>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<acknowledgements>
+This issue was reported by Erki Aring.
+</acknowledgements>
+</issue>
+  
 <issue fixed="2.4.20" reported="20160202" public="20160411" released="20160411">
 <cve name="CVE-2016-1546"/>
 <severity level="4">low</severity>