httpd-cvs mailing list archives

From jor...@apache.org
Subject svn commit: r1751673 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml
Date Wed, 06 Jul 2016 12:34:50 GMT
Author: jorton
Date: Wed Jul  6 12:34:50 2016
New Revision: 1751673

URL: http://svn.apache.org/viewvc?rev=1751673&view=rev
Log:
Add CVE-2016-4979.

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1751673&r1=1751672&r2=1751673&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Wed Jul  6 12:34:50 2016
@@ -1,5 +1,24 @@
-<security updated="20150717">
+<security updated="20160706">
 
+<issue fixed="2.4.23" reported="20160630" public="20160705" released="20160705">
+<cve name="CVE-2016-4979"/>
+<severity level="4">low</severity>
+<title>TLS/SSL X.509 client certificate auth bypass with HTTP/2</title>
+<description><p>
+
+  For configurations enabling support for HTTP/2, SSL client
+  certificate validation was not enforced if configured, allowing
+  clients unauthorized access to protected resources over HTTP/2.
+
+  This issue affected releases 2.4.18 and 2.4.20 only.
+</p></description>
+<affects prod="httpd" version="2.4.20"/>
+<affects prod="httpd" version="2.4.18"/>
+<acknowledgements>
+This issue was reported by Erki Aring.
+</acknowledgements>
+</issue>
+  
 <issue fixed="2.4.20" reported="20160202" public="20160411" released="20160411">
 <cve name="CVE-2016-1546"/>
 <severity level="4">low</severity>
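Review bot: The new CVE-2016-4979 entry describes the bypass but gives operators still on 2.4.18 or 2.4.20 no interim guidance. The `<description>` could add a sentence such as `As a temporary workaround, HTTP/2 can be disabled by removing h2 and h2c from the Protocols line(s) in the configuration.`, so that resources protected by client certificates can be covered before the upgrade to 2.4.23. The two sentences of the description also share one `<p>`, separated only by a blank line, so they will probably render as a single paragraph; putting "This issue affected releases 2.4.18 and 2.4.20 only." in its own `<p>` would keep the affected-version statement distinct. The separator line added after `</issue>` contains only whitespace and could be left empty.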


