588138 – (CVE-2016-4979) <www-servers/apache-2.4.23: http2 module allows client cert authentication bypass (CVE-2016-4979)

Bug 588138 (CVE-2016-4979) - <www-servers/apache-2.4.23: http2 module allows client cert authentication bypass (CVE-2016-4979)

Summary: <www-servers/apache-2.4.23: http2 module allows client cert authentication by...

Status:	RESOLVED FIXED

Alias:	CVE-2016-4979

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	http://seclists.org/oss-sec/2016/q3/12
Whiteboard:	A3 [glsa cve]
Keywords:

Depends on:
Blocks:	CVE-2016-1546
	Show dependency tree

Reported:	2016-07-06 07:45 UTC by Hanno Böck
Modified:	2016-10-06 17:29 UTC (History)
CC List:	1 user (show)

See Also:	apache-2.4-stable
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2016-07-06 07:45:31 UTC

See here:
http://seclists.org/oss-sec/2016/q3/12

Only affects installations with mod_h2 enabled, but still quite severe. Please bump.

Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2016-07-06 10:56:17 UTC

commit f86fb40673485432757f6886d64a5948e859bcbe
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Jul 6 11:53:09 2016

    www-servers/apache: Security bump to version 2.4.23 (bug #588138).

    Package-Manager: portage-2.3.0
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


Arches please test and mark stable the following two packages:

=app-admin/apache-tools-2.4.23
=www-servers/apache-2.4.23

both with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris

Comment 2 Agostino Sarubbo gentoo-dev

2016-07-06 14:14:52 UTC

amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2016-07-06 14:15:23 UTC

x86 stable

Comment 4 Agostino Sarubbo gentoo-dev

2016-07-08 08:20:07 UTC

ppc stable

Comment 5 Agostino Sarubbo gentoo-dev

2016-07-08 08:44:22 UTC

sparc stable

Comment 6 Agostino Sarubbo gentoo-dev

2016-07-08 11:03:20 UTC

ppc64 stable

Comment 7 Agostino Sarubbo gentoo-dev

2016-07-08 13:30:38 UTC

ia64 stable

Comment 8 Markus Meier gentoo-dev

2016-07-08 14:31:21 UTC

arm stable

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev

2016-07-10 20:59:16 UTC

Stable for HPPA.

Comment 10 Tobias Klausmann (RETIRED) gentoo-dev

2016-07-16 13:30:21 UTC

Stable on alpha.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2016-07-18 02:44:22 UTC

CVE-2016-4979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4979):
  The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are
  enabled, does not properly recognize the "SSLVerifyClient require" directive
  for HTTP/2 request authorization, which allows remote attackers to bypass
  intended access restrictions by leveraging the ability to send multiple
  requests over a single connection and aborting a renegotiation.

Comment 12 Aaron Bauman (RETIRED) gentoo-dev

2016-07-18 02:45:27 UTC

Added to existing GLSA.

Comment 13 Aaron Bauman (RETIRED) gentoo-dev

2016-07-18 06:03:16 UTC

@maintainer(s), =www-servers/apache-2.4.20 is vulnerable and needs to be cleaned.  This does not effect 2.2.31 currently in the tree.

Comment 14 Yury German Gentoo Infrastructure

2016-09-26 03:02:21 UTC

Maintainer(s), please drop the vulnerable version(s).

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2016-10-06 17:26:30 UTC

This issue was resolved and addressed in
 GLSA 201610-02 at https://security.gentoo.org/glsa/201610-02
by GLSA coordinator Kristian Fiskerstrand (K_F).