Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 588138 (CVE-2016-4979)

Summary: <www-servers/apache-2.4.23: http2 module allows client cert authentication bypass (CVE-2016-4979)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2016/q3/12
See Also: https://bugs.gentoo.org/show_bug.cgi?id=468302
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 583276    

Description Hanno Böck gentoo-dev 2016-07-06 07:45:31 UTC 
See here:
http://seclists.org/oss-sec/2016/q3/12

Only affects installations with mod_h2 enabled, but still quite severe. Please bump.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-07-06 10:56:17 UTC 
commit f86fb40673485432757f6886d64a5948e859bcbe
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Jul 6 11:53:09 2016

    www-servers/apache: Security bump to version 2.4.23 (bug #588138).

    Package-Manager: portage-2.3.0
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


Arches please test and mark stable the following two packages:

=app-admin/apache-tools-2.4.23
=www-servers/apache-2.4.23

both with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris
Comment 2 Agostino Sarubbo gentoo-dev 2016-07-06 14:14:52 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-07-06 14:15:23 UTC 
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-07-08 08:20:07 UTC 
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-07-08 08:44:22 UTC 
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-07-08 11:03:20 UTC 
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-07-08 13:30:38 UTC 
ia64 stable
Comment 8 Markus Meier gentoo-dev 2016-07-08 14:31:21 UTC 
arm stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-10 20:59:16 UTC 
Stable for HPPA.
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2016-07-16 13:30:21 UTC 
Stable on alpha.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-07-18 02:44:22 UTC 
CVE-2016-4979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4979):
  The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are
  enabled, does not properly recognize the "SSLVerifyClient require" directive
  for HTTP/2 request authorization, which allows remote attackers to bypass
  intended access restrictions by leveraging the ability to send multiple
  requests over a single connection and aborting a renegotiation.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-07-18 02:45:27 UTC 
Added to existing GLSA.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-07-18 06:03:16 UTC 
@maintainer(s), =www-servers/apache-2.4.20 is vulnerable and needs to be cleaned.  This does not effect 2.2.31 currently in the tree.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2016-09-26 03:02:21 UTC 
Maintainer(s), please drop the vulnerable version(s).
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-10-06 17:26:30 UTC 
This issue was resolved and addressed in
 GLSA 201610-02 at https://security.gentoo.org/glsa/201610-02
by GLSA coordinator Kristian Fiskerstrand (K_F).