Only affects installations with mod_h2 enabled, but still quite severe. Please bump.
Author: Lars Wendler <firstname.lastname@example.org>
Date: Wed Jul 6 11:53:09 2016
www-servers/apache: Security bump to version 2.4.23 (bug #588138).
Signed-off-by: Lars Wendler <email@example.com>
Arches please test and mark stable the following two packages:
both with target KEYWORDS:
alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris
Stable for HPPA.
Stable on alpha.
The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are
enabled, does not properly recognize the "SSLVerifyClient require" directive
for HTTP/2 request authorization, which allows remote attackers to bypass
intended access restrictions by leveraging the ability to send multiple
requests over a single connection and aborting a renegotiation.
Added to existing GLSA.
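The advisory text above names four conditions that have to coincide before an installation is exposed: an affected version, mod_ssl and mod_http2 both loaded, HTTP/2 actually offered, and a scope that demands a client certificate. The checker below is an added example (not part of this bug, the ebuild, or Apache itself) that evaluates those conditions from `httpd -v` / `httpd -M` output and the server configuration; the sample outputs and config are constructed, and the assumption that withholding `h2` from `Protocols` (Apache's default is `http/1.1` only) is the interim mitigation until 2.4.23 is installed is mine.

```python
import re

# Affected range as stated in the advisory text: 2.4.18 through 2.4.20.
AFFECTED = {(2, 4, 18), (2, 4, 19), (2, 4, 20)}

def parse_version(httpd_v):
    """Extract (major, minor, patch) from 'httpd -v' output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    return tuple(int(x) for x in m.groups()) if m else None

def loaded_modules(httpd_m):
    """Module names from 'httpd -M' output, e.g. {'ssl_module', 'http2_module'}."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:shared|static)\)", httpd_m, re.M))

def h2_enabled(conf):
    """True if any Protocols directive offers h2 (without one, only http/1.1 is served)."""
    return any("h2" in line.lower().split()[1:]
               for line in conf.splitlines()
               if line.strip().lower().startswith("protocols"))

def client_cert_scopes(conf):
    """Location/Directory blocks that require a client cert (enforced via renegotiation)."""
    block = re.compile(r"<(Location|Directory)\s+([^>]+)>(.*?)</\1>", re.S | re.I)
    return ["%s %s" % (kind, path.strip()) for kind, path, body in block.findall(conf)
            if re.search(r"^\s*SSLVerifyClient\s+require\b", body, re.M | re.I)]

def assess(httpd_v, httpd_m, conf):
    """Return (exposed, reasons); exposed only when all four conditions hold."""
    reasons = []
    ver = parse_version(httpd_v)
    if ver in AFFECTED:
        reasons.append("version %d.%d.%d is in the affected range" % ver)
    if {"ssl_module", "http2_module"} <= loaded_modules(httpd_m):
        reasons.append("mod_ssl and mod_http2 are both loaded")
    if h2_enabled(conf):
        reasons.append("Protocols offers h2")
    scopes = client_cert_scopes(conf)
    if scopes:
        reasons.append("SSLVerifyClient require in: " + ", ".join(scopes))
    return len(reasons) == 4, reasons

# Constructed sample inputs standing in for real command output and config.
SAMPLE_V = "Server version: Apache/2.4.20 (Unix)\nServer built:   Jul  6 2016"
SAMPLE_M = "Loaded Modules:\n core_module (static)\n ssl_module (shared)\n http2_module (shared)\n"
SAMPLE_CONF = """
Protocols h2 http/1.1
<VirtualHost *:443>
  SSLEngine on
  <Location /admin>
    SSLVerifyClient require
  </Location>
</VirtualHost>
"""
```

Running `assess(SAMPLE_V, SAMPLE_M, SAMPLE_CONF)` reports the sample as exposed; changing the directive to `Protocols http/1.1`, or moving to 2.4.23, clears it.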
@maintainer(s), =www-servers/apache-2.4.20 is vulnerable and needs to be cleaned. This does not affect 2.2.31 currently in the tree.
Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in
GLSA 201610-02 at https://security.gentoo.org/glsa/201610-02
by GLSA coordinator Kristian Fiskerstrand (K_F).