See here: http://seclists.org/oss-sec/2016/q3/12 Only affects installations with mod_h2 enabled, but still quite severe. Please bump.
commit f86fb40673485432757f6886d64a5948e859bcbe Author: Lars Wendler <polynomial-c@gentoo.org> Date: Wed Jul 6 11:53:09 2016 www-servers/apache: Security bump to version 2.4.23 (bug #588138). Package-Manager: portage-2.3.0 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> Arches please test and mark stable the following two packages: =app-admin/apache-tools-2.4.23 =www-servers/apache-2.4.23 both with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris
amd64 stable
x86 stable
ppc stable
sparc stable
ppc64 stable
ia64 stable
arm stable
Stable for HPPA.
Stable on alpha.
CVE-2016-4979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4979): The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.
Added to existing GLSA.
@maintainer(s), =www-servers/apache-2.4.20 is vulnerable and needs to be cleaned. This does not effect 2.2.31 currently in the tree.
Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201610-02 at https://security.gentoo.org/glsa/201610-02 by GLSA coordinator Kristian Fiskerstrand (K_F).
