Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 588138 (CVE-2016-4979) - <www-servers/apache-2.4.23: http2 module allows client cert authentication bypass (CVE-2016-4979)
Summary: <www-servers/apache-2.4.23: http2 module allows client cert authentication by...
Alias: CVE-2016-4979
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Depends on:
Blocks: CVE-2016-1546
  Show dependency tree
Reported: 2016-07-06 07:45 UTC by Hanno Böck
Modified: 2016-10-06 17:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2016-07-06 07:45:31 UTC
See here:

Only affects installations with mod_h2 enabled, but still quite severe. Please bump.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-07-06 10:56:17 UTC
commit f86fb40673485432757f6886d64a5948e859bcbe
Author: Lars Wendler <>
Date:   Wed Jul 6 11:53:09 2016

    www-servers/apache: Security bump to version 2.4.23 (bug #588138).

    Package-Manager: portage-2.3.0
    Signed-off-by: Lars Wendler <>

Arches please test and mark stable the following two packages:


both with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris
Comment 2 Agostino Sarubbo gentoo-dev 2016-07-06 14:14:52 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-07-06 14:15:23 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-07-08 08:20:07 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-07-08 08:44:22 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-07-08 11:03:20 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-07-08 13:30:38 UTC
ia64 stable
Comment 8 Markus Meier gentoo-dev 2016-07-08 14:31:21 UTC
arm stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-10 20:59:16 UTC
Stable for HPPA.
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2016-07-16 13:30:21 UTC
Stable on alpha.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-07-18 02:44:22 UTC
CVE-2016-4979 (
  The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are
  enabled, does not properly recognize the "SSLVerifyClient require" directive
  for HTTP/2 request authorization, which allows remote attackers to bypass
  intended access restrictions by leveraging the ability to send multiple
  requests over a single connection and aborting a renegotiation.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-07-18 02:45:27 UTC
Added to existing GLSA.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-07-18 06:03:16 UTC
@maintainer(s), =www-servers/apache-2.4.20 is vulnerable and needs to be cleaned.  This does not effect 2.2.31 currently in the tree.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2016-09-26 03:02:21 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-10-06 17:26:30 UTC
This issue was resolved and addressed in
 GLSA 201610-02 at
by GLSA coordinator Kristian Fiskerstrand (K_F).