httpd: authentication bypass

Package(s): httpd
CVE #(s): CVE-2016-4979
Created: July 12, 2016
Updated: July 18, 2016
Description: From the CVE entry:

The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.

Alerts:
Gentoo 201610-02 apache 2016-10-06
Red Hat RHSA-2016:1420-01 httpd24-httpd 2016-07-18
Fedora FEDORA-2016-e256a03791 httpd 2016-07-15
Fedora FEDORA-2016-c7288a5b36 httpd 2016-07-12

Copyright © 2025, Eklektix, Inc.