Apache needs HTTP/2 patch

Apache has patched a serious authentication bug that affected sysadmins using HTTP/2 – it wasn't checking X509 client certificates properly.

The client certificates are typically used when the system is secured by chip-card tokens, or software-generated tokens.

The bug affects versions 2.4.18 to 2.4.20 and is patched in HTTPD 2.4.23. If you don't have time to upgrade, the advisory at Full Disclosure includes a workaround by disabling HTTP/2.

As the advisory states, “the server failed to take the (failed/absent) client certificate validation into account when providing access to a resource over HTTP/2”.

If the sysadmin had loaded and activated the mod_http2 module and the browser used HTTP/2, a resource supposed to be secured by a client certificate was accessible without authentication.
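A quick audit of that condition, as an added example (not code from Apache or from the advisory): it checks whether a server reports one of the affected versions and whether its configuration both loads mod_http2 and offers h2/h2c via the `Protocols` directive, which is what the workaround removes. The sample configurations are constructed for illustration, and the scan only sees the text you pass it, not files pulled in by `Include`.

```python
import re

# Affected versions named in the article; 2.4.23 carries the fix.
AFFECTED_VERSIONS = {"2.4.18", "2.4.19", "2.4.20"}

# Constructed sample: mod_http2 loaded and HTTP/2 offered, so the
# client-certificate requirement on /secure is not enforced over h2.
VULNERABLE_CONFIG = """
LoadModule http2_module modules/mod_http2.so
Protocols h2 http/1.1
<Location /secure>
    SSLVerifyClient require
</Location>
"""

# Constructed sample of the workaround: HTTP/2 no longer offered.
WORKAROUND_CONFIG = """
LoadModule http2_module modules/mod_http2.so
Protocols http/1.1
<Location /secure>
    SSLVerifyClient require
</Location>
"""

def parse_version(server_banner):
    """Pull 'x.y.z' out of a Server header or an 'httpd -v' line."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", server_banner)
    return m.group(1) if m else None

def http2_enabled(config_text):
    """True when mod_http2 is loaded AND some Protocols line offers h2/h2c."""
    loaded = offered = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "loadmodule" and len(parts) > 1 and parts[1] == "http2_module":
            loaded = True
        elif directive == "protocols" and any(p.lower() in ("h2", "h2c") for p in parts[1:]):
            offered = True
    return loaded and offered

def client_cert_bypass_exposed(server_banner, config_text):
    """Exposed only when the version is affected and HTTP/2 is actually on."""
    return parse_version(server_banner) in AFFECTED_VERSIONS and http2_enabled(config_text)

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        print(name, "exposed:", client_cert_bypass_exposed("Apache/2.4.20 (Unix)", cfg))
```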

The advisory credits discovery of the bug to Erki Aring of Liewenthal Electronics, and the same-day bug-fix was written by Stefan Eissing. ®
