[Announce] Security advisory: Recently discovered HTTP2 handling issue impacts Qt
List for announcements regarding Qt releases and development
announce at qt-project.org
Wed Jul 17 11:00:18 CEST 2024
Whenever a TLS connection is started to a server that supports HTTP2 and that server has already sent some data to the application, Qt will continue to send data to the server even if the TLS certificate does not match the address it has been redirected to. This has been assigned the CVE id CVE-2024-39936.
This is known to affect all versions of Qt that have support for HTTP2. In earlier versions, HTTP2 support was off by default but could be turned on with the relevant attribute.
Solution: As a workaround, the support can be turned off by calling:
setAttribute(QNetworkRequest::Http2AllowedAttribute, false);
on the QNetworkRequest used to start the initial request.
Alternatively update to Qt 6.8.0, Qt 6.7.3, Qt 6.5.7, Qt 6.2.13 or Qt 5.15.18.
Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/571601
Qt 6.7: https://codereview.qt-project.org/c/qt/qtbase/+/574323 or https://download.qt.io/official_releases/qt/6.7/CVE-2024-39936-qtbase-6.7.patch
Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/574426 or https://download.qt.io/official_releases/qt/6.5/CVE-2024-39936-qtbase-6.5.patch
Qt 6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/575684 or https://download.qt.io/archive/qt/6.2/CVE-2024-39936-qtbase-6.2.patch
Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/575980 or https://download.qt.io/archive/qt/5.15/CVE-2024-39936-qtbase-5.15.patch
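Because the fix landed separately on each branch listed above, a plain numeric comparison (for example "at least 6.5.7") would wrongly report 6.7.2 as patched. The following branch-aware check is an added example, not part of the advisory; it assumes that branches newer than 6.8 were cut after the fix landed in dev, and it reports unlisted older branches (such as 6.6) as unknown.

```python
"""Branch-aware check of a Qt version against the fixed releases listed in
the CVE-2024-39936 advisory (added example, not part of the advisory)."""
from typing import Optional

# Fixed release per minor branch, exactly as listed in the advisory.
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 18),
    (6, 2): (6, 2, 13),
    (6, 5): (6, 5, 7),
    (6, 7): (6, 7, 3),
    (6, 8): (6, 8, 0),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a plain 'major.minor.patch' Qt version string."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Qt version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_fixed(text: str) -> Optional[bool]:
    """True if the version carries the fix, False if it is vulnerable, None
    when the advisory lists no fix for that branch (needs manual review).

    The patch level is compared only within the matching minor branch, so
    6.7.2 is reported vulnerable even though it is numerically above 6.5.7."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        # Assumption: branches newer than the newest fixed branch (6.8) were
        # cut after the fix landed in dev. Older unlisted branches (e.g. 6.6)
        # are not covered by the advisory and are reported as None.
        return True if (major, minor) > max(FIXED_BY_BRANCH) else None
    return (major, minor, patch) >= fixed


def needs_http2_workaround(text: str) -> bool:
    """Apply the Http2AllowedAttribute=false workaround unless the version is
    positively known to carry the fix."""
    return is_fixed(text) is not True
```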
Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success
The Qt Company