Whenever a TLS connection is started to a server that supports HTTP/2, and that 
server has sent some data to the application, Qt will send data to the server 
even if the TLS certificate does not match the address it has been redirected 
to. This has been assigned the CVE id CVE-2024-39936. 

This is known to affect all versions of Qt that have support for HTTP/2. In 
earlier versions HTTP/2 support was off by default, but could be turned on with 
the relevant attribute. 

Solution: As a workaround, HTTP/2 support can be turned off by calling:

   setAttribute(QNetworkRequest::Http2AllowedAttribute, false);

on the QNetworkRequest used to start the initial request.

Alternatively update to Qt 6.8.0, Qt 6.7.3, Qt 6.5.7, Qt 6.2.13 or Qt 5.15.18.
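As an added example, not code from this advisory or from Qt itself, the following applies the workaround above only when the Qt library actually loaded at run time is one the advisory lists as unfixed. The helper names (parseQtVersion, needsHttp2Workaround, applyHttp2Workaround) are hypothetical; the fixed-version table is taken from the advisory, while treating branches it does not list (6.6, 6.4, 6.3, 6.1, 6.0 and 5.x below 5.15) as still affected, later majors as fixed, and pre-5 Qt as having no HTTP/2 to disable are assumptions of this example. The Qt-specific function is compiled only when the Qt headers are present, so the version logic can be built and tested without Qt.

```cpp
// Added example (not from the advisory or from Qt): decide at run time whether
// the Qt shared library actually in use still carries CVE-2024-39936, and if
// so apply the advisory's workaround to a QNetworkRequest.
#include <cstdlib>

#if __has_include(<QNetworkRequest>)
#include <QNetworkRequest>
#include <QtGlobal>   // qVersion()
#define EXAMPLE_HAVE_QT 1
#endif

struct QtVersion { int major; int minor; int patch; };

// Parse "major.minor" or "major.minor.patch" (the format qVersion() returns).
// Rejects anything else (suffixes, extra components, empty fields) so that a
// surprising version string is never silently treated as "fixed".
bool parseQtVersion(const char *s, QtVersion &out) {
    if (!s || !*s) return false;
    int parts[3] = {0, 0, 0};
    int n = 0;
    const char *p = s;
    for (;;) {
        if (*p < '0' || *p > '9') return false;      // each component starts with a digit
        char *end = nullptr;
        long v = std::strtol(p, &end, 10);
        if (v > 100000) return false;
        parts[n++] = static_cast<int>(v);
        if (*end == '\0') break;                      // end of string
        if (*end != '.' || n == 3) return false;      // only "a.b" or "a.b.c"
        p = end + 1;
    }
    if (n < 2) return false;
    out = {parts[0], parts[1], parts[2]};
    return true;
}

// Small wrapper so parse results can be checked without declaring a struct.
bool parsesTo(const char *s, int major, int minor, int patch) {
    QtVersion v{};
    return parseQtVersion(s, v) && v.major == major && v.minor == minor && v.patch == patch;
}

// True when this Qt version still needs the workaround. Fixed releases per the
// advisory: 6.8.0, 6.7.3, 6.5.7, 6.2.13 and 5.15.18. Branches with no listed
// fix release are treated as affected regardless of patch level (assumption).
bool needsHttp2Workaround(const QtVersion &v) {
    if (v.major >= 7) return false;               // assumption: later majors inherit the fix
    if (v.major == 6) {
        if (v.minor >= 8) return false;           // 6.8.0 and later
        if (v.minor == 7) return v.patch < 3;     // fixed in 6.7.3
        if (v.minor == 5) return v.patch < 7;     // fixed in 6.5.7
        if (v.minor == 2) return v.patch < 13;    // fixed in 6.2.13
        return true;                              // 6.0, 6.1, 6.3, 6.4, 6.6: no fix listed
    }
    if (v.major == 5) {
        if (v.minor == 15) return v.patch < 18;   // fixed in 5.15.18
        return true;                              // older 5.x: no fix listed
    }
    return false;  // assumption: pre-5 Qt has no HTTP/2 support, nothing to disable
}

// Convenience overload taking the raw version string. An unparseable string
// fails closed: the workaround is applied.
bool needsHttp2Workaround(const char *versionString) {
    QtVersion v{};
    if (!parseQtVersion(versionString, v)) return true;
    return needsHttp2Workaround(v);
}

#ifdef EXAMPLE_HAVE_QT
// Apply the advisory's workaround before the request is handed to
// QNetworkAccessManager. qVersion() reports the library actually loaded, which
// can differ from the headers the binary was compiled against.
void applyHttp2Workaround(QNetworkRequest &request) {
    if (needsHttp2Workaround(qVersion()))
        request.setAttribute(QNetworkRequest::Http2AllowedAttribute, false);
}
#endif
```

Because the advisory's workaround is an attribute on the QNetworkRequest, it must be applied to every request the application starts, not once globally; a helper like applyHttp2Workaround called from a single request-building function is the easiest way to make sure none are missed.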

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/571601
Qt 6.7: https://codereview.qt-project.org/c/qt/qtbase/+/574323 or 
https://download.qt.io/official_releases/qt/6.7/CVE-2024-39936-qtbase-6.7.patch
Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/574426 or 
https://download.qt.io/official_releases/qt/6.5/CVE-2024-39936-qtbase-6.5.patch
Qt 6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/575684 or 
https://download.qt.io/archive/qt/6.2/CVE-2024-39936-qtbase-6.2.patch
Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/575980 or 
https://download.qt.io/archive/qt/5.15/CVE-2024-39936-qtbase-5.15.patch

Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success 
The Qt Company

_______________________________________________
Announce mailing list
annou...@qt-project.org
https://lists.qt-project.org/listinfo/announce
-- 
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development
