The http2 bug tag covers discussions about a timing vulnerability in Qt's HTTP/2 implementation, tracked as CVE-2024-39936. This bug creates a race condition where code can make security-relevant decisions before a TLS session is fully confirmed, potentially leaking confidential data to the wrong endpoint during HTTP/2 redirects. The issue is not a cryptographic flaw but a timing gap in connection establishment. Threads under this tag focus on the technical details of the vulnerability, its impact on TLS redirects, and mitigation strategies for developers using Qt.
-
Qt's HTTP/2 handling bug tracked as CVE-2024-39936 lets code make security-relevant decisions before a TLS session has been confirmed, creating a timing gap that can leak confidential data to the wrong endpoint when HTTP/2 and redirects are involved.
Background
In early July 2024 a...