The qt security tag covers discussions about vulnerabilities and security issues in the Qt framework, particularly those affecting Windows systems. Recent content highlights CVE-2024-39936, a timing bug in Qt's HTTP/2 handling that can cause TLS redirects to leak data due to a race condition in connection establishment. This tag is relevant for developers and IT professionals using Qt on Windows who need to understand security patches, timing attacks, and best practices for secure HTTP/2 implementation. Topics include TLS handshake delays, TOCTOU vulnerabilities, and mitigations for Qt-based applications.
-
Qt's HTTP/2 handling bug tracked as CVE-2024-39936 lets code make security-relevant decisions before a TLS session has been confirmed, creating a timing gap that can leak confidential data to the wrong endpoint when HTTP/2 and redirects are involved.
Background
In early July 2024 a...