Security advisory: Recently discovered HTTP2 handling issue impacts Qt

Whenever a TLS connection is started for a server that supports HTTP2 and has sent some data to the application then Qt will send data to the server even if the TLS certificate does not match the address it has been redirected too. This has been assigned the CVE id CVE-2024-39936.

This is known to affect all versions of Qt that have support for HTTP2. In earlier versions, this was defaulted to be off, but could be turned on with the relevant attribute.

Solution: As a workaround, the support can be turned off by calling:

setAttribute(QNetworkRequest::Http2AllowedAttribute, false);

on the QNetworkRequest used to start the initial request.

Alternatively update to Qt 6.8.0, Qt 6.7.3, Qt 6.5.7, Qt 6.2.13 or Qt 5.15.18.

Patches:

dev: <https://codereview.qt-project.org/c/qt/qtbase/+/571601&gt;
Qt 6.7 and Qt 6.6: <https://codereview.qt-project.org/c/qt/qtbase/+/574323&gt; or <https://download.qt.io/official_releases/qt/6.7/CVE-2024-39936-qtbase-6.7.patch&gt;
Qt 6.5: <https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/574426&gt; or <https://download.qt.io/official_releases/qt/6.5/CVE-2024-39936-qtbase-6.5.patch&gt;
Qt 6.2: <https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/575684&gt; or <https://download.qt.io/archive/qt/6.2/CVE-2024-39936-qtbase-6.2.patch&gt;
Qt 5.15: <https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/575980&gt; or <https://download.qt.io/archive/qt/5.15/CVE-2024-39936-qtbase-5.15.patch&gt;