The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
http://httpd.apache.org/security/vulnerabilities_24.html
http://www.apache.org/dist/httpd/CHANGES_2.4
https://github.com/apache/httpd/commit/cd2b7a26c776b0754fb98426a67804fd48118708
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
https://support.apple.com/kb/HT205031
http://www.ubuntu.com/usn/USN-2686-1
https://support.apple.com/HT205217
http://lists.apple.com/archives/security-announce/2015/Sep/msg00004.html
http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
https://support.apple.com/HT205219
http://www.securityfocus.com/bid/75965
http://lists.opensuse.org/opensuse-updates/2015-10/msg00011.html
http://www.debian.org/security/2015/dsa-3325
http://rhn.redhat.com/errata/RHSA-2015-1667.html
http://www.securitytracker.com/id/1032967
https://access.redhat.com/errata/RHSA-2017:2710
https://access.redhat.com/errata/RHSA-2017:2709
https://access.redhat.com/errata/RHSA-2017:2708
http://rhn.redhat.com/errata/RHSA-2016-2957.html
http://rhn.redhat.com/errata/RHSA-2015-1666.html
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://github.com/apache/httpd/commit/db81019ab88734ed35fa70294a0cfa7a19743f73
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E