
Bug#920303: marked as done (apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time)



Your message dated Tue, 29 Jan 2019 23:19:31 +0000
with message-id <E1gocfD-0009H3-HQ@fasolo.debian.org>
and subject line Bug#920303: fixed in apache2 2.4.38-1
has caused the Debian Bug report #920303,
regarding apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
920303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920303
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.37-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 2.4.25-3+deb9u6
Control: found -1 2.4.25-3

Hi,

The following vulnerability was published for apache2.

CVE-2018-17199[0]:
mod_session_cookie does not respect expiry time

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199
[1] https://www.openwall.com/lists/oss-security/2019/01/22/3

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.38-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920303@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 29 Jan 2019 23:49:49 +0100
Source: apache2
Binary: apache2 apache2-bin apache2-bin-dbgsym apache2-data apache2-dev apache2-doc apache2-ssl-dev apache2-suexec-custom apache2-suexec-custom-dbgsym apache2-suexec-pristine apache2-suexec-pristine-dbgsym apache2-utils apache2-utils-dbgsym libapache2-mod-md libapache2-mod-proxy-uwsgi
Architecture: source
Version: 2.4.38-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 880993 920220 920302 920303
Description: 
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 libapache2-mod-md - transitional package
 libapache2-mod-proxy-uwsgi - transitional package
Changes:
 apache2 (2.4.38-1) unstable; urgency=medium
 .
   [ Jelmer Vernooij ]
   * Reverted for now: Transition to automatic debug package (from: apache2-dbg)
   * Trim trailing whitespace
   * Use secure copyright file specification URI
 .
   [ Niels Thykier ]
   * Add Rules-Requires-Root: binary-targets
 .
   [ Xavier Guimard ]
   * Convert signing-key.pgp into signing-key.asc
   * Add http2.conf (Closes: #880993)
   * Remove unnecessary greater-than versioned dependency to dpkg-dev,
     libbrotli-dev and libapache2-mod-md
   * Declare compliance with policy 4.2.1
   * Add spelling errors patch (reported)
   * Fix some spelling errors in debian files
   * Add myself to uploaders
   * Refresh patches
   * Bump debhelper compatibility level to 10
   * debian/rules:
     - Remove unnecessary dh argument --parallel
     - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
   * Add upstream/metadata
   * Replace MIT by Expat in debian/copyright
   * debian/watch: use https url
   * Add documentation links in systemd service files
   * Team upload
 .
   [ Cyrille Bollu ]
   * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as
     it gets automatically de-activated upon apache startup when using
     mpm_prefork.
   * Updated http2.conf to inform users that they may want to change their
     LogFormat directives.
 .
   [ Xavier Guimard ]
   * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
   * Refresh patches
   * Remove setenvifexpr.diff patch now included in upstream
   * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
   * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed
   * Declare compliance with policy 4.3.0
   * Fix homepage to https
   * Update debian/copyright


--- End Message ---
