
Bug#920303: marked as done (apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time)



Your message dated Fri, 05 Apr 2019 05:32:09 +0000
with message-id <E1hCHST-000B0G-0Q@fasolo.debian.org>
and subject line Bug#920303: fixed in apache2 2.4.25-3+deb9u7
has caused the Debian Bug report #920303,
regarding apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
920303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920303
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: apache2
Version: 2.4.37-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 2.4.25-3+deb9u6
Control: found -1 2.4.25-3

Hi,

The following vulnerability was published for apache2.

CVE-2018-17199[0]:
mod_session_cookie does not respect expiry time

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199
[1] https://www.openwall.com/lists/oss-security/2019/01/22/3

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.25-3+deb9u7

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920303@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 02 Apr 2019 21:05:13 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: source amd64 all
Version: 2.4.25-3+deb9u7
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Closes: 904150 915103 920302 920303
Changes:
 apache2 (2.4.25-3+deb9u7) stretch-security; urgency=medium
 .
   [ Xavier Guimard ]
   * CVE-2018-17199: mod_session: Fix missing check for session expiry time.
     Closes: #920303
 .
   [ Stefan Fritsch ]
   * mod_http2: Fix keepalive timeout behavior. This fixes a regression with
     Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103
   * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
     Closes: #904150
   * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies.
     Closes: #920302
   * CVE-2019-0196: mod_http2: Fix read after free
   * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root.
   * CVE-2019-0217: mod_auth_digest: Access control bypass
   * CVE-2019-0220: URL normalization inconsistency.
     Consecutive slashes in URLs are now merged before use in LocationMatch
     and RewriteRule. The old behavior can be restored with the new directive
     "MergeSlashes off".
Checksums-Sha1:
 ad40893da9251264e64dd34b862d4ac6ac0b1b64 2986 apache2_2.4.25-3+deb9u7.dsc
 0eafb26fd945d2c39e54e54b8dd7616428984b56 795236 apache2_2.4.25-3+deb9u7.debian.tar.xz
 1cf9ffe32d5e58e3d0cda2cb9c0798257e1948ed 1187486 apache2-bin_2.4.25-3+deb9u7_amd64.deb
 abebbface5e521553163d3a962c0705577f3a169 162062 apache2-data_2.4.25-3+deb9u7_all.deb
 8869d0ea4b289825bb2fbb606faa6ba9cda8d007 4019618 apache2-dbg_2.4.25-3+deb9u7_amd64.deb
 f12e86b88c1a9c39632dd68e9448b5c90166d069 314496 apache2-dev_2.4.25-3+deb9u7_amd64.deb
 d999ab5602672930da5ec5e29f5f813636231b7e 3771360 apache2-doc_2.4.25-3+deb9u7_all.deb
 3e79e228fe28a466cfdb85d8400d3efd43264cff 2264 apache2-ssl-dev_2.4.25-3+deb9u7_amd64.deb
 ad49bfd135e52a3ab5f46aba4df4bd794a0906b0 155638 apache2-suexec-custom_2.4.25-3+deb9u7_amd64.deb
 013621fbbf0f16cbd152ef6902db5007f81004f1 154170 apache2-suexec-pristine_2.4.25-3+deb9u7_amd64.deb
 d5c726c6bbdb0a21154c79bbd2ed4bcdfb3a862d 217540 apache2-utils_2.4.25-3+deb9u7_amd64.deb
 b235276590e36f9519852bffb566be378265dc1f 10198 apache2_2.4.25-3+deb9u7_amd64.buildinfo
 d498c77f912427a041d6d10cb4833beea8fb9808 236346 apache2_2.4.25-3+deb9u7_amd64.deb
Checksums-Sha256:
 3e53a393d39bd3ae33f5c3864993939e15805ff58508392880b1fcb3d0783e5c 2986 apache2_2.4.25-3+deb9u7.dsc
 5c7855b18289bbdabce4ca5d4053f6dbd657f48b211a180503bf509a9dcc37d9 795236 apache2_2.4.25-3+deb9u7.debian.tar.xz
 5a47bb7406082dfffc5a3ad4f31e617ef44ee130c3d645b5598cda29bccc91d8 1187486 apache2-bin_2.4.25-3+deb9u7_amd64.deb
 9d3b0c2e0ebbe2ee5ec66216af242c54d724dc39d30c4ffb36a6de4d3d66174e 162062 apache2-data_2.4.25-3+deb9u7_all.deb
 5f7c3e07260c66ecc40fb9b605dfe6c09b5a003c04fa5fd967bf2b81f212cac7 4019618 apache2-dbg_2.4.25-3+deb9u7_amd64.deb
 4b8a0b283eed897922438f2ea8578661f30e7b5904a27dac1d43107c65b40e25 314496 apache2-dev_2.4.25-3+deb9u7_amd64.deb
 9c2e63a7111e84fc87e3d286ba646ff2a02b8ae10e5f7b6677a26dbb88d88e12 3771360 apache2-doc_2.4.25-3+deb9u7_all.deb
 761551e0b3e9a591fe22865f99b4e2129770c61e0ec2c15968f2c19983347232 2264 apache2-ssl-dev_2.4.25-3+deb9u7_amd64.deb
 c5a577e3310e0226823f49890117dd3a0497b4119c7fa565dc97985b42ced5f1 155638 apache2-suexec-custom_2.4.25-3+deb9u7_amd64.deb
 ed9e2be51892e98d65317d7e92c04d06431485ca5195abc702623e35f00cf00e 154170 apache2-suexec-pristine_2.4.25-3+deb9u7_amd64.deb
 9dca93d4cbebb04897406b509885d1c70b75109a925df3487ba8104a9c503e5c 217540 apache2-utils_2.4.25-3+deb9u7_amd64.deb
 ef506a0d3a96f58e494aa3d0f344b9b649888d86459d55c21a41adde664b7118 10198 apache2_2.4.25-3+deb9u7_amd64.buildinfo
 91d5fad810506aa57bbcbeb304a7ff8fd8052f26824a07364e05cc174064a00f 236346 apache2_2.4.25-3+deb9u7_amd64.deb
Files:
 92815523f438bf530348f0d091f6fd5a 2986 httpd optional apache2_2.4.25-3+deb9u7.dsc
 b47f809e70849281eb15a75b0da617f9 795236 httpd optional apache2_2.4.25-3+deb9u7.debian.tar.xz
 0e693e7814e561e859d87d6ed2ad71c1 1187486 httpd optional apache2-bin_2.4.25-3+deb9u7_amd64.deb
 1125e677a9b784669cac81a697fe0642 162062 httpd optional apache2-data_2.4.25-3+deb9u7_all.deb
 952505aa0026e70e1ebf4fa60c456f7c 4019618 debug extra apache2-dbg_2.4.25-3+deb9u7_amd64.deb
 2c29573b043a8db77723eb3b447848d8 314496 httpd optional apache2-dev_2.4.25-3+deb9u7_amd64.deb
 3799f98ca0f27bf7c6ba3735fae6f6f5 3771360 doc optional apache2-doc_2.4.25-3+deb9u7_all.deb
 a2ce439700817df3da3362105fb2ceb6 2264 httpd optional apache2-ssl-dev_2.4.25-3+deb9u7_amd64.deb
 a8961862b848070a088fbeba39ed9e4c 155638 httpd extra apache2-suexec-custom_2.4.25-3+deb9u7_amd64.deb
 c30a0af32ace92be3cbc1b205edc715f 154170 httpd optional apache2-suexec-pristine_2.4.25-3+deb9u7_amd64.deb
 19e642b945fbae6f71c1e81f1d0fa4f7 217540 httpd optional apache2-utils_2.4.25-3+deb9u7_amd64.deb
 0afb9bb4cbe329b4b764831b367f9d4d 10198 httpd optional apache2_2.4.25-3+deb9u7_amd64.buildinfo
 6415829488ac482552d8549500197d7e 236346 httpd optional apache2_2.4.25-3+deb9u7_amd64.deb


--- End Message ---
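The changelog line for CVE-2018-17199 says only that a check for the session expiry time was missing. The underlying problem in httpd up to 2.4.37 was one of ordering: ap_session_load compared the expiry against the current time before the session record had been decoded, and for mod_session_cookie the expiry only becomes known by decoding the cookie, so the comparison ran against an empty value and never failed. The following Python is an added model written for this page, not code from httpd or from the Debian package; it re-implements just enough of mod_session's identity encoding (key=value pairs joined by '&', with the reserved 'expiry' key holding an absolute time in microseconds since the epoch) to show the two orderings side by side. The function names and the sample session are constructed for the illustration.

```python
"""
Model of the CVE-2018-17199 ordering bug in httpd's mod_session.

Added illustration, not httpd code: it mimics the identity encoder's
'&'-joined key=value format and the reserved 'expiry' key (microseconds
since the epoch; 0 means "never expires"), then contrasts the pre-fix
check-before-decode order with the fixed decode-then-check order.
"""
import time
from urllib.parse import quote, unquote

EXPIRY_KEY = "expiry"  # key mod_session reserves for the expiry time


def encode_session(entries, expiry_us):
    """Serialise a session like mod_session's identity encoder:
    key=value pairs joined by '&', expiry carried as a plain entry."""
    fields = dict(entries)
    fields[EXPIRY_KEY] = str(expiry_us)
    return "&".join(f"{quote(k)}={quote(v)}" for k, v in fields.items())


def decode_session(raw):
    """Split the cookie back into (entries, expiry_us).
    A missing or malformed expiry decodes as 0, i.e. 'never'."""
    entries = {}
    expiry_us = 0
    for pair in raw.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key, value = unquote(key), unquote(value)
        if key == EXPIRY_KEY:
            try:
                expiry_us = int(value)
            except ValueError:
                expiry_us = 0
        else:
            entries[key] = value
    return entries, expiry_us


def load_session_vulnerable(raw, now_us):
    """Pre-fix ordering (httpd <= 2.4.37 as described for the CVE):
    the expiry is compared before decoding, while it is still 0, so the
    check can never fail for cookie-backed sessions and stale entries are
    decoded and handed to the application anyway."""
    expiry_us = 0  # decoding has not run yet, so nothing populated it
    if expiry_us and expiry_us < now_us:
        return {}
    entries, _expiry_us = decode_session(raw)
    return entries


def load_session_fixed(raw, now_us):
    """Fixed ordering: decode first, then discard an expired session so
    the application sees an empty one."""
    entries, expiry_us = decode_session(raw)
    if expiry_us and expiry_us < now_us:
        return {}
    return entries


def demo():
    """Constructed example: a privileged session that expired an hour ago.
    Returns what each ordering would hand to the application."""
    now_us = int(time.time() * 1_000_000)
    one_hour_ago = now_us - 3600 * 1_000_000
    cookie = encode_session({"user": "alice", "role": "admin"}, one_hour_ago)
    return load_session_vulnerable(cookie, now_us), load_session_fixed(cookie, now_us)


if __name__ == "__main__":
    stale, rejected = demo()
    print("vulnerable ordering accepts:", stale)
    print("fixed ordering accepts:", rejected)
```

One caveat worth keeping in mind when assessing exposure: a mod_session_cookie session lives entirely in the browser, so without mod_session_crypto the client can rewrite the expiry field as freely as any other entry, and the expiry check only carries weight for sessions that are encrypted and authenticated server-side. The fix matters most for deployments that rely on SessionMaxAge to bound the lifetime of a crypto-protected cookie.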

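The CVE-2019-0220 entry in the same changelog notes that consecutive slashes are now merged before LocationMatch and RewriteRule see the path, and that "MergeSlashes off" restores the old behaviour. The practical consequence is that a regex anchored at "^/admin/" used to be bypassable by requesting "//admin/..." while the filesystem or backend still served the same resource. The Python below is an added example written for this page, not httpd code; it models the match step with a simple slash-merge and shows how the same request path fares under the new default, under "MergeSlashes off", and under a regex written to tolerate repeated slashes (a defensive rewrite suggested here, not something the changelog prescribes). The request paths are constructed for the illustration.

```python
"""
Model of the LocationMatch behaviour change for CVE-2019-0220.

Added illustration, not httpd code. httpd 2.4.25-3+deb9u7 merges runs
of '/' before LocationMatch and RewriteRule evaluate the path; this mimics
that step so the effect on an anchored regex can be compared directly.
"""
import re

PROTECTED = r"^/admin/"        # naive rule, assumes a single leading slash
PROTECTED_TOLERANT = r"^/+admin/"  # suggested form if MergeSlashes is off


def merge_slashes(path):
    """Collapse every run of two or more '/' into one, as the fixed
    server does before regex-based matching."""
    return re.sub(r"/{2,}", "/", path)


def location_match(pattern, path, merge=True):
    """Evaluate a LocationMatch-style regex against the request path,
    with or without the slash merge (merge=False models MergeSlashes off)."""
    candidate = merge_slashes(path) if merge else path
    return re.search(pattern, candidate) is not None


def classify(paths):
    """For each constructed path report whether the naive rule matches with
    merging (new default), without merging (MergeSlashes off), and whether
    the tolerant rule still matches without merging."""
    return {
        p: (
            location_match(PROTECTED, p, merge=True),
            location_match(PROTECTED, p, merge=False),
            location_match(PROTECTED_TOLERANT, p, merge=False),
        )
        for p in paths
    }


def bypasses_without_merge(paths):
    """Paths that the naive rule protects only because of slash merging."""
    return [p for p, (merged, raw, _) in classify(paths).items() if merged and not raw]


SAMPLE_PATHS = ["/admin/users", "//admin/users", "///admin//users", "/static/app.js"]

if __name__ == "__main__":
    for path, flags in classify(SAMPLE_PATHS).items():
        print(f"{path:20s} merged={flags[0]} raw={flags[1]} tolerant={flags[2]}")
    print("protected only by merging:", bypasses_without_merge(SAMPLE_PATHS))
```

If an application needs "MergeSlashes off" (for instance because it encodes meaning in empty path segments), every LocationMatch, RewriteRule and RewriteCond that gates access should be audited for a leading "^/" anchor and rewritten in the "^/+" form, since the server will once again pass the raw path through.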