apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time

Related Vulnerabilities: CVE-2018-17199, CVE-2018-17189, CVE-2019-0196, CVE-2019-0211, CVE-2019-0217, CVE-2019-0220

Debian Bug report logs - #920303

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 23 Jan 2019 20:36:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions apache2/2.4.25-3, apache2/2.4.37-1, apache2/2.4.25-3+deb9u6

Fixed in versions apache2/2.4.38-1, apache2/2.4.25-3+deb9u7

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#920303; Package src:apache2. (Wed, 23 Jan 2019 20:36:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>. (Wed, 23 Jan 2019 20:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time
Date: Wed, 23 Jan 2019 21:32:56 +0100
Source: apache2
Version: 2.4.37-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 2.4.25-3+deb9u6
Control: found -1 2.4.25-3

Hi,

The following vulnerability was published for apache2.

CVE-2018-17199[0]:
mod_session_cookie does not respect expiry time

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17199
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199
[1] https://www.openwall.com/lists/oss-security/2019/01/22/3

Regards,
Salvatore



Marked as found in versions apache2/2.4.25-3+deb9u6. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 23 Jan 2019 20:36:04 GMT)


Marked as found in versions apache2/2.4.25-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 23 Jan 2019 20:36:05 GMT)


Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Tue, 29 Jan 2019 23:21:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 29 Jan 2019 23:21:13 GMT)


Message #14 received at 920303-close@bugs.debian.org:

From: Xavier Guimard <yadd@debian.org>
To: 920303-close@bugs.debian.org
Subject: Bug#920303: fixed in apache2 2.4.38-1
Date: Tue, 29 Jan 2019 23:19:31 +0000
Source: apache2
Source-Version: 2.4.38-1

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920303@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 29 Jan 2019 23:49:49 +0100
Source: apache2
Binary: apache2 apache2-bin apache2-bin-dbgsym apache2-data apache2-dev apache2-doc apache2-ssl-dev apache2-suexec-custom apache2-suexec-custom-dbgsym apache2-suexec-pristine apache2-suexec-pristine-dbgsym apache2-utils apache2-utils-dbgsym libapache2-mod-md libapache2-mod-proxy-uwsgi
Architecture: source
Version: 2.4.38-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 880993 920220 920302 920303
Description: 
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
 libapache2-mod-md - transitional package
 libapache2-mod-proxy-uwsgi - transitional package
Changes:
 apache2 (2.4.38-1) unstable; urgency=medium
 .
   [ Jelmer Vernooij ]
   * Reverted for now: Transition to automatic debug package (from: apache2-dbg)
   * Trim trailing whitespace
   * Use secure copyright file specification URI
 .
   [ Niels Thykier ]
   * Add Rules-Requires-Root: binary-targets
 .
   [ Xavier Guimard ]
   * Convert signing-key.pgp into signing-key.asc
   * Add http2.conf (Closes: #880993)
   * Remove unnecessary greater-than versioned dependency to dpkg-dev,
     libbrotli-dev and libapache2-mod-md
   * Declare compliance with policy 4.2.1
   * Add spelling errors patch (reported)
   * Fix some spelling errors in debian files
   * Add myself to uploaders
   * Refresh patches
   * Bump debhelper compatibility level to 10
   * debian/rules:
     - Remove unnecessary dh argument --parallel
     - use /usr/share/dpkg/pkg-info.mk instead of dpkg-parsechangelog
   * Add upstream/metadata
   * Replace MIT by Expat in debian/copyright
   * debian/watch: use https url
   * Add documentation links in systemd service files
   * Team upload
 .
   [ Cyrille Bollu ]
   * Put HTTP2 configuration within <IfModule !mpm_prefork></IfModule> tags as
     it gets automatically de-activated upon apache 'startup when using
     mpm_prefork.
   * Updated http2.conf to inform user that they may want to change their
     LogFormat directives.
 .
   [ Xavier Guimard ]
   * New upstream version 2.4.38 (Closes: #920220, #920302, #920303)
   * Refresh patches
   * Remove setenvifexpr.diff patch now included in upstream
   * Replace libapache2-mod-proxy-uwsgi.{post*,prerm} by a maintscript
   * Add a "sleep" in debian/tests/htcacheclean and skip result if "stop" failed
   * Declare compliance with policy 4.3.0
   * Fix homepage to https
   * Update debian/copyright



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Mar 2019 07:25:45 GMT)


Bug unarchived. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Sun, 10 Mar 2019 10:36:06 GMT)


Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Fri, 05 Apr 2019 05:36:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 05 Apr 2019 05:36:09 GMT)


Message #23 received at 920303-close@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: 920303-close@bugs.debian.org
Subject: Bug#920303: fixed in apache2 2.4.25-3+deb9u7
Date: Fri, 05 Apr 2019 05:32:09 +0000
Source: apache2
Source-Version: 2.4.25-3+deb9u7

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920303@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 02 Apr 2019 21:05:13 +0200
Source: apache2
Binary: apache2 apache2-data apache2-bin apache2-utils apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev apache2-ssl-dev apache2-dbg
Architecture: source amd64 all
Version: 2.4.25-3+deb9u7
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
 apache2    - Apache HTTP Server
 apache2-bin - Apache HTTP Server (modules and other binary files)
 apache2-data - Apache HTTP Server (common files)
 apache2-dbg - Apache debugging symbols
 apache2-dev - Apache HTTP Server (development headers)
 apache2-doc - Apache HTTP Server (on-site documentation)
 apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
 apache2-suexec-custom - Apache HTTP Server configurable suexec program for mod_suexec
 apache2-suexec-pristine - Apache HTTP Server standard suexec program for mod_suexec
 apache2-utils - Apache HTTP Server (utility programs for web servers)
Closes: 904150 915103 920302 920303
Changes:
 apache2 (2.4.25-3+deb9u7) stretch-security; urgency=medium
 .
   [ Xavier Guimard ]
   * CVE-2018-17199: mod_session: Fix missing check for session expiry time.
     Closes: #920303
 .
   [ Stefan Fritsch ]
   * mod_http2: Fix keepalive timeout behavior. This fixes a regression with
     Safari web browsers, introduced in 2.4.25-3+deb9u6. Closes: #915103
   * Fix typo in apache2_switch_mpm() in apache2-maintscript-helper.
     Closes: #904150
   * CVE-2018-17189: mod_http2: Fix DoS via slow, unneeded request bodies.
     Closes: #920302
   * CVE-2019-0196: mod_http2: Fix read after free
   * CVE-2019-0211: All MPMs: privilege escalation from www-data user to root.
   * CVE-2019-0217: mod_auth_digest: Access control bypass
   * CVE-2019-0220: URL normalization inconsistency.
     Consecutive slashes in URLs are now merged before use in LocationMatch
     and RewriteRule. The old behavior can be restored with the new directive
     "MergeSlashes off".



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 May 2019 07:25:38 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:37:03 2019; Machine Name: buxtehude