Bug 1122839 - (CVE-2018-17199) VUL-1: CVE-2018-17199: apache2: mod_session_cookie does not respect expiry time
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/223571/
CVSSv3:RedHat:CVE-2018-17199:4.3:(AV:...
Depends on:
Blocks:
Reported: 2019-01-23 07:01 UTC by Marcus Meissner
Modified: 2021-01-12 12:15 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2019-01-23 07:01:43 UTC
via oss-sec

CVE-2018-17199: mod_session_cookie does not respect expiry time

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.37

Description:
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session
checks the session expiry time before decoding the session.
This causes session expiry time to be ignored for
mod_session_cookie sessions since the expiry time is loaded
when the session is decoded.

Mitigation:
All httpd users deploying mod_session should upgrade to 2.4.38 or later.

Credit:
The issue was discovered by Diego Angulo from ImExHS.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
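The ordering defect described in the advisory, as an added illustration that is neither the advisory's nor httpd's own code: a simplified C model of the mod_session load path, in which the cookie format, the session_t struct and the load_* functions are assumptions, with the vulnerable check-then-decode order beside the fixed decode-then-check order.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of the mod_session load path around CVE-2018-17199
 * (illustrative code, not httpd's own). The cookie carries the encoded
 * session, and the expiry field is only known once it has been decoded. */
typedef struct {
    long expiry;       /* 0 = unknown or no expiry */
    char user[32];
} session_t;

/* Decode a constructed "expiry=<unix>&user=<name>" string into the session. */
static void decode_session(session_t *s, const char *encoded) {
    char buf[128];
    char *tok;
    strncpy(buf, encoded, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (tok = strtok(buf, "&"); tok != NULL; tok = strtok(NULL, "&")) {
        if (strncmp(tok, "expiry=", 7) == 0) {
            s->expiry = strtol(tok + 7, NULL, 10);
        } else if (strncmp(tok, "user=", 5) == 0) {
            strncpy(s->user, tok + 5, sizeof s->user - 1);
            s->user[sizeof s->user - 1] = '\0';
        }
    }
}

/* Vulnerable order (2.4.37 and earlier): the expiry check runs against the
 * not-yet-decoded session, so expiry is still 0 and the check never rejects. */
int load_vulnerable(session_t *s, const char *cookie, long now) {
    memset(s, 0, sizeof *s);
    if (s->expiry != 0 && now > s->expiry)
        return 0;              /* unreachable: expiry has not been loaded yet */
    decode_session(s, cookie);
    return 1;                  /* an expired session is accepted as valid */
}

/* Fixed order (2.4.38): decode first, then apply the expiry check. */
int load_fixed(session_t *s, const char *cookie, long now) {
    memset(s, 0, sizeof *s);
    decode_session(s, cookie);
    if (s->expiry != 0 && now > s->expiry)
        return 0;              /* expired: caller starts a fresh session */
    return 1;
}

/* Wrappers returning only the accept/reject outcome of each code path. */
int vulnerable_accepts(const char *cookie, long now) { session_t s; return load_vulnerable(&s, cookie, now); }
int fixed_accepts(const char *cookie, long now) { session_t s; return load_fixed(&s, cookie, now); }
```

With a constructed cookie whose expiry lies in the past, load_vulnerable still accepts it while load_fixed rejects it; the fixed path continues to accept cookies that are unexpired or carry no expiry at all.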
Comment 1 Petr Gajdos 2019-01-24 08:42:15 UTC
I think
http://svn.apache.org/viewvc?view=revision&revision=1851409
Comment 2 Petr Gajdos 2019-01-24 09:06:08 UTC
Which code streams holding 2.4 are currently supported?
Comment 4 Petr Gajdos 2019-01-24 10:02:53 UTC
Will submit for 15,12sp2,12sp1,12/apache2.
Comment 5 Petr Gajdos 2019-01-24 10:05:24 UTC
Packages submitted. I believe all fixed.
Comment 7 Swamp Workflow Management 2019-02-26 20:13:11 UTC
SUSE-SU-2019:0498-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    apache2-2.4.23-29.34.4
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    apache2-2.4.23-29.34.4
SUSE Linux Enterprise Server 12-SP4 (src):    apache2-2.4.23-29.34.4
SUSE Linux Enterprise Server 12-SP3 (src):    apache2-2.4.23-29.34.4
Comment 8 Swamp Workflow Management 2019-02-27 11:13:00 UTC
SUSE-SU-2019:0504-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    apache2-2.4.33-3.9.7
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    apache2-2.4.33-3.9.7
Comment 9 Swamp Workflow Management 2019-03-06 20:12:35 UTC
openSUSE-SU-2019:0296-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
openSUSE Leap 15.0 (src):    apache2-2.4.33-lp150.2.9.1
Comment 10 Swamp Workflow Management 2019-03-08 14:11:08 UTC
openSUSE-SU-2019:0305-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
openSUSE Leap 42.3 (src):    apache2-2.4.23-37.1
Comment 12 Swamp Workflow Management 2019-04-05 10:13:52 UTC
SUSE-SU-2019:0888-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1122839,1131239,1131241
CVE References: CVE-2018-17199,CVE-2019-0217,CVE-2019-0220
Sources used:
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    apache2-2.4.16-20.24.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-04-05 10:15:49 UTC
SUSE-SU-2019:0889-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1122839,1131239,1131241
CVE References: CVE-2018-17199,CVE-2019-0217,CVE-2019-0220
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    apache2-2.4.10-14.36.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 14 Marcus Meissner 2019-07-18 07:05:30 UTC
done