Bugzilla – Bug 1122839
VUL-1: CVE-2018-17199: apache2: mod_session_cookie does not respect expiry time
Last modified: 2021-01-12 12:15:26 UTC
via oss-sec

CVE-2018-17199: mod_session_cookie does not respect expiry time

Severity: low
Vendor: The Apache Software Foundation
Versions Affected: httpd 2.4.0 to 2.4.37

Description: In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

Mitigation: All httpd users deploying mod_session should upgrade to 2.4.38 or later.

Credit: The issue was discovered by Diego Angulo from ImExHS.

References: https://httpd.apache.org/security/vulnerabilities_24.html
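A simplified model of the ordering problem the advisory describes, added here as an illustration and not taken from httpd's source. The `session_t` type, the function names and the sample cookie string are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified cookie-backed session (hypothetical type, not httpd's API). */
typedef struct {
    const char *encoded; /* raw cookie value, e.g. "expiry=100&user=alice" */
    long expiry;         /* stays 0 until the cookie has been decoded */
} session_t;

/* Decode step: the expiry only becomes known here. */
static void session_decode(session_t *s) {
    const char *p = s->encoded;
    while (p && *p) {
        if (strncmp(p, "expiry=", 7) == 0)
            s->expiry = strtol(p + 7, NULL, 10);
        p = strchr(p, '&');
        if (p) p++; /* step past the separator to the next pair */
    }
}

/* A session with no expiry set (0) is treated as non-expiring. */
static int session_expired(const session_t *s, long now) {
    return s->expiry != 0 && s->expiry < now;
}

/* Order from the advisory: check expiry, then decode. Returns 1 if accepted. */
int load_check_before_decode(const char *cookie, long now) {
    session_t s = { cookie, 0 };
    if (session_expired(&s, now)) return 0; /* expiry is still 0: never fires */
    session_decode(&s);
    return 1;
}

/* Corrected order: decode first so the check sees the real expiry. */
int load_decode_before_check(const char *cookie, long now) {
    session_t s = { cookie, 0 };
    session_decode(&s);
    if (session_expired(&s, now)) return 0;
    return 1;
}

int main(void) {
    const char *cookie = "expiry=100&user=alice"; /* constructed sample */
    printf("check before decode, now=200: accepted=%d\n",
           load_check_before_decode(cookie, 200));
    printf("decode before check, now=200: accepted=%d\n",
           load_decode_before_check(cookie, 200));
    return 0;
}
```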
I think http://svn.apache.org/viewvc?view=revision&revision=1851409
Which code streams holding 2.4 are currently supported?
Will submit for 15,12sp2,12sp1,12/apache2.
Packages submitted. I believe all fixed.
SUSE-SU-2019:0498-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): apache2-2.4.23-29.34.4
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): apache2-2.4.23-29.34.4
SUSE Linux Enterprise Server 12-SP4 (src): apache2-2.4.23-29.34.4
SUSE Linux Enterprise Server 12-SP3 (src): apache2-2.4.23-29.34.4
SUSE-SU-2019:0504-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src): apache2-2.4.33-3.9.7
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): apache2-2.4.33-3.9.7
openSUSE-SU-2019:0296-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
openSUSE Leap 15.0 (src): apache2-2.4.33-lp150.2.9.1
openSUSE-SU-2019:0305-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
openSUSE Leap 42.3 (src): apache2-2.4.23-37.1
SUSE-SU-2019:0888-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1122839,1131239,1131241
CVE References: CVE-2018-17199,CVE-2019-0217,CVE-2019-0220
Sources used:
SUSE Linux Enterprise Server 12-SP1-LTSS (src): apache2-2.4.16-20.24.1

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:0889-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1122839,1131239,1131241
CVE References: CVE-2018-17199,CVE-2019-0217,CVE-2019-0220
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src): apache2-2.4.10-14.36.1

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
done