Debian alert DLA-1647-1 (apache2)
From: Thorsten Alteholz <debian@alteholz.de>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1647-1] apache2 security update
Date: Tue, 29 Jan 2019 22:28:38 +0100 (CET)
Message-ID: <alpine.DEB.2.20.1901292223180.2305@jupiter.server.alteholz.net>

Package        : apache2
Version        : 2.4.10-10+deb8u13
CVE ID         : CVE-2018-17199

Diego Angulo from ImExHS discovered an issue in the webserver apache2.
The module mod_session ignored the expiry time of sessions handled by
mod_session_cookie, because the expiry time is available only after
decoding the session and the check was already done before.

For Debian 8 "Jessie", this problem has been fixed in version
2.4.10-10+deb8u13.

We recommend that you upgrade your apache2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS