Bug 987543 (CVE-2013-2249)

Summary: CVE-2013-2249 httpd: mod_session_dbd session fixation flaw
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jkaluza, jkurik, jorton, pahan, webstack-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20130722,reported=20130723,source=cve,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:P/A:N,rhel-4/httpd=notaffected,rhel-5/httpd=notaffected,rhel-6/httpd=notaffected,rhel-7/httpd=notaffected,fedora-all/httpd=affected,cwe=CWE-384[auto]
Fixed In Version: httpd 2.4.5
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-08-09 15:32:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 987544, 987545

Description Vincent Danen 2013-07-23 11:42:57 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-2249 to
the following vulnerability:

Name: CVE-2013-2249
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249
Assigned: 20130219
Reference: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_dbd.c?r1=1409170&r2=1488158&diff_format=h
Reference: http://www.apache.org/dist/httpd/CHANGES_2.4.6

mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP
Server before 2.4.5 proceeds with save operations for a session
without considering the dirty flag and the requirement for a new
session ID, which has unspecified impact and remote attack vectors.
Comment 2 Vincent Danen 2013-07-23 11:45:12 EDT
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 987545]
Comment 3 Vincent Danen 2013-07-23 11:47:23 EDT
Not vulnerable. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 4, 5, or 6 as they did not include the mod_session_dbd module.
Comment 4 Fedora Update System 2013-08-09 13:11:02 EDT
httpd-2.4.6-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-08-16 19:03:25 EDT
httpd-2.4.6-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.