From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-2249 to the following vulnerability:

Name: CVE-2013-2249
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2249
Assigned: 20130219
Reference: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_dbd.c?r1=1409170&r2=1488158&diff_format=h
Reference: http://www.apache.org/dist/httpd/CHANGES_2.4.6

mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
CVE-2013-2249 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2249): mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.
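As an added illustration (not code from httpd, mod_session_dbd or this bug report), the following C model contrasts the two save behaviours the CVE text describes: a save path that writes the session on every request regardless of whether it changed, and a save path that consults the dirty flag and issues a new session ID whenever the session is new or has been modified. The `model_session` struct, the `backend_write` stand-in for the DBD statement, the counter-based `new_session_id` and all counters are constructed assumptions for the demonstration; the real module uses a CSPRNG-backed UUID and a database.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a server-side session record (assumption: not
 * mod_session_dbd's own session_rec), holding only the fields the CVE
 * text refers to plus two constructed counters for observation. */
typedef struct {
    char uuid[37];     /* session identifier handed to the client in a cookie */
    char encoded[128]; /* serialized session payload */
    int dirty;         /* set when the payload changed during this request */
    int saves;         /* constructed counter: backend writes performed */
    int rotations;     /* constructed counter: new session IDs issued */
} model_session;

/* Constructed stand-in for generating a fresh session ID. A real server
 * must use a cryptographically secure random identifier here. */
static unsigned long id_counter = 1;
static void new_session_id(model_session *s) {
    snprintf(s->uuid, sizeof s->uuid, "sess-%08lx", id_counter++);
    s->rotations++;
}

/* Constructed stand-in for the backend write (the DBD prepared statement). */
static void backend_write(model_session *s) {
    s->saves++;
}

/* Behaviour the CVE text describes: the save runs unconditionally. The ID
 * is only created for a brand-new session and is never changed afterwards,
 * even when the session contents change. Always returns 1 (a write happened). */
int save_without_checks(model_session *s) {
    if (s->uuid[0] == '\0') {
        new_session_id(s);
    }
    backend_write(s);
    return 1;
}

/* Hardened save, modelled on the CHANGES_2.4.6 description (assumed, not the
 * project's code): an unchanged session is left alone, and a new or modified
 * session is stored under a freshly issued ID. Returns 1 if a write happened,
 * 0 if the session was untouched and nothing was written. */
int save_with_checks(model_session *s) {
    int needs_id = (s->uuid[0] == '\0');
    if (!s->dirty && !needs_id) {
        return 0; /* clean session with a valid ID: no write, ID unchanged */
    }
    new_session_id(s); /* new or changed session gets a fresh identifier */
    backend_write(s);
    s->dirty = 0;      /* the stored copy now matches the in-memory one */
    return 1;
}

int main(void) {
    model_session s;
    memset(&s, 0, sizeof s);

    /* Request 1: new session, request 2: nothing changed, request 3: modified. */
    save_with_checks(&s);
    printf("after new session:   saves=%d rotations=%d id=%s\n", s.saves, s.rotations, s.uuid);
    save_with_checks(&s);
    printf("after clean request: saves=%d rotations=%d id=%s\n", s.saves, s.rotations, s.uuid);
    s.dirty = 1;
    strcpy(s.encoded, "cart=3");
    save_with_checks(&s);
    printf("after modification:  saves=%d rotations=%d id=%s\n", s.saves, s.rotations, s.uuid);
    return 0;
}
```

Running the model shows the difference the fix makes: with the checks, a request that does not touch the session causes no backend write and keeps its ID, while a modifying request both writes and rotates the ID; without the checks, every request writes and the ID issued at creation is kept for the life of the session.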
2.4.6 is in tree

According to CVE, 2.2.* is affected :-(

@maintainers: what should we do? 2.4.* is a major update IIRC
Well apache-2.4 still isn't ready for stabilization yet (see "Depends on" bug). Latest 2.2 apache version is 2.2.26 although I don't know if that version has the fix for this bug.
mod_session_dbd is new in 2.4, so this doesn't affect 2.2.
This only affects the 2.4.6 branch of apache and was fixed in Version 2.4.6. Currently there is no stable version; 2.4.10-r1 is in tree. No GLSA needed as there are no stable versions.