CVE-2013-2249

Name	CVE-2013-2249
Description	mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
apache2 (PTS)	buster	2.4.38-3+deb10u8	fixed
	buster (security)	2.4.38-3+deb10u10	fixed
	bullseye	2.4.56-1~deb11u2	fixed
	bullseye (security)	2.4.56-1~deb11u1	fixed
	bookworm, sid	2.4.57-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
apache2	source	squeeze	(not affected)
apache2	source	wheezy	(not affected)
apache2	source	(unstable)	2.4.6-1

Notes

[wheezy] - apache2 <not-affected> (mod_session_dbd available apache 2.3 and later only)
[squeeze] - apache2 <not-affected> (mod_session_dbd available apache 2.3 and later only)