diff -Nru cups-1.7.2/debian/changelog cups-1.7.2/debian/changelog
--- cups-1.7.2/debian/changelog 2018-06-22 17:53:17.000000000 +0000
+++ cups-1.7.2/debian/changelog 2018-11-16 19:07:12.000000000 +0000
@@ -1,3 +1,11 @@
+cups (1.7.2-0ubuntu1.11) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: predictable session cookies
+ - debian/patches/CVE-2018-4700.patch: use better seed in cgi-bin/var.c.
+ - CVE-2018-4700
+
+ -- Marc Deslauriers Fri, 16 Nov 2018 14:07:12 -0500
+
 cups (1.7.2-0ubuntu1.10) trusty-security; urgency=medium
+ * SECURITY UPDATE: scheduler crash via DBUS notifications
diff -Nru cups-1.7.2/debian/patches/CVE-2018-4700.patch cups-1.7.2/debian/patches/CVE-2018-4700.patch
--- cups-1.7.2/debian/patches/CVE-2018-4700.patch 1970-01-01 00:00:00.000000000 +0000
+++ cups-1.7.2/debian/patches/CVE-2018-4700.patch 2018-11-16 19:07:10.000000000 +0000
@@ -0,0 +1,25 @@
+Description: Fix predictable session cookies
+Origin: provided by upstream
+
+Index: cups-1.7.2/cgi-bin/var.c
+===================================================================
+--- cups-1.7.2.orig/cgi-bin/var.c 2018-11-16 14:07:07.181603280 -0500
++++ cups-1.7.2/cgi-bin/var.c 2018-11-16 14:07:07.173603254 -0500
+@@ -1221,6 +1221,7 @@ cgi_set_sid(void)
+ const char *remote_addr, /* REMOTE_ADDR */
+ *server_name, /* SERVER_NAME */
+ *server_port; /* SERVER_PORT */
++ struct timeval curtime; /* Current time */
+
+
+ if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
+@@ -1230,7 +1231,8 @@ cgi_set_sid(void)
+ if ((server_port = getenv("SERVER_PORT")) == NULL)
+ server_port = "SERVER_PORT";
+
+- CUPS_SRAND(time(NULL));
++ gettimeofday(&curtime, NULL);
++ CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
+ snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
+ remote_addr, server_name, server_port,
+ (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
diff -Nru cups-1.7.2/debian/patches/series cups-1.7.2/debian/patches/series
--- cups-1.7.2/debian/patches/series 2018-06-22 17:46:18.000000000 +0000
+++ cups-1.7.2/debian/patches/series 2018-11-16 19:07:05.000000000 +0000
@@ -63,3 +63,4 @@
 CVE-2017-18190.patch
 CVE-2017-18248.patch
 CVE-2018-418x.patch
+CVE-2018-4700.patch
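Review bot: The new seed in the second var.c hunk, `CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);`, is still just the wall clock, so the eight cookie bytes produced by the `CUPS_RAND() & 255` calls that follow remain predictable: an attacker who knows roughly when the CGI handled the request has only about a million candidate seeds per second of uncertainty to try, and the `tv_sec + tv_usec` sum even lets distinct timestamps collide on one seed. A session identifier should not be derived from a seeded PRNG at all (CUPS_SRAND/CUPS_RAND are defined elsewhere and presumably wrap a libc generator); the cookie bytes should be read from the kernel CSPRNG (`/dev/urandom`, or `arc4random_buf()` where available) with the time-based seed kept only as a last-resort fallback, as sketched below — it needs `<fcntl.h>` and `<unistd.h>`, which belong in var.c's include block, not shown here. Two smaller points: the return value of `gettimeofday()` is ignored, and the patch adds no `#include <sys/time.h>` for `struct timeval`, so it presumably relies on an existing include in var.c or cgi-private.h, which is worth confirming. `cgi_set_sid()` begins before the first hunk and its `snprintf()` argument list continues past the last line shown.
```c
  /* … unchanged: remote_addr / server_name / server_port declarations … */
  struct timeval	curtime;		/* Fallback seed only */
  unsigned char	sid[8];			/* Cookie bytes */
  int		fd,			/* /dev/urandom descriptor */
		i;			/* Looping var */
  ssize_t	got = -1;		/* Bytes read from /dev/urandom */

  /* … unchanged: getenv() lookups for REMOTE_ADDR, SERVER_NAME, SERVER_PORT … */

  if ((fd = open("/dev/urandom", O_RDONLY)) >= 0)
  {
    got = read(fd, sid, sizeof(sid));
    close(fd);
  }

  if (got != (ssize_t)sizeof(sid))
  {
   /*
    * Last resort only: a clock-derived seed is guessable, so this branch
    * must never be the normal path.
    */

    gettimeofday(&curtime, NULL);
    CUPS_SRAND((unsigned)curtime.tv_sec ^ ((unsigned)curtime.tv_usec << 8) ^
               (unsigned)getpid());
    for (i = 0; i < (int)sizeof(sid); i ++)
      sid[i] = (unsigned char)(CUPS_RAND() & 255);
  }

  snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
           remote_addr, server_name, server_port,
           sid[0], sid[1], sid[2], sid[3], sid[4], sid[5], sid[6], sid[7]);
```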