diff -Nru cups-2.1.3/debian/changelog cups-2.1.3/debian/changelog
--- cups-2.1.3/debian/changelog	2018-06-22 17:45:38.000000000 +0000
+++ cups-2.1.3/debian/changelog	2018-11-16 19:06:39.000000000 +0000
@@ -1,3 +1,11 @@
+cups (2.1.3-4ubuntu0.6) xenial-security; urgency=medium
+
+  * SECURITY UPDATE: predictable session cookies
+    - debian/patches/CVE-2018-4700.patch: use better seed in cgi-bin/var.c.
+    - CVE-2018-4700
+
+ -- Marc Deslauriers  Fri, 16 Nov 2018 14:06:39 -0500
+
 cups (2.1.3-4ubuntu0.5) xenial-security; urgency=medium
 
   * SECURITY UPDATE: scheduler crash via DBUS notifications
diff -Nru cups-2.1.3/debian/patches/CVE-2018-4700.patch cups-2.1.3/debian/patches/CVE-2018-4700.patch
--- cups-2.1.3/debian/patches/CVE-2018-4700.patch	1970-01-01 00:00:00.000000000 +0000
+++ cups-2.1.3/debian/patches/CVE-2018-4700.patch	2018-11-16 19:06:37.000000000 +0000
@@ -0,0 +1,25 @@
+Description: Fix predictable session cookies
+Origin: provided by upstream
+
+Index: cups-2.1.3/cgi-bin/var.c
+===================================================================
+--- cups-2.1.3.orig/cgi-bin/var.c	2018-11-16 14:06:34.553497975 -0500
++++ cups-2.1.3/cgi-bin/var.c	2018-11-16 14:06:34.549497962 -0500
+@@ -1211,6 +1211,7 @@ cgi_set_sid(void)
+   const char *remote_addr,  /* REMOTE_ADDR */
+              *server_name,  /* SERVER_NAME */
+              *server_port;  /* SERVER_PORT */
++  struct timeval curtime;   /* Current time */
+ 
+ 
+   if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
+@@ -1220,7 +1221,8 @@ cgi_set_sid(void)
+   if ((server_port = getenv("SERVER_PORT")) == NULL)
+     server_port = "SERVER_PORT";
+ 
+-  CUPS_SRAND(time(NULL));
++  gettimeofday(&curtime, NULL);
++  CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
+   snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
+            remote_addr, server_name, server_port,
+            (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
diff -Nru cups-2.1.3/debian/patches/series cups-2.1.3/debian/patches/series
--- cups-2.1.3/debian/patches/series	2018-06-22 17:43:24.000000000 +0000
+++ cups-2.1.3/debian/patches/series	2018-11-16 19:06:33.000000000 +0000
@@ -59,3 +59,4 @@
 CVE-2017-18190.patch
 CVE-2017-18248.patch
 CVE-2018-418x.patch
+CVE-2018-4700.patch
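Review bot: The replacement seed on the new `CUPS_SRAND(curtime.tv_sec + curtime.tv_usec)` line is still a wall-clock value: it adds at most about 20 bits over `time(NULL)`, the eight cookie bytes are a pure function of that seed through `CUPS_RAND()`, and `remote_addr`, `server_name` and `server_port` are already known to the client, so an attacker who can read the response's one-second Date header needs on the order of 10^6 offline trials to reproduce the cookie (the plain sum is also not a mixing step — distinct sec/usec pairs collide). Since the patch's stated purpose is unpredictable session cookies, the eight bytes should come from the kernel CSPRNG (`/dev/urandom`, or `arc4random_buf` where available), keeping the time seed only as a last-resort fallback, as sketched below. `gettimeofday` and `struct timeval` need `<sys/time.h>`, and the sketch needs `<fcntl.h>`/`<unistd.h>`; whether var.c already gets these through its existing includes is not visible here, nor is what `CUPS_SRAND`/`CUPS_RAND` expand to, so both are worth confirming. `cgi_set_sid` starts and ends outside the hunk, so the remaining `snprintf` arguments and the declaration block it would need are not visible.
```c
  unsigned char sid[8];   /* Cookie entropy; from the kernel CSPRNG when available */
  int           fd;

  /* … unchanged: getenv() lookups for REMOTE_ADDR / SERVER_NAME / SERVER_PORT … */

  if ((fd = open("/dev/urandom", O_RDONLY)) < 0 ||
      read(fd, sid, sizeof(sid)) != (ssize_t)sizeof(sid))
  {
    int i;

    /* Fallback only: a time-derived seed is guessable from the response timestamp */
    gettimeofday(&curtime, NULL);
    CUPS_SRAND((unsigned)curtime.tv_sec ^ ((unsigned)curtime.tv_usec << 11) ^ (unsigned)getpid());
    for (i = 0; i < 8; i ++)
      sid[i] = (unsigned char)(CUPS_RAND() & 255);
  }
  if (fd >= 0)
    close(fd);

  snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
           remote_addr, server_name, server_port,
           (unsigned)sid[0], (unsigned)sid[1], (unsigned)sid[2], (unsigned)sid[3],
           (unsigned)sid[4], (unsigned)sid[5], (unsigned)sid[6], (unsigned)sid[7]);
```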