Launchpad CVE tracker

CVE 2008-3663

Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Related bugs and status

CVE-2008-3663 (Candidate) is related to these bugs:

Bug #306536: CVE-2008-2379 insufficient input sanitising

		In	Importance	Status
306536	CVE-2008-2379 insufficient input sanitising	squirrelmail (Ubuntu)	Medium	Fix Released
306536	CVE-2008-2379 insufficient input sanitising	squirrelmail (Ubuntu Dapper)	Medium	Fix Released
306536	CVE-2008-2379 insufficient input sanitising	squirrelmail (Ubuntu Gutsy)	Medium	Fix Released
306536	CVE-2008-2379 insufficient input sanitising	squirrelmail (Ubuntu Hardy)	Medium	Fix Released
306536	CVE-2008-2379 insufficient input sanitising	squirrelmail (Ubuntu Jaunty)	Medium	Fix Released
306536	CVE-2008-2379 insufficient input sanitising	squirrelmail (Ubuntu Intrepid)	Medium	Fix Released

Bug #321304: default configuration of squirrelmail-secure-login doesn't work

Summary				In	Importance	Status
	321304	default configuration of squirrelmail-secure-login doesn't work		squirrelmail-secure-login (Ubuntu)	Undecided	Fix Released

Bug #328938: CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL

		In	Importance	Status
328938	CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL	squirrelmail (Ubuntu)	Undecided	Fix Released
328938	CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL	squirrelmail (Ubuntu Hardy)	Undecided	Fix Released
328938	CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL	squirrelmail (Ubuntu Gutsy)	Undecided	Fix Released
328938	CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL	squirrelmail (Ubuntu Dapper)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2008-3663

References