CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL

squirrelmail (2:1.4.13-2ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

squirrelmail (2:1.4.10a-2ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter.
    Patch taken from upstream release. (LP: #306536)
    - CVE-2008-2379
    - http://www.squirrelmail.org/security/issue/2008-12-04
  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

squirrelmail (2:1.4.6-1ubuntu0.2) dapper-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter.
    Patch taken from upstream release. (LP: #306536)
    - CVE-2008-2379
    - http://www.squirrelmail.org/security/issue/2008-12-04
  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

Thank you for the debdiffs! I have set the bug to "In Progress" so that we will notice them when doing patch review. Have you tested each of the patches you created that they both build and operate correctly for each release?

All the above debdiffs has been both build and tested that they work on each release in question.

Thanks for the debdiffs Andreas.

I'm preparing packages for gutsy and hardy now.

For dapper, it seems the debdiff is missing. It looks like the gutsy one got uploaded twice by mistake.

Could you please re-attach it?

Also, our cve tracker says dapper may still be vulnerable to CVE-2006-3174 and CVE-2006-3665. Is this something you've looked at?

Thanks!

My mistake; here is the right file.

For CVE-2006-3174 and CVE-2006-3665 they both only occur if using register_globals. The Squirrelmail team defines this as a serious no-go, and will in general not even provide patches for it.

I'll take a look at both of them in any case though.

Thanks Andreas,

The register_globals requirement explains why I couldn't find any details on the other issues.

I'll build the dapper update with the debdiff you've provided.

This bug was fixed in the package squirrelmail - 2:1.4.10a-2ubuntu0.1

---------------
squirrelmail (2:1.4.10a-2ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: cross site scripting issue in the HTML filter.
    Patch taken from upstream release. (LP: #306536)
    - CVE-2008-2379
    - http://www.squirrelmail.org/security/issue/2008-12-04
  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

 -- Andreas Wenning <email address hidden> Fri, 13 Feb 2009 08:03:02 +0100

This bug was fixed in the package squirrelmail - 2:1.4.13-2ubuntu1.2

---------------
squirrelmail (2:1.4.13-2ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28

 -- Andreas Wenning <email address hidden> Fri, 13 Feb 2009 07:53:14 +0100