CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
squirrelmail (Ubuntu) | Fix Released | Undecided | Unassigned |
Dapper | Fix Released | Undecided | Unassigned |
Gutsy | Fix Released | Undecided | Unassigned |
Hardy | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: squirrelmail
=== Official description ===
An issue was fixed that allowed the cookies of a session started
over SSL (https) to be transmitted over HTTP as well. This affects
installations that offer SquirrelMail both over HTTP and HTTPS.
This is known as setting the "secure" flag of the cookie.
An override option has been added that can be used when you have
a need to continue a session over HTTP that has been started over
HTTPS, although we do not recommend that.
=== Further info ===
http://
=== Affects ===
jaunty: already fixed (from debian)
intrepid: already fixed (from debian)
hardy: affected
gutsy: affected
dapper: affected
dapper/backports: affected; new backport from gutsy should be made after this has been fixed
=== More info ===
The debdiffs for gutsy and dapper contain the patch for CVE-2008-2379 (see bug 306536) as well.
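What the fix changes, shown as an added example (this is not SquirrelMail's code and the Ubuntu patch is not reproduced here): a minimal server-side Set-Cookie builder with the pre-fix and fixed behaviour, and the client-side rule from RFC 6265 that decides whether a browser attaches a cookie to a request. The cookie name, value, host and the `allow_http_fallback` keyword are assumptions for illustration; the page names the override option only in prose, not its actual configuration key.

```python
"""Added example: why the cookie 'Secure' flag matters for CVE-2008-3663.

Hypothetical code, not SquirrelMail's.  Models two things:
  * server side: building the session Set-Cookie header before and after the fix
  * client side: the browser rule that a Secure cookie is only sent over https
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False


def build_set_cookie(name, value, *, over_https, allow_http_fallback=False, httponly=True):
    """Fixed behaviour: set Secure when the session was started over HTTPS.

    `allow_http_fallback` stands in for the (not recommended) override the
    advisory mentions; the real option name is not given on this page.
    """
    attrs = [f"{name}={value}", "Path=/"]
    if over_https and not allow_http_fallback:
        attrs.append("Secure")          # browser must not replay this over plain http
    if httponly:
        attrs.append("HttpOnly")        # keep the cookie out of document.cookie
    return "; ".join(attrs)


def parse_set_cookie(header):
    """Parse 'NAME=VALUE; attr; attr=...' into a Cookie (attributes case-insensitive)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {p.lower() for p in parts[1:]}
    return Cookie(name, value, secure="secure" in flags, httponly="httponly" in flags)


def cookie_header_for(jar, url):
    """Client side (RFC 6265 section 5.4): attach a Secure cookie only over https."""
    scheme = urlsplit(url).scheme.lower()
    sent = [c for c in jar if not c.secure or scheme == "https"]
    return "; ".join(f"{c.name}={c.value}" for c in sent)


def leaked_over_http(set_cookie_header, http_url):
    """True if a cookie set by `set_cookie_header` would ride along on `http_url`."""
    c = parse_set_cookie(set_cookie_header)
    return c.name in cookie_header_for([c], http_url)


def demo():
    # Constructed inputs: an assumed session cookie name/value and host.
    http_url = "http://mail.example.org/src/webmail.php"
    https_url = "https://mail.example.org/src/webmail.php"
    before = "SQMSESSID=deadbeef; Path=/"   # constructed: no Secure flag, the pre-fix shape
    after = build_set_cookie("SQMSESSID", "deadbeef", over_https=True)
    override = build_set_cookie("SQMSESSID", "deadbeef", over_https=True, allow_http_fallback=True)
    fixed = parse_set_cookie(after)
    return {
        "after_header": after,
        "before_sent_over_http": leaked_over_http(before, http_url),      # True: the bug
        "after_sent_over_http": leaked_over_http(after, http_url),        # False: fixed
        "after_sent_over_https": fixed.name in cookie_header_for([fixed], https_url),
        "override_sent_over_http": leaked_over_http(override, http_url),  # True: opt-in risk
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical check on a live installation is the same as `leaked_over_http`: request the login page over https, read the `Set-Cookie` header for the session cookie, and confirm it carries `Secure` (and ideally `HttpOnly`); if the site is also reachable over plain http, a cookie without `Secure` will be sent in clear on the first http link a user follows.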
Changed in squirrelmail:
assignee: mdeslaur → nobody
status: Incomplete → Fix Committed
Changed in squirrelmail (Ubuntu Dapper):
status: Fix Committed → Fix Released
squirrelmail (2:1.4.13-2ubuntu1.2) hardy-security; urgency=low

  * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to
    HTTPS only (cookie secure flag) and more support for the HTTPOnly
    cookie attribute. Patch taken from upstream release. (LP: #328938)
    - CVE-2008-3663
    - http://www.squirrelmail.org/security/issue/2008-09-28