Gentoo Bug 239054 - mail-client/squirrelmail <1.4.16 Insecure cookie session hijacking (CVE-2008-3663)

First Last Prev Next No search results available Search page Enter new bug

Bug#:	239054
Alias:
Product:
Component:
Status:	NEW
Resolution:
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Robert Buchholz <rbu@gentoo.org>
Add CC:
CC:	Remove selected CCs

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 239054 depends on:			Show dependency tree Show dependency graph
Bug 239054 blocks:			Show dependency tree Show dependency graph

Additional Comments: (this is where you put emerge --info)

Add to CC list

Leave as NEW
Accept bug (change status to ASSIGNED)
Resolve bug, changing resolution to
Resolve bug, mark it as duplicate of bug #
Reassign bug to
Reassign bug to default assignee of selected component

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2008-09-29 14:51 0000

CVE-2008-3663 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3663):
  Squirrelmail 1.4.15 does not set the secure flag for the session
  cookie in an https session, which can cause the cookie to be sent in
  http requests and make it easier for remote attackers to capture this
  cookie.

------- Comment #1 From Robert Buchholz 2008-09-29 15:08:53 0000 -------

ANNOUNCE: SquirrelMail 1.4.16 Released
Sep 28, 2008 by Thijs Kinkhorst

The SquirrelMail team is happy to announce the release 1.4.16. The most notable
change is that cookies are now sent with the secure attribute set for
HTTPS-connections, meaning that they cannot leak to an HTTP-connection on the
same SquirrelMail installation. For details see the included ReleaseNotes. We
advise users that offer their SquirrelMail both over HTTP and HTTPS to upgrade.

------- Comment #2 From Tobias Scherbaum 2008-10-01 19:00:22 0000 -------

1.4.16 in CVS.

------- Comment #3 From Tobias Scherbaum 2008-10-27 19:28:28 0000 -------

(In reply to comment #2)
> 1.4.16 in CVS.
> 

*ping*

------- Comment #4 From Robert Buchholz 2008-10-27 20:19:06 0000 -------

Arches, please test and mark stable:
=mail-client/squirrelmail-1.4.16
Target keywords : "alpha amd64 ppc ppc64 sparc x86"

------- Comment #5 From Brent Baude 2008-10-28 00:19:49 0000 -------

ppc64 done

------- Comment #6 From Richard Freeman 2008-10-29 02:00:35 0000 -------

amd64 stable

------- Comment #7 From Markus Meier 2008-10-29 22:15:10 0000 -------

x86 stable

------- Comment #8 From Raúl Porcel 2008-10-30 10:30:34 0000 -------

alpha/sparc stable

------- Comment #9 From Tobias Scherbaum 2008-10-30 19:16:21 0000 -------

ppc stable

------- Comment #10 From Tobias Heinlein 2008-10-31 21:34:08 0000 -------

Ready for vote, I vote YES.

First Last Prev Next No search results available Search page Enter new bug

Bugzilla Bug 239054

mail-client/squirrelmail <1.4.16 Insecure cookie session hijacking (CVE-2008-3663)

Last modified: 2008-10-31 21:34:08 0000