239054 CVE-2008-3663 2008-09-29 14:51 0000 mail-client/squirrelmail <1.4.16 Insecure cookie session hijacking (CVE-2008-3663) 2008-11-26 22:19:28 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.squirrelmail.org/ B4 [noglsa] P2 minor --- 1 rbu@gentoo.org security@gentoo.org eradicator@gentoo.org net-mail@gentoo.org tv@rz-zw.fh-kl.de rbu@gentoo.org 2008-09-29 14:51:32 0000 CVE-2008-3663 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3663): Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. rbu@gentoo.org 2008-09-29 15:08:53 0000 ANNOUNCE: SquirrelMail 1.4.16 Released Sep 28, 2008 by Thijs Kinkhorst The SquirrelMail team is happy to announce the release 1.4.16. The most notable change is that cookies are now sent with the secure attribute set for HTTPS-connections, meaning that they cannot leak to an HTTP-connection on the same SquirrelMail installation. For details see the included ReleaseNotes. We advise users that offer their SquirrelMail both over HTTP and HTTPS to upgrade. dertobi123@gentoo.org 2008-10-01 19:00:22 0000 1.4.16 in CVS. dertobi123@gentoo.org 2008-10-27 19:28:28 0000 (In reply to comment #2) > 1.4.16 in CVS. > *ping* rbu@gentoo.org 2008-10-27 20:19:06 0000 Arches, please test and mark stable: =mail-client/squirrelmail-1.4.16 Target keywords : "alpha amd64 ppc ppc64 sparc x86" ranger@gentoo.org 2008-10-28 00:19:49 0000 ppc64 done rich0@gentoo.org 2008-10-29 02:00:35 0000 amd64 stable maekke@gentoo.org 2008-10-29 22:15:10 0000 x86 stable armin76@gentoo.org 2008-10-30 10:30:34 0000 alpha/sparc stable dertobi123@gentoo.org 2008-10-30 19:16:21 0000 ppc stable keytoaster@gentoo.org 2008-10-31 21:34:08 0000 Ready for vote, I vote YES. rbu@gentoo.org 2008-11-26 18:49:15 0000 I vote NO on this bug. It's not worse than any of your XSS issues, allowing for compromise of credentials when visiting a malicious link -- and more so, only if someone can tap your link. py@gentoo.org 2008-11-26 22:19:28 0000 no too and closing.