Bug 239054 (CVE-2008-3663)

Comment 1 Robert Buchholz (RETIRED) 2008-09-29 15:08:53 UTC

ANNOUNCE: SquirrelMail 1.4.16 Released
Sep 28, 2008 by Thijs Kinkhorst
 	
The SquirrelMail team is happy to announce the release 1.4.16. The most notable change is that cookies are now sent with the secure attribute set for HTTPS-connections, meaning that they cannot leak to an HTTP-connection on the same SquirrelMail installation. For details see the included ReleaseNotes. We advise users that offer their SquirrelMail both over HTTP and HTTPS to upgrade.

Comment 2 Tobias Scherbaum (RETIRED) 2008-10-01 19:00:22 UTC

1.4.16 in CVS.

Comment 3 Tobias Scherbaum (RETIRED) 2008-10-27 19:28:28 UTC

(In reply to comment #2)
> 1.4.16 in CVS.
> 

*ping*

Comment 4 Robert Buchholz (RETIRED) 2008-10-27 20:19:06 UTC

Arches, please test and mark stable:
=mail-client/squirrelmail-1.4.16
Target keywords : "alpha amd64 ppc ppc64 sparc x86"

Comment 5 Brent Baude (RETIRED) 2008-10-28 00:19:49 UTC

ppc64 done

Comment 6 Richard Freeman 2008-10-29 02:00:35 UTC

amd64 stable

Comment 7 Markus Meier 2008-10-29 22:15:10 UTC

x86 stable

Comment 8 Raúl Porcel (RETIRED) 2008-10-30 10:30:34 UTC

alpha/sparc stable

Comment 9 Tobias Scherbaum (RETIRED) 2008-10-30 19:16:21 UTC

ppc stable

Comment 10 Tobias Heinlein (RETIRED) 2008-10-31 21:34:08 UTC

Ready for vote, I vote YES.

Comment 11 Robert Buchholz (RETIRED) 2008-11-26 18:49:15 UTC

I vote NO on this bug. It's not worse than any of your XSS issues, allowing for compromise of credentials when visiting a malicious link -- and more so, only if someone can tap your link.

Comment 12 Pierre-Yves Rofes (RETIRED) 2008-11-26 22:19:28 UTC

no too and closing.