Bug 238571 (CVE-2008-3661) - <www-apps/drupal-{5.22, 6.16} Insecure cookie session hijacking (CVE-2008-3661)
Status: RESOLVED FIXED
Alias: CVE-2008-3661
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://int21.de/cve/CVE-2008-3661-dru...
Whiteboard: ~4 [noglsa]
Reported: 2008-09-24 15:20 UTC by Robert Buchholz (RETIRED)
Modified: 2010-03-05 13:05 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-24 15:20:54 UTC
CVE-2008-3661 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3661):
  Drupal, probably 5.10 and 6.4, does not set the secure flag for the
  session cookie in an https session, which can cause the cookie to be
  sent in http requests and make it easier for remote attackers to
  capture this cookie.
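
A check for the condition described above, as an added example that is not part of the bug report or of Drupal: it inspects Set-Cookie headers from an HTTPS response and reports session cookies that lack the Secure attribute. The header values are constructed, and recognising session cookies by the `SESS` prefix or `PHPSESSID` is an assumption about the deployment.

```python
"""Added example: flag session cookies issued over HTTPS without Secure."""

# Assumption: session cookies are recognised by name prefix. "SESS" followed
# by a hash is Drupal's default naming; PHPSESSID is PHP's default.
SESSION_PREFIXES = ("SESS", "PHPSESSID")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attributes)."""
    first, *rest = header_value.split(";")
    name = first.strip().partition("=")[0]
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val  # flag attributes map to ""
    return name, attrs


def insecure_session_cookies(scheme, set_cookie_headers):
    """Names of session cookies set on an https response without Secure.

    Such a cookie is also attached by the browser to plain http requests
    for the same host, where it can be read off the wire.
    """
    if scheme.lower() != "https":
        return []
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.startswith(SESSION_PREFIXES) and "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed sample headers (not captured from a real site).
SID = "SESS0123456789abcdef0123456789abcdef"
WITHOUT_FLAG = [
    SID + "=k3v9q; expires=Fri, 17 Oct 2008 18:53:34 GMT; path=/",
    "lang=en; path=/",
]
WITH_FLAG = [SID + "=k3v9q; path=/; secure; HttpOnly"]

if __name__ == "__main__":
    print("cookie_secure off:", insecure_session_cookies("https", WITHOUT_FLAG))
    print("cookie_secure on: ", insecure_session_cookies("https", WITH_FLAG))
```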
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2008-10-04 17:30:00 UTC
It looks like upstream is not inclined to fix this problem:
http://drupal.org/node/315703

Quote:
"we consider that this is a configuration problem. It's your responsibility to set session.cookie_secure in the SSL virtual host if you want an SSL-only website."
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-05 13:05:54 UTC
Added a notice + ewarn which is similar to what Fedora did to resolve this issue. Closing noglsa.

Index: postinstall-en.txt
===================================================================
RCS file: /var/cvsroot/gentoo-x86/www-apps/drupal/files/postinstall-en.txt,v
retrieving revision 1.3
diff -u -B -r1.3 postinstall-en.txt
--- postinstall-en.txt	6 Dec 2007 14:40:54 -0000	1.3
+++ postinstall-en.txt	5 Mar 2010 13:01:29 -0000
@@ -13,4 +13,13 @@
 
 and provide the credential required for the database access.
 
+SECURITY NOTICE: If you use SSL on your Drupal installation, you
+should enable the PHP configuration option `session.cookie-secure'
+to make it harder for attackers to sniff session cookies.
+
+References:
+CVE-2008-3661
+http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-secure
+http://drupal.org/node/315703
+
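
Review bot: The option name in the added SECURITY NOTICE is written `session.cookie-secure`, but the directive quoted from upstream in Comment 1 is `session.cookie_secure`, with an underscore; the hyphen belongs only to the anchor in the php.net URL. A user who copies the hyphenated name into the PHP configuration will not get the setting, so the notice should read `session.cookie_secure`. It would also help to say that the option is meant for the SSL virtual host, as the upstream reply puts it, since the notice currently does not say where to set it.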