[Bug 328938] [NEW] CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL
Andreas Wenning
awen at awen.dk
Fri Feb 13 06:53:00 UTC 2009
Public bug reported:
Binary package hint: squirrelmail
=== Official description ===
An issue was fixed that allowed the cookies of a session started
over SSL (https) to be transmitted over HTTP aswell. This affects
installations that offer SquirrelMail both over HTTP and HTTPS.
This is known as setting the "secure" flag of the cookie.
An override option has been added that can be used when you have
a need to continue a session over HTTP that has been started over
HTTPS, although we do not recommend that.
=== Further info ===
http://www.squirrelmail.org/security/issue/2008-09-28
=== Affects ===
jaunty: already fixed (from debian)
intrepid: already fixed (from debian)
hardy: affected
gutsy: affected
dapper: affected
dapper/backports: affected; new backport from gutsy should be made after this has been fixed
=== More info ===
The debdiffs for gutsy and dapper contains the patch for CVE-2008-2379 (see bug 306536) as well.
** Affects: squirrelmail (Ubuntu)
Importance: Undecided
Status: New
--
CVE-2008-3663 Cookies for SSL connection could be sent over non-SSL
https://bugs.launchpad.net/bugs/328938
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
More information about the universe-bugs
mailing list