Name | CVE-2008-3663 |
Description | Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 499942 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
squirrelmail (PTS) | jessie, jessie (lts) | 2:1.4.23~svn20120406-2+deb8u5 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
squirrelmail | source | (unstable) | 2:1.4.15-3 | low | | 499942 |
[etch] - squirrelmail <no-dsa> (less important and fix changes behaviour)
Only relevant for installations that are also offered over http, which isn't normally a good idea anyway. Fixing in stable will change behaviour so not really suited for DSA.