CVE-2008-3663

Name: CVE-2008-3663
Description: Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 499942

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| squirrelmail (PTS) | jessie, jessie (lts) | 2:1.4.23~svn20120406-2+deb8u5 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| squirrelmail | source | (unstable) | 2:1.4.15-3 | low | | 499942 |

Notes

[etch] - squirrelmail <no-dsa> (less important and fix changes behaviour)
only relevant for installations that are also offered over http
which isn't normally a good idea anyway. Fixing in stable will
change behaviour so not really suited for DSA.
