Hi,

Last Tuesday I upgraded squirrelmail on two centos-3 mailservers.

squirrelmail-1.4.8-8.el3.centos.1, 2.4.21-58.ELsmp, CentOS release 3.9,
httpd 2.0.46

Since then I have some users who have problems with their sessions.
They are logged out every now and then, and some sent mails have another
user's address in the From header. It looks like squirrel is mixing up
sessions? Those users have used fresh browser sessions.

Anyone else seeing this?

regards,
--
Henk van Lingen, Systems Administrator & DBA   (o-  -+
Dept. of Computer Science, Utrecht University.  /\   |
phone: +31-30-2534107                           v_/_
http://henk.vanlingen.net/  http://www.tuxtown.net/netiquette/
On Thu, Jan 15, 2009 at 03:25:50PM +0100, Henk van Lingen wrote:
> Hi,
>
> Last Tuesday I upgraded squirrelmail on two centos-3 mailservers.
>
> squirrelmail-1.4.8-8.el3.centos.1, 2.4.21-58.ELsmp, CentOS release 3.9,
> httpd 2.0.46
>
> Since then I have some users who have problems with their sessions.
> They are logged out every now and then, and some sent mails have another
> user's address in the From header. It looks like squirrel is mixing up
> sessions? Those users have used fresh browser sessions.
>
> Anyone else seeing this?

maybe a side effect of one of the 2 security patches?

* Mon Dec 1 2008 Michal Hlavinka <mhlavink at redhat.com> - 1.4.8-8
- Resolves: CVE-2008-2379
- fix XSS issue caused by an insufficient html mail sanitation

* Fri Nov 28 2008 Michal Hlavinka <mhlavink at redhat.com> - 1.4.8-7
- don't transmit cookies under non-SSL connections if the session is
  started under an SSL (https) connection
- Resolves: CVE-2008-3663

I am not using squirrelmail, but the only CentOS specific patch is
removing the splash logos.

Cheers,

Tru
--
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
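The cookie behaviour described in the CVE-2008-3663 changelog entry above, as an added example that is not from this thread nor from SquirrelMail's own code: it feeds a constructed login Set-Cookie header to Python's standard cookie jar and checks whether a session cookie issued over HTTPS would still be attached to a plain-HTTP request on the same host. The hostname, the cookie name SQMSESSID and the URL paths are assumptions for illustration.

```python
import email.message
import http.cookiejar
import urllib.request

HOST = "webmail.example.org"  # constructed hostname, not from the thread


class _Response:
    """Minimal stand-in for an HTTP response so the cookie jar runs offline."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def jar_from_login(set_cookie_headers, login_scheme="https"):
    """Pretend the login response arrived over `login_scheme`; store its cookies."""
    jar = http.cookiejar.CookieJar()
    login_req = urllib.request.Request(f"{login_scheme}://{HOST}/src/login.php")
    jar.extract_cookies(_Response(set_cookie_headers), login_req)
    return jar


def cookie_header_for(jar, scheme):
    """Cookie header a browser-like client would attach to a later request on `scheme`.

    Returns None when the jar's policy (which honours the Secure attribute)
    would send nothing at all.
    """
    req = urllib.request.Request(f"{scheme}://{HOST}/src/webmail.php")
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def leaks_session_over_http(set_cookie_headers):
    """True if a cookie issued on an HTTPS login rides along on plain HTTP too."""
    jar = jar_from_login(set_cookie_headers, "https")
    return cookie_header_for(jar, "http") is not None


if __name__ == "__main__":
    # Constructed headers: without and with the Secure attribute (cookie name assumed).
    print("no Secure flag leaks:", leaks_session_over_http(["SQMSESSID=abc123; path=/"]))
    print("Secure flag leaks:   ", leaks_session_over_http(["SQMSESSID=abc123; path=/; secure"]))
```

After the upgrade, a quick check of the real Set-Cookie header your server returns on an HTTPS login should show the Secure attribute, which is what keeps the session cookie off any non-SSL request.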
On Thu, 15 Jan 2009 15:25:50 +0100 Henk van Lingen wrote:
> Since then I have some users who have problems with their sessions.
> They are logged out every now and then, and some sent mails have another
> user's address in the From header. It looks like squirrel is mixing up
> sessions? Those users have used fresh browser sessions.

I ran into something similar to this a while back when I tried to set up
Firefox in /etc/skel before setting up the users on a Fedora 5/LTSP
system. Users who were simultaneously using Squirrelmail on the
mailserver were getting into each other's mailboxes. Jane was suddenly
reading John's mail, and so on.

I don't know if it's a Squirrelmail issue or a Firefox issue. My theory
is that the apparently random string that you get in ~/.mozilla/firefox
named *.default has something to do with it, but I don't really know.

My solution was simply to not set up Firefox in /etc/skel and just
create a new setup for each user after I created them. It took a bit
longer than it would have otherwise but it worked and the Squirrelmail
mailboxes didn't get confused.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
DRY CLEANER BUSINESS FOR SALE ~ http://www.canadadrycleanerforsale.com