thijs at alioth.debian.org
2008-Sep-28 14:40 UTC
[Secure-testing-commits] r9893 - data/CVE
Author: thijs Date: 2008-09-28 14:40:12 +0000 (Sun, 28 Sep 2008) New Revision: 9893 Modified: data/CVE/list Log: squirrelmail fixed & no-dsa Modified: data/CVE/list ==================================================================--- data/CVE/list 2008-09-28 08:49:20 UTC (rev 9892) +++ data/CVE/list 2008-09-28 14:40:12 UTC (rev 9893) @@ -1275,7 +1275,11 @@ NOT-FOR-US: XRMS CVE-2008-3663 [Squirrelmail: Session hijacking vulnerability] RESERVED - - squirrelmail <unfixed> (bug #499942) + - squirrelmail 2:1.4.15-3 (low; bug #499942) + [etch] - squirrelmail <no-dsa> (less important and fix changes behaviour) + NOTE: only relevant for installations that are also offered over http + NOTE: which isn''t normally a good idea anyway. Fixing in stable will + NOTE: change behaviour so not really suited for DSA. CVE-2008-3662 (Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure ...) - gallery 1.5.9-1 - gallery2 2.2.6-1
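Review bot: the qualifier in the second added NOTE line ("only relevant for installations that are also offered over http") understates the exposure. A browser will attach the session cookie to any plain http:// request for the same host whether or not the server actually listens on port 80 or serves anything there, so an https-only installation is affected too, as the follow-up in this thread points out. Suggest dropping that qualifier and letting the `<no-dsa>` rationale rest on the behaviour-change argument alone, which the hunk already states ("fix changes behaviour").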
On Sunday 28 September 2008, thijs at alioth.debian.org wrote:

> + [etch] - squirrelmail <no-dsa> (less important and fix changes behaviour)
> + NOTE: only relevant for installations that are also offered over http
> + NOTE: which isn't normally a good idea anyway. Fixing in stable will
> + NOTE: change behaviour so not really suited for DSA.

I don't think that is accurate. The browser will happily send the session cookie unencrypted even if the target webserver gives e.g. a 302 or 404 on the corresponding http URL. If a proxy is used, the squirrelmail server doesn't even need to have port 80 open. All an attacker has to do is lure the victim to a page that has an http link to the squirrelmail server as an inline image and snoop the http request from the victim's browser.
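The point made in the reply above (a session cookie set without the Secure attribute is sent by the browser over plain http:// to the same host no matter what the server answers there) can be checked from the server's own Set-Cookie headers. This is an added audit example, not code from the Debian tracker or from SquirrelMail; the cookie name SQMSESSID and the header values are constructed samples, and the list of session cookie names is an assumption.

```python
"""Audit Set-Cookie headers for session cookies a browser would also send
over unencrypted http:// to the same host. Added example; sample headers
and cookie names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value or True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for av in parts[1:]:
        if not av:
            continue
        key, sep, val = av.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value, attrs)


def sent_over_plain_http(cookie: Cookie) -> bool:
    """True if a browser would attach this cookie to an http:// request for
    the same host. Per RFC 6265 only the Secure attribute prevents that;
    HttpOnly, Path, or the server not listening on port 80 do not."""
    return not cookie.attrs.get("secure", False)


# Assumed names of session cookies worth flagging (constructed list).
SESSION_NAMES = ("sqmsessid", "phpsessid", "sessionid")


def audit(headers):
    """Return the names of session cookies that would leak over plaintext http."""
    return [c.name for c in map(parse_set_cookie, headers)
            if c.name.lower() in SESSION_NAMES and sent_over_plain_http(c)]


# Constructed samples: UNFIXED mirrors the behaviour under discussion; FIXED
# carries the Secure attribute, which is also why the fix changes behaviour
# for anyone still reaching the site over http.
UNFIXED = "SQMSESSID=deadbeef; path=/; HttpOnly"
FIXED = "SQMSESSID=deadbeef; path=/; HttpOnly; Secure"

if __name__ == "__main__":
    print(audit([UNFIXED, FIXED, "theme=dark; path=/"]))  # -> ['SQMSESSID']
```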
On Sun, September 28, 2008 23:52, Stefan Fritsch wrote:

> I don't think that is accurate. The browser will happily send the session
> cookie unencrypted even if the target webserver gives e.g. a 302 or 404 on
> the corresponding http URL. If a proxy is used, the squirrelmail server
> doesn't even need to have port 80 open. All an attacker has to do is lure
> the victim to a page that has an http link to the squirrelmail server as
> an inline image and snoop the http request from the victim's browser.

Hmm, I didn't realise that that would also work. Still, because of the behaviour change I'm not eager to push it in a DSA.

Thijs