On Thu, Jan 15, 2009 at 03:25:50PM +0100, Henk van Lingen wrote:
> Hi,
> Last Tuesday I upgraded squirrelmail on two CentOS-3 mailservers.
> squirrelmail-1.4.8-8.el3.centos.1, 2.4.21-58.ELsmp, CentOS release 3.9, httpd 2.0.46
> Since then I have some users who have problems with their sessions. They are logged out every now and then, and some sent mails have another user's address in the From header. It looks like squirrel is mixing up sessions? Those users have used fresh browser sessions.
> Anyone else seeing this?
> Maybe a side effect of one of the 2 security patches?
>
> * Mon Dec 1 2008 Michal Hlavinka <mhlavink@redhat.com> - 1.4.8-8
> - Resolves: CVE-2008-2379 - fix XSS issue caused by an insufficient html mail sanitation
>
> * Fri Nov 28 2008 Michal Hlavinka <mhlavink@redhat.com> - 1.4.8-7
> - don't transmit cookies under non-SSL connections if the session is started under an SSL (https) connection
> - Resolves: CVE-2008-3663
I am not using squirrelmail, but the only CentOS-specific patch is removing the splash logos.
Cheers,
Tru