Hi,
Last Tuesday I upgraded squirrelmail on two centos-3 mailservers.
squirrelmail-1.4.8-8.el3.centos.1, 2.4.21-58.ELsmp, CentOS release 3.9, httpd 2.0.46
Since then I have some users who have problems with their sessions. They are logged out every now and then, and some sent mails have another user's address in the From header. It looks like squirrel is mixing up sessions? Those users have used fresh browser sessions.
Anyone else seeing this?
regards,
On Thu, Jan 15, 2009 at 03:25:50PM +0100, Henk van Lingen wrote:
> Hi,
> Last Tuesday I upgraded squirrelmail on two centos-3 mailservers.
> squirrelmail-1.4.8-8.el3.centos.1, 2.4.21-58.ELsmp, CentOS release 3.9, httpd 2.0.46
> Since then I have some users who have problems with their sessions. They are logged out every now and then, and some sent mails have another user's address in the From header. It looks like squirrel is mixing up sessions? Those users have used fresh browser sessions.
> Anyone else seeing this?
Maybe a side effect of one of the 2 security patches?
* Mon Dec 1 2008 Michal Hlavinka mhlavink@redhat.com - 1.4.8-8
- Resolves: CVE-2008-2379
- fix XSS issue caused by an insufficient html mail sanitation
* Fri Nov 28 2008 Michal Hlavinka mhlavink@redhat.com - 1.4.8-7
- don't transmit cookies under non-SSL connections if the session is started under an SSL (https) connection
- Resolves: CVE-2008-3663
I am not using squirrelmail, but the only CentOS specific patch is removing the splash logos.
Cheers,
Tru
On Thu, 15 Jan 2009 15:25:50 +0100 Henk van Lingen wrote:
> Since then I have some users who have problems with their sessions. They are logged out every now and then, and some sent mails have another user's address in the From header. It looks like squirrel is mixing up sessions? Those users have used fresh browser sessions.
I ran into something similar to this a while back when I tried to set up Firefox in /etc/skel before setting up the users on a Fedora 5/LTSP system.
Users who were simultaneously using Squirrelmail on the mailserver were getting into each other's mailboxes. Jane was suddenly reading John's mail, and so on.
I don't know if it's a Squirrelmail issue or a Firefox issue. My theory is that the apparently random string that you get in ~/.mozilla/firefox named *.default has something to do with it, but I don't really know.
My solution was simply to not set up Firefox in /etc/skel and just create a new setup for each user after I created them. It took a bit longer than it would have otherwise but it worked and the Squirrelmail mailboxes didn't get confused.
On Thu, Jan 15, 2009 at 11:52:46AM -0600, Frank Cox wrote:
> > Since then I have some users who have problems with their sessions. They are logged out every now and then, and some sent mails have another user's address in the From header. It looks like squirrel is mixing up sessions? Those users have used fresh browser sessions.
> I don't know if it's a Squirrelmail issue or a Firefox issue. My theory is that the apparently random string that you get in ~/.mozilla/firefox named *.default has something to do with it, but I don't really know.
However, nothing changed in my Firefox setup. And reinstalling the previous squirrel version (1.4.8-6.el3.centos.1) resolved the problem.
Cheers,