On Thu, Jan 15, 2009 at 03:25:50PM +0100, Henk van Lingen wrote: > > Hi, > > Last tuesday I upgraded squirrelmail on two centos-3 mailservers. > > squirrelmail-1.4.8-8.el3.centos.1, 2.4.21-58.ELsmp, CentOS release 3.9, > httpd 2.0.46 > > Since then I have some users who have problems with their sessions. > They are logout out every now and them, and some sent mails have another > user address in the From header. It looks like squirrel is mixing up > sessions? Those users have used fresh browser sesions. > > Anyone else seeing this? maybe a side effect of one the 2 security patches? * Mon Dec 1 2008 Michal Hlavinka <mhlavink at redhat.com> - 1.4.8-8 - Resolves: CVE-2008-2379 - fix XSS issue caused by an insufficient html mail sanitation * Fri Nov 28 2008 Michal Hlavinka <mhlavink at redhat.com> - 1.4.8-7 - don't transmit cookies under non-SSL connections if the session is started under an SSL (https) connection - Resolves: CVE-2008-3663 I am not using squirrelmail, but the only CentOS specific patch is removing the splash logos. Cheers, Tru -- Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance) http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <http://lists.centos.org/pipermail/centos/attachments/20090115/ace625f5/attachment-0004.sig>