[CentOS] Squirrel 1.4.8-8.el3.centos.1

Thu Jan 15 14:48:01 UTC 2009
Tru Huynh <tru at centos.org>

On Thu, Jan 15, 2009 at 03:25:50PM +0100, Henk van Lingen wrote:
> Hi,
> Last Tuesday I upgraded squirrelmail on two centos-3 mailservers.
> squirrelmail-1.4.8-8.el3.centos.1, 2.4.21-58.ELsmp, CentOS release 3.9,
> httpd 2.0.46
> Since then I have some users who have problems with their sessions.
> They are logged out every now and then, and some sent mails have another
> user address in the From header. It looks like squirrel is mixing up
> sessions? Those users have used fresh browser sessions.
> Anyone else seeing this?

Maybe a side effect of one of the 2 security patches?
* Mon Dec 1 2008 Michal Hlavinka <mhlavink at redhat.com> - 1.4.8-8
- Resolves: CVE-2008-2379
- fix XSS issue caused by an insufficient html mail sanitation

* Fri Nov 28 2008 Michal Hlavinka <mhlavink at redhat.com> - 1.4.8-7
- don't transmit cookies under non-SSL connections if the session
  is started under an SSL (https) connection
- Resolves: CVE-2008-3663

I am not using squirrelmail, but the only CentOS specific patch
is removing the splash logos.


Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)