On Thu, Jan 15, 2009 at 03:25:50PM +0100, Henk van Lingen wrote:
>
> Hi,
>
> Last Tuesday I upgraded squirrelmail on two centos-3 mailservers.
>
> squirrelmail-1.4.8-8.el3.centos.1, 2.4.21-58.ELsmp, CentOS release 3.9,
> httpd 2.0.46
>
> Since then I have some users who have problems with their sessions.
> They are logged out every now and then, and some sent mails have another
> user address in the From header. It looks like squirrel is mixing up
> sessions? Those users have used fresh browser sessions.
>
> Anyone else seeing this? Maybe a side effect of one of the 2 security patches?

* Mon Dec 1 2008 Michal Hlavinka <mhlavink@xxxxxxxxxx> - 1.4.8-8
- Resolves: CVE-2008-2379
- fix XSS issue caused by an insufficient html mail sanitation

* Fri Nov 28 2008 Michal Hlavinka <mhlavink@xxxxxxxxxx> - 1.4.8-7
- don't transmit cookies under non-SSL connections if the session is started
  under an SSL (https) connection
- Resolves: CVE-2008-3663

I am not using squirrelmail, but the only CentOS specific patch is removing
the splash logos.

Cheers,

Tru
--
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos