CVE-2008-3661

Publication date 23 September 2008

Last updated 24 July 2024


Ubuntu priority

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Read the notes from the security team

Status

Package Ubuntu Release Status
drupal 9.04 jaunty Not in release
8.10 intrepid Not in release
8.04 LTS hardy Not in release
7.10 gutsy Not in release
7.04 feisty Ignored end of life, was needs-triage
6.06 LTS dapper Ignored
drupal5 9.04 jaunty Ignored
8.10 intrepid Ignored
8.04 LTS hardy Ignored
7.10 gutsy Ignored end of life, was needs-triage
7.04 feisty Not in release
6.06 LTS dapper Not in release

Notes


mdeslaur

Drupal doesn't consider this an issue. "It's your responsibility to set session.cookie_secure in the SSL virtual host if you want an SSL-only website." setting to "ignored"