[Pkg-drupal-commits] r1933 - in /branches/drupal6/debian: README.Debian changelog

luigi at users.alioth.debian.org
Tue Oct 14 14:00:42 UTC 2008


Author: luigi
Date: Tue Oct 14 14:00:41 2008
New Revision: 1933

URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=1933
Log:
Added a notice about cookie security and session.cookie_secure configuration (Ref: CVE-2008-3661) (Closes: #501058)

Modified:
    branches/drupal6/debian/README.Debian
    branches/drupal6/debian/changelog

Modified: branches/drupal6/debian/README.Debian
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal6/debian/README.Debian?rev=1933&op=diff
==============================================================================
--- branches/drupal6/debian/README.Debian (original)
+++ branches/drupal6/debian/README.Debian Tue Oct 14 14:00:41 2008
@@ -10,6 +10,7 @@
 7.  Upgrading database from previous versions
 8.  Virtual hosts
 9.  Additional themes and modules
+10. Privacy of session cookies
 
 A.  Customizing themes
 B.  Links for more support
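Review bot: the new table-of-contents entry "10. Privacy of session cookies" names the section after privacy, but the section it points to is about the cookie's Secure flag, i.e. keeping the session cookie off plaintext HTTP, and the changelog entry for the same change calls it "cookie security". "Security of session cookies" (or "Securing the session cookie") would describe the section more accurately; keep the heading and the TOC entry in sync if it is renamed.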
@@ -128,6 +129,21 @@
  # ln -s /usr/local/share/drupal/themes /usr/share/drupal6/themes/local
 
 
+10. Privacy of session cookies
+------------------------------
+
+Drupal does not set the secure flag for the session cookie in an https
+session, which can cause the cookie to be sent in http requests and make
+it easier for remote attackers to capture this cookie.
+
+If you are using drupal on an https connection you can fix this issue
+setting the session.cookie_secure PHP properties to on either in the
+global PHP configuration file or adding the following line to
+/etc/drupal/6/htaccess:
+
+  php_value session.cookie_secure 1
+
+
 A. Customizing themes
 ---------------------
 To create or customize a theme for your site, I recommend to start
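Review bot: the advice in the new section 10 is missing the caveat that makes or breaks it: once session.cookie_secure is on, the browser never sends the session cookie over plain http, so logins and sessions on any http URL of the same site silently stop working. The text should say this applies only when the site is served exclusively over https (with http redirected to https), not merely "if you are using drupal on an https connection". Two smaller points in the same paragraph: "session.cookie_secure PHP properties" should read "the session.cookie_secure PHP directive", and "you can fix this issue setting" needs "by setting". Finally, the `php_value session.cookie_secure 1` line in /etc/drupal/6/htaccess only works when PHP runs as the Apache module (mod_php) and the directory's AllowOverride permits it; with PHP under CGI/FastCGI, an unknown php_value directive in .htaccess makes Apache return a 500 error, so the global php.ini route mentioned just before is the one to recommend for those setups.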

Modified: branches/drupal6/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal6/debian/changelog?rev=1933&op=diff
==============================================================================
--- branches/drupal6/debian/changelog (original)
+++ branches/drupal6/debian/changelog Tue Oct 14 14:00:41 2008
@@ -6,6 +6,10 @@
   * debian/patches/11-SA-2008-060
     - Added upstream patch fixing several security vulnerabilities
       (Ref: SA-2008-060, CVE-TBA) (Closes: #501640)
+
+  * debian/README.Debian
+    - Added a notice about cookie security and session.cookie_secure
+      configuration (Ref: CVE-2008-3661) (Closes: #501058)
 
  -- Luigi Gangitano <luigi at debian.org>  Fri, 14 Oct 2008 15:47:20 +0200
 
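Review bot: the changelog trailer's day of week is wrong: "Fri, 14 Oct 2008 15:47:20 +0200" conflicts with the commit's own timestamp "Tue Oct 14 14:00:41 2008" (14 October 2008 was a Tuesday), and dpkg-parsechangelog will flag the inconsistency. Regenerate the line with `date -R` so it reads "Tue, 14 Oct 2008 15:47:20 +0200". Separately, the preceding entry in this hunk's context still carries the "CVE-TBA" placeholder; it should be replaced with the assigned identifiers once they exist, before upload.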
