[Pkg-drupal-commits] r1933 - in /branches/drupal6/debian: README.Debian changelog
luigi at users.alioth.debian.org
Tue Oct 14 14:00:42 UTC 2008
Author: luigi
Date: Tue Oct 14 14:00:41 2008
New Revision: 1933
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=1933
Log:
Added a notice about cookie security and session.cookie_secure configuration (Ref: CVE-2008-3661) (Closes: #501058)
Modified:
branches/drupal6/debian/README.Debian
branches/drupal6/debian/changelog
Modified: branches/drupal6/debian/README.Debian
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal6/debian/README.Debian?rev=1933&op=diff
==============================================================================
--- branches/drupal6/debian/README.Debian (original)
+++ branches/drupal6/debian/README.Debian Tue Oct 14 14:00:41 2008
@@ -10,6 +10,7 @@
7. Upgrading database from previous versions
8. Virtual hosts
9. Additional themes and modules
+10. Privacy of session cookies
A. Customizing themes
B. Links for more support
@@ -128,6 +129,21 @@
# ln -s /usr/local/share/drupal/themes /usr/share/drupal6/themes/local
+10. Privacy of session cookies
+------------------------------
+
+Drupal does not set the secure flag for the session cookie in an https
+session, which can cause the cookie to be sent in http requests and make
+it easier for remote attackers to capture this cookie.
+
+If you are using drupal on an https connection you can fix this issue
+setting the session.cookie_secure PHP properties to on either in the
+global PHP configuration file or adding the following line to
+/etc/drupal/6/htaccess:
+
+ php_value session.cookie_secure 1
+
+
A. Customizing themes
---------------------
To create or customize a theme for your site, I recommend to start
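Review bot: the new section should state the trade-off of session.cookie_secure=1: the browser will withhold the session cookie from every plain-http request, so the setting only suits a site served exclusively over https, and a site that mixes http and https pages will have logged-in users lose their session on the http pages. The `php_value session.cookie_secure 1` line in /etc/drupal/6/htaccess also only takes effect when PHP runs as an Apache module and the htaccess file is honoured; installations running PHP as CGI/FastCGI need the global php.ini route the same paragraph mentions, so the text could say which applies. Minor wording: "you can fix this issue setting the session.cookie_secure PHP properties to on" reads better as "you can mitigate this issue by setting the session.cookie_secure PHP setting to On", and the two trailing blank lines before "A. Customizing themes" could be one.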
Modified: branches/drupal6/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal6/debian/changelog?rev=1933&op=diff
==============================================================================
--- branches/drupal6/debian/changelog (original)
+++ branches/drupal6/debian/changelog Tue Oct 14 14:00:41 2008
@@ -6,6 +6,10 @@
* debian/patches/11-SA-2008-060
- Added upstream patch fixing several security vulnerabilities
(Ref: SA-2008-060, CVE-TBA) (Closes: #501640)
+
+ * debian/README.Debian
+ - Added a notice about cookie security and session.cookie_secure
+ configuration (Ref: CVE-2008-3661) (Closes: #501058)
-- Luigi Gangitano <luigi at debian.org> Fri, 14 Oct 2008 15:47:20 +0200
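Review bot: the entry should make clear that this is a documentation-only workaround rather than a fix, since it closes #501058 while Drupal itself still does not set the secure flag; wording such as "Documented the session.cookie_secure workaround for CVE-2008-3661" avoids readers assuming the cookie flag is now set by default. Visible in the unchanged context: the trailer reads "Fri, 14 Oct 2008" while the commit header gives Tue Oct 14 2008, so the day of week in the trailer looks wrong.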