[Pkg-drupal-commits] r1935 - in /branches/drupal-5.0/debian: README.Debian changelog
luigi at users.alioth.debian.org
Tue Oct 14 14:09:04 UTC 2008
Author: luigi
Date: Tue Oct 14 14:09:04 2008
New Revision: 1935
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=1935
Log:
Added a notice about cookie security and session.cookie_secure configuration (Ref: CVE-2008-3661) (Closes: #501063)
Modified:
branches/drupal-5.0/debian/README.Debian
branches/drupal-5.0/debian/changelog
Modified: branches/drupal-5.0/debian/README.Debian
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/README.Debian?rev=1935&op=diff
==============================================================================
--- branches/drupal-5.0/debian/README.Debian (original)
+++ branches/drupal-5.0/debian/README.Debian Tue Oct 14 14:09:04 2008
@@ -9,8 +9,9 @@
6. Apache config file and php4 CGI version
7. Securing your portal
8. Upgrading database from previous versions
-8. Virtual hosts
+9. Virtual hosts
10. Additional themes and modules
+11. Privacy of session cookies
A. Customizing themes
B. Links for more support
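Review bot: the TOC line "8. Virtual hosts" becomes "9. Virtual hosts", but no hunk in this README.Debian diff touches the matching section heading in the body, so please confirm that heading already reads 9. The renumbering is also unrelated to the cookie notice and is not mentioned in the log message or the changelog entry; a short "fixed section numbering" item would cover it.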
@@ -149,6 +150,21 @@
# ln -s /usr/local/share/drupal/themes /usr/share/drupal/themes/local
+11. Privacy of session cookies
+------------------------------
+
+Drupal does not set the secure flag for the session cookie in an https
+session, which can cause the cookie to be sent in http requests and make
+it easier for remote attackers to capture this cookie.
+
+If you are using drupal on an https connection you can fix this issue
+setting the session.cookie_secure PHP properties to on either in the
+global PHP configuration file or adding the following line to
+/etc/drupal/5/htaccess:
+
+ php_value session.cookie_secure 1
+
+
A. Customizing themes
---------------------
To create or customize a theme for your site, I recommend to start
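Review bot: the added line "php_value session.cookie_secure 1" sets a boolean ini setting with php_value; the PHP manual says to use php_flag for booleans, so "php_flag session.cookie_secure on" would match both the manual and the "to on" wording in the paragraph above it. Two caveats deserve a sentence in the new section: the htaccess directive only takes effect when PHP runs as the Apache module, so readers following section 6 (php4 CGI version) need the global PHP configuration route, and with the flag on the browser will not send the session cookie over plain http, so the setting suits sites served only over https. Minor wording: "fix this issue by setting the session.cookie_secure PHP property to on".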
Modified: branches/drupal-5.0/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/drupal-5.0/debian/changelog?rev=1935&op=diff
==============================================================================
--- branches/drupal-5.0/debian/changelog (original)
+++ branches/drupal-5.0/debian/changelog Tue Oct 14 14:09:04 2008
@@ -9,6 +9,10 @@
* debian/cron.sh
- Fixed error when BASE_URL is not cleaned (Closes: #494208, #498806)
+
+ * debian/README.Debian
+ - Added a notice about cookie security and session.cookie_secure
+ configuration (Ref: CVE-2008-3661) (Closes: #501063)
-- Luigi Gangitano <luigi at debian.org> Fri, 8 Oct 2008 01:45:38 +0200
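Review bot: the trailer line still reads "Fri, 8 Oct 2008 01:45:38 +0200" although this item is added on 14 Oct 2008, and 8 Oct 2008 was a Wednesday, not a Friday. Refresh the trailer timestamp when adding the item (for example with dch) so the weekday and date agree and the entry reflects the last change.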