| Name | CVE-2008-3661 |
| Description | Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 501058, 501063 |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| drupal5 | source | (unstable) | 5.10-2 | low | 501063 | |
| drupal6 | source | (unstable) | 6.4-2 | low | 501058 |
drupal upstreams advise the users to set session.cookie_secure in the php configuration
to fix this has been documented in README.Debian