default configuration of squirrelmail-secure-login doesn't work

Bug #321304 reported by J. Bruce Fields
Affects: squirrelmail-secure-login (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Binary package hint: squirrelmail-secure-login

The secure-login-config.php is installed with a default of:

        $change_back_to_http_after_login = 1;

even though, as noted in
/usr/share/doc/squirrelmail-secure-login/README.gz,

        If you turn on $change_back_to_http_after_login under
        SquirrelMail 1.5.2 and above, you will be unable to log in
        because by default, SquirrelMail 1.5 will only transmit cookies
        securely if the user's session started under https://. If you
        really want to revert to an unencrypted connection after user
        login, you need to run the SquirrelMail configuration utility
        and change the "Only secure cookies if poss." setting (under
        "General Options") to "false".

It would be more user-friendly to provide a default configuration that
is compatible with the default configuration of squirrelmail. Also,
change_back_to_http_after_login = 0 seems the more conservative default.

I'm on intrepid, with squirrelmail 2:1.4.15-3ubuntu0.1 and squirrelmail-secure-login 1.4-1.
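The cookie interaction behind this report, as an added example that is not part of the bug report or of SquirrelMail's code: a Python model of a browser cookie jar that applies the RFC 6265 rule that a cookie carrying the Secure attribute is only sent over https, plus a toy server that mirrors the two settings named above ($only_secure_cookies from config.php and $change_back_to_http_after_login from secure-login-config.php). The hostname, paths and session id are constructed.

```python
"""Model of why $change_back_to_http_after_login = 1 conflicts with
$only_secure_cookies = true.

Constructed example, not SquirrelMail's code: a toy cookie jar following
RFC 6265 section 5.4 (Secure cookies go out only over https) and a toy
server that sets the session cookie the way the two config knobs dictate.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # True when the Set-Cookie header carried the Secure attribute


@dataclass
class CookieJar:
    """Minimal client-side cookie store; a single host is assumed."""
    cookies: dict = field(default_factory=dict)

    def store(self, cookie: Cookie) -> None:
        self.cookies[cookie.name] = cookie

    def cookies_for(self, url: str) -> dict:
        """Cookies a browser would attach to a request for url:
        Secure-flagged cookies are included only on https requests."""
        scheme = urlparse(url).scheme
        return {
            c.name: c.value
            for c in self.cookies.values()
            if scheme == "https" or not c.secure
        }


@dataclass
class WebmailServer:
    """Toy server mirroring the two configuration options in the report."""
    only_secure_cookies: bool              # config.php: $only_secure_cookies
    change_back_to_http_after_login: bool  # secure-login-config.php knob

    def login(self, jar: CookieJar, url: str) -> str:
        """Handle the login POST; return the URL the client is redirected to."""
        parsed = urlparse(url)
        # With $only_secure_cookies, a session started under https gets a
        # Secure-flagged session cookie (the CVE-2008-3663 hardening).
        secure_flag = self.only_secure_cookies and parsed.scheme == "https"
        jar.store(Cookie("SQMSESSID", "constructed-session-id", secure=secure_flag))
        next_scheme = "http" if self.change_back_to_http_after_login else "https"
        return f"{next_scheme}://{parsed.netloc}/webmail/src/webmail.php"

    def webmail(self, jar: CookieJar, url: str) -> str:
        """Post-login page: authenticated only if the session cookie arrived."""
        sent = jar.cookies_for(url)
        return "inbox" if "SQMSESSID" in sent else "login-page"


def login_flow(only_secure_cookies: bool, change_back: bool) -> str:
    """Run login over https, follow the plugin's redirect, and report what the
    user sees together with the scheme the session cookie was (not) sent on."""
    jar = CookieJar()
    server = WebmailServer(only_secure_cookies, change_back)
    next_url = server.login(jar, "https://mail.example.org/webmail/src/login.php")
    return f"{server.webmail(jar, next_url)} over {urlparse(next_url).scheme}"


if __name__ == "__main__":
    for osc, cb in [(True, True), (True, False), (False, True)]:
        print(f"only_secure_cookies={osc}, "
              f"change_back_to_http_after_login={int(cb)} -> {login_flow(osc, cb)}")
```

The first combination (the package's shipped default) is the failure the report describes: the Secure-flagged SQMSESSID never reaches the http page, so the user lands back on the login form. The third combination logs in, but only because the session cookie now travels in clear text, which is the risk the CVE-2008-3663 change was meant to remove; keeping $change_back_to_http_after_login = 0 avoids both problems.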


jhr (hauke.rahm) wrote : Re: [Bug 321304] [NEW] default configuration of squirrelmail-secure-login doesn't work

Hi,

thanks for your bug report!

On Sun, Jan 25, 2009 at 11:44:16PM -0000, J. Bruce Fields wrote:
> It would be more user-friendly to provide a default configuration that
> is compatible with the default configuration of squirrelmail. Also,
> change_back_to_http_after_login = 0 seems the more conservative default.

As you correctly quoted from README.gz this is default behaviour for
SquirrelMail 1.5.2 and above. That is as a matter of fact the
development branch of SquirrelMail and thus part of Debian's
experimental tree. It is not to be included in Debian's distribution
(for a stable release) until it reaches a more stable state (and changes
its release number to 1.6 or even 2.0).

> I'm on intrepid, with squirrelmail 2:1.4.15-3ubuntu0.1 and squirrelmail-
> secure-login 1.4-1.

Right, Debian and Ubuntu ship with SquirrelMail 1.4.x and here the
standard configuration makes sense (at least under some circumstances).

It might be true that most users find it reasonable to have
change_back_to_http_after_login set to 0, but I don't think it's that big a
deal to simply change it. :)
Since Debian is in hard freeze for its next release I'm not going to
change default configuration now. I'll talk to upstream when a new
version comes up about changing it there.

Hauke

J. Bruce Fields (bfields-fieldses) wrote :

That's odd; my unmodified installation of squirrelmail (I ran the config script just to set the imap configuration), only worked after change_back_to_http_after_login was cleared. And checking config.php, I see $only_secure_cookies is set to true.

Ah-hah: looking at the debian changelog:

squirrelmail (2:1.4.15-3) unstable; urgency=high

  * Cookies sent over HTTPS will now be confined to HTTPS only
    (cookie secure flag) and more support for the HTTPOnly cookie
    attribute. Patch taken from upstream release.
    (CVE-2008-3663, closes: #499942)

 -- Thijs Kinkhorst <email address hidden> Sun, 28 Sep 2008 16:33:48 +0200

Patrick Valencia (pvalencia357) wrote :

I've noticed the same thing, and in its current state, it's unusable without being manually changed. After installing it, it took me 2+ days to figure out what was wrong with it and why I couldn't log in.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squirrelmail-secure-login - 1.4-2

---------------
squirrelmail-secure-login (1.4-2) unstable; urgency=medium

  * Changed default configuration (using quilt):
    + $change_back_to_http_after_login = 0 (LP: #321304)
    + $sl_securePort = '443'
  * debian/control: Added VCS info
  * debian/post{inst,rm} cleanup (lintian warnings)
  * debian/control: ${misc:Depends} added
  * debian/rules: Switching to debhelper 7 style
  * Bumped to new policy 3.8.1: no changes
  * DM-Upload-Allowed: yes

 -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 01 Jun 2009 10:46:29 +0100

Changed in squirrelmail-secure-login (Ubuntu):
status: New → Fix Released