CIVI-SA-2016-13: Improve secure flags on cookies

Published
2016-08-23 15:55
CiviCRM previously did not set the Secure flag on its cookies where appropriate; that flag restricts a browser to sending the cookie only over SSL/TLS connections. This was not a security risk by itself, but the change is being made and announced in security release information as part of a wider "defense in depth" process within CiviCRM.
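To make the effect of the flag concrete, here is an added Python check (not code from the advisory or from CiviCRM) that parses Set-Cookie headers, reports cookies lacking the Secure flag, and shows which cookies a browser would still attach to a plain http:// request to the same host. The cookie names and header values are constructed samples, not captured from a real install.

```python
"""Audit Set-Cookie headers for the Secure flag (added example, not CiviCRM code)."""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and lower-cased attributes.

    Flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_secure(headers: List[str]) -> List[str]:
    """Names of cookies that a TLS-only site sets without the Secure flag."""
    return [c["name"] for c in map(parse_set_cookie, headers)
            if "secure" not in c["attrs"]]


def cookies_sent_over(headers: List[str], scheme: str) -> List[str]:
    """Names a browser would attach to a same-host request over `scheme`.

    Per RFC 6265, a Secure cookie is only sent over a secure channel; every
    other cookie is also sent over plain HTTP, which is the exposure the
    flag removes.
    """
    return [c["name"] for c in map(parse_set_cookie, headers)
            if scheme == "https" or "secure" not in c["attrs"]]


# Constructed sample headers: before and after the fix (assumed names).
BEFORE_FIX = [
    "PHPSESSID=abc123; path=/; HttpOnly",
    "example_session=def456; path=/",
]
AFTER_FIX = [
    "PHPSESSID=abc123; path=/; Secure; HttpOnly",
    "example_session=def456; path=/; Secure",
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, "missing Secure:", missing_secure(hdrs),
              "| sent over http:", cookies_sent_over(hdrs, "http"))
```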

Security Risk
Not Critical
Vulnerability
Other
Affected Versions

CiviCRM versions prior to 4.7.11 or 4.6.21

Fixed Versions

CiviCRM versions 4.7.11 or greater, or 4.6.21 or greater

Solutions

Upgrade to CiviCRM 4.7.11 or greater, or CiviCRM 4.6.21 or greater.

Credits

Chris Burgess of Fuzion Aotearoa

References
  • https://github.com/civicrm/civicrm-core/pull/7990
  • https://github.com/civicrm/civicrm-core/pull/8865
  • https://issues.civicrm.org/jira/browse/CRM-16900