Type: Posts; User: DrByte
Threat-wise it's insignificant. There are no plans to backport it at present. Best to plan an upgrade to benefit from all the other important security benefits in 1.3.9 though.
At its basic level, v1.3.9 already protects against that problem, since it automatically resets the cookie value once it discovers the invalid value.
It can be reported as a false-positive...