I am not really a security expert, but I use OpenVAS to test my servers/networks. OpenVAS on my Zimbra server tells me that:
High https (443/tcp)
High (CVSS: 6.4)
NVT: Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability
I use Release 8.0.6.GA.5922.UBUNTU10.64 UBUNTU10_64 NETWORK edition (I know I have to upgrade to 8.0.7, but I already applied the Heartbleed patch).
As I have 3 domains on my server, proxy is running.
I cannot find where I can set the 'secure' attribute for any cookies that are sent over an SSL connection.
Zimbra is only accessible via HTTPS (firewall), but I put the OpenVAS server on the Zimbra DMZ, so it scanned Zimbra without being filtered by my firewall. So I think it is not a security hole, as I know my firewall is denying HTTP access, but I would like to understand.
Hope someone can help me,
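
What the scanner finding checks, as an added example that is not part of the original post: the code parses the Set-Cookie headers of an HTTPS response and lists the cookies sent without the `Secure` attribute. The cookie names and header values are constructed samples, not taken from a Zimbra server.

```python
# Added example: report which Set-Cookie headers lack the Secure attribute.
# Without Secure, a browser may also send the cookie over plain HTTP.
# The header values below are constructed samples, not captured from a real server.

SAMPLE_SET_COOKIE = [
    "SESSION_A=abc123; Path=/; HttpOnly",          # no Secure attribute
    "SESSION_B=def456; Path=/; Secure; HttpOnly",  # Secure present
    "PREFS=theme=secure-dark; Path=/",             # "secure" appears only in the value
    "SESSION_C=ghi789; path=/; SECURE",            # attribute names are case-insensitive
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes dict)."""
    parts = header_value.split(";")
    # The first segment is name=value; the value itself may contain '='.
    name, _, value = parts[0].strip().partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val  # flag attributes such as Secure have no value
    return name, value, attrs


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies whose attributes do not include Secure."""
    missing = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        # Check the parsed attributes, not a substring of the whole header,
        # so a value like "secure-dark" is not mistaken for the flag.
        if "secure" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_SET_COOKIE):
        print(f"{cookie_name}: sent without Secure")
```
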