Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

Niels Thykier niels at thykier.net
Wed Dec 29 19:38:17 UTC 2010



Tags: patch

See http://svn.apache.org/viewvc?view=revision&revision=1037779

On 2010-12-29 18:29, Giuseppe Iuculano wrote:
> Package: tomcat6
> Severity: serious
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for tomcat6.
> 
> CVE-2010-4312[0]:
> | The default configuration of Apache Tomcat 6.x does not include the
> | HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
> | attackers to hijack a session via script access to a cookie.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
>     http://security-tracker.debian.org/tracker/CVE-2010-4312
> 
> 



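As an added example (not part of this bug report, and not code from Tomcat or Debian): a small checker that parses the Set-Cookie headers of a raw HTTP response and reports session cookies set without the HttpOnly attribute, which is the condition CVE-2010-4312 describes for the Tomcat 6 defaults. The two sample responses are constructed to resemble a default Tomcat 6 reply and a hardened one; the cookie values, paths and the list of session cookie names are assumptions.

```python
"""Added example: audit raw HTTP responses for session cookies that lack the
HttpOnly attribute (the Tomcat 6 default condition described by CVE-2010-4312).
Illustrative code, not Tomcat's or Debian's."""
from dataclasses import dataclass
from typing import List

# Cookie names commonly used for server-side sessions (JSESSIONID is Tomcat's).
# Assumed list; extend it for the application under test.
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid"}


@dataclass
class CookieFinding:
    name: str
    httponly: bool
    secure: bool
    is_session: bool

    @property
    def hijackable_by_script(self) -> bool:
        # The CVE's condition: a session cookie readable through document.cookie,
        # so an injected script can exfiltrate it and replay the session.
        return self.is_session and not self.httponly


def parse_set_cookie(value: str) -> CookieFinding:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFinding(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        is_session=name.lower() in SESSION_COOKIE_NAMES,
    )


def audit_response(raw: str) -> List[CookieFinding]:
    """Audit every Set-Cookie header in the header block of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        header, _, value = line.partition(":")
        if header.strip().lower() == "set-cookie" and value.strip():
            findings.append(parse_set_cookie(value.strip()))
    return findings


def unprotected_session_cookies(raw: str) -> List[str]:
    """Names of session cookies the response sets without HttpOnly."""
    return [f.name for f in audit_response(raw) if f.hijackable_by_script]


# Constructed sample responses (cookie values and paths are invented).
TOMCAT6_DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/app\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("default", TOMCAT6_DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for f in audit_response(resp):
            print(f"{label}: {f.name} HttpOnly={f.httponly} Secure={f.secure} "
                  f"session={f.is_session} hijackable={f.hijackable_by_script}")
```

Feed it a response captured with `curl -i` against the login or first page of the application. On a Tomcat 6 that does not yet carry the linked fix, setting `useHttpOnly="true"` on the Context element in conf/context.xml turns the flag on for the session cookie; note that HttpOnly only blocks script access, so the checker also reports the separate Secure attribute, which keeps the cookie off plaintext HTTP.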
