Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

tony mancill tmancill at debian.org
Fri Dec 31 15:57:13 UTC 2010


FYI, we applied patches for that Apache upstream SVN revision as part of
CVE-2010-4172.  I reviewed the patch posted here [0], and we already
have all of it except for this bit.

@@ -54,7 +56,7 @@
</tr>
<tr>
<th>Guessed Locale</th>
- - <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession)
%></td>
+ <td><%=
JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSessi
on))
%></td>
</tr>
<tr>
<th>Guessed User</th>
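Review bot: the hunk will not apply as pasted: the removed line carries a doubled `- -` marker and the added `<td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSession)) %></td>` has been wrapped across three lines (`currentSessi` / `on`), so regenerate it from the linked upstream revision r1037779 rather than from this mail before preparing the upload. The change itself is the right fix for this cell: the guessed locale comes out of session state and was written into the table unescaped, and wrapping it in `JspHelper.escapeXml` brings it in line with the other cells the already-applied part of the patch covers.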


I'll prepare an upload that includes this patch, but otherwise I believe
we've already addressed this due to the overlap of the response with
CVE-2010-4172.

Thank you,
tony

[0] http://www.securityfocus.com/archive/1/archive/1/514866/100/0/threaded


On 12/29/2010 11:39 AM, Niels Thykier wrote:
> Tags: patch
> 
> See http://svn.apache.org/viewvc?view=revision&revision=1037779
> 
> (sorry for double mail to pkg-java list)
> 
> On 2010-12-29 18:29, Giuseppe Iuculano wrote:
>> Package: tomcat6
>> Severity: serious
>> Tags: security
> 
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for tomcat6.
> 
>> CVE-2010-4312[0]:
>> | The default configuration of Apache Tomcat 6.x does not include the
>> | HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
>> | attackers to hijack a session via script access to a cookie.
> 
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
> 
>> For further information see:
> 
>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
>>     http://security-tracker.debian.org/tracker/CVE-2010-4312
> 
> 
> 
> __
> This is the maintainer address of Debian's Java team
> <http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers>.
> Please use
> debian-java at lists.debian.org for discussions and questions.
> 
> 

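As an added illustration (not part of this thread, and not Tomcat's or Debian's code), here is a small Python check that parses `Set-Cookie` response headers and reports session cookies issued without the `HttpOnly` attribute, which is the condition CVE-2010-4312 describes. The sample headers are constructed; `JSESSIONID` is Tomcat's default session cookie name, and on the container side the setting that adds the attribute is the `Context` attribute `useHttpOnly="true"`, which is off by default in Tomcat 6.x.

```python
"""Audit Set-Cookie headers for a missing HttpOnly attribute (CVE-2010-4312 class of issue)."""

# Tomcat's default session cookie name; extend this set if a container is
# configured to issue its session cookie under a different name.
SESSION_COOKIE_NAMES = {"JSESSIONID"}

# Constructed sample: the shape of a Tomcat 6 response with the default
# useHttpOnly="false" (the cookie value is made up).
DEFAULT_TOMCAT6_HEADERS = [
    "JSESSIONID=5C1D8F3A9B2E4C7A1F0E6D3B8A9C2E4F; Path=/examples",
    "theme=dark; Path=/; Max-Age=86400",  # non-session cookie, ignored by the audit
]

# Constructed sample: the same response once useHttpOnly="true" is in effect.
HARDENED_HEADERS = [
    "JSESSIONID=5C1D8F3A9B2E4C7A1F0E6D3B8A9C2E4F; Path=/examples; HttpOnly",
    "theme=dark; Path=/; Max-Age=86400",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are compared case-insensitively (HttpOnly, httponly and
    HTTPONLY are all accepted); flag attributes with no '=' map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def audit_session_cookies(header_values, session_names=SESSION_COOKIE_NAMES):
    """Return the names of session cookies in this response that lack HttpOnly."""
    findings = []
    for header_value in header_values:
        name, _value, attrs = parse_set_cookie(header_value)
        if name in session_names and "httponly" not in attrs:
            findings.append(name)
    return findings


def add_httponly(header_value):
    """Return the header with HttpOnly appended if it is missing (e.g. for a
    reverse proxy that rewrites cookies from a container that cannot be
    reconfigured); the value is unchanged when the attribute is already set."""
    _name, _value, attrs = parse_set_cookie(header_value)
    if "httponly" in attrs:
        return header_value
    return header_value.rstrip().rstrip(";") + "; HttpOnly"


if __name__ == "__main__":
    for label, headers in (("default", DEFAULT_TOMCAT6_HEADERS), ("hardened", HARDENED_HEADERS)):
        missing = audit_session_cookies(headers)
        print(f"{label}: session cookies without HttpOnly -> {missing or 'none'}")
    print(add_httponly(DEFAULT_TOMCAT6_HEADERS[0]))
```

Running the module prints one finding for the default response and none for the hardened one. The check parses only the attribute names, not the cookie value, so it is safe to point at real response headers; a `Secure` attribute check can be added the same way if the deployment terminates TLS.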