Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

Julien Cristau jcristau at debian.org
Tue Jan 4 20:22:16 UTC 2011


user release.debian.org at packages.debian.org
usertag 608286 squeeze-can-defer
tag 608286 squeeze-ignore
kthxbye

On Wed, Dec 29, 2010 at 18:29:40 +0100, Giuseppe Iuculano wrote:

> Package: tomcat6
> Severity: serious
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for tomcat6.
> 
> CVE-2010-4312[0]:
> | The default configuration of Apache Tomcat 6.x does not include the
> | HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
> | attackers to hijack a session via script access to a cookie.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
>     http://security-tracker.debian.org/tracker/CVE-2010-4312
> 
This can be fixed through squeeze-security if it's not ready for
squeeze, so tagging as -can-defer.

Cheers,
Julien
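The defect the CVE describes is purely a configuration default: Tomcat 6 emits its JSESSIONID cookie without the HttpOnly attribute, so any script running in the page (for instance via an XSS bug in the deployed application) can read it through document.cookie. The operational fix is to set useHttpOnly="true" on the `<Context>` element in conf/context.xml (or per application), after which the Set-Cookie header carries the flag. The script below is an added example, not code from the bug report, Debian or the Tomcat project: it parses Set-Cookie headers and reports session cookies that lack HttpOnly, so it can be pointed at a server before and after the context.xml change. The sample headers are constructed, and the cookie name JSESSIONID is Tomcat's default; other names are an assumption to be adjusted per deployment.

```python
"""Report session cookies that are set without the HttpOnly attribute.

Added example (not part of the Debian bug report or of Tomcat itself).
Usage: python check_httponly.py http://host:8080/myapp/
Without a URL the constructed sample headers below are checked instead,
so the script runs offline.
"""
import sys
import http.client
from urllib.parse import urlsplit

# JSESSIONID is Tomcat's default session cookie name; anything else is an
# assumption and should be adjusted for the deployment being checked.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are case-insensitive per RFC 6265, so they are
    lower-cased; flag attributes such as HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookies_missing_httponly(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return the names of session cookies set without HttpOnly."""
    missing = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name in session_names and "httponly" not in attrs:
            missing.append(name)
    return missing


def fetch_set_cookie_headers(url, timeout=5):
    """Issue a single GET and return every Set-Cookie header in the response."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
# What an unpatched Tomcat 6 default configuration emits: no HttpOnly.
DEFAULT_TOMCAT6_HEADERS = [
    "JSESSIONID=1A2B3C4D5E6F7A8B9C0D; Path=/myapp",
    "lang=en; Path=/",  # not a session cookie, must not be reported
]
# The same response after useHttpOnly="true" is set on the <Context>.
FIXED_HEADERS = [
    "JSESSIONID=1A2B3C4D5E6F7A8B9C0D; Path=/myapp; HttpOnly",
    "lang=en; Path=/",
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        headers = fetch_set_cookie_headers(sys.argv[1])
    else:
        headers = DEFAULT_TOMCAT6_HEADERS
    for h in headers:
        print("Set-Cookie:", h)
    bad = cookies_missing_httponly(headers)
    if bad:
        print("session cookies without HttpOnly:", ", ".join(bad))
        sys.exit(1)
    print("all session cookies carry HttpOnly")
```

HttpOnly only blocks script access to the cookie; it does nothing against an attacker who can already read traffic or drive the browser, so it is a hardening measure on top of, not a substitute for, fixing the XSS that would leak the cookie. The check above also deliberately looks at the first response only: Tomcat only sets JSESSIONID once a session is created, so point it at a URL that actually starts a session.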