Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

Thijs Kinkhorst thijs at debian.org
Wed May 30 12:30:58 UTC 2012

severity 608286 minor

> httpOnly has been made the default in Tomcat 7, so this ID is
> essentially about an insecure default setting.
> For Tomcat 6 I don't see the need to change the default (which might
> even break applications). Instead such settings should be taken into
> account when setting up a Tomcat site.
> For Squeeze you add a README.Debian or such pointing to the option
> and the recommendation to use the option?

I don't think we can update the Squeeze README for this anymore.

A note could be added to the sid version of tomcat6.

However, this is not a vulnerability, only extra hardening which is surely
useful but not a vulnerability in itself. I'm therefore downgrading this
bug to minor: the request to update the README.Debian.
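The option the quoted reply refers to is, in Tomcat 6, the `useHttpOnly` attribute of the `<Context>` element in `context.xml` (Tomcat 7 turns it on by default). A small audit helper, added here and not part of the bug report, Debian or Tomcat, shows what a README reader could use to confirm the setting took effect: it parses `Set-Cookie` header values the way a proxy log or scanner would capture them and reports session cookies that were issued without `HttpOnly`. The sample header lines are constructed for illustration.

```python
"""Check Set-Cookie headers for the HttpOnly attribute on session cookies.

Added example (not from the Debian bug report): parses Set-Cookie header
values and lists session cookies issued without HttpOnly. The sample
headers at the bottom are constructed, not captured from a real server.
"""

# Tomcat's default session cookie name.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attributes are keyed by lower-cased name; flag attributes such as
    HttpOnly and Secure map to True, valued ones (Path, Domain) to a string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def is_session_cookie(name):
    """True if the cookie name is a known session cookie name."""
    return name in SESSION_COOKIE_NAMES


def missing_httponly(header_values):
    """Return the names of session cookies set without the HttpOnly flag."""
    findings = []
    for header_value in header_values:
        name, _, attrs = parse_set_cookie(header_value)
        if is_session_cookie(name) and attrs.get("httponly") is not True:
            findings.append(name)
    return findings


# Constructed samples: a Tomcat 6 default-style cookie without HttpOnly,
# and the same cookie as issued with useHttpOnly="true" on the Context.
SAMPLE_DEFAULT = ["JSESSIONID=ABC123; Path=/app"]
SAMPLE_HARDENED = ["JSESSIONID=ABC123; Path=/app; HttpOnly", "theme=dark; Path=/"]

if __name__ == "__main__":
    print("default  :", missing_httponly(SAMPLE_DEFAULT))   # ['JSESSIONID']
    print("hardened :", missing_httponly(SAMPLE_HARDENED))  # []
```

Attribute matching is case-insensitive because the cookie specification treats `HttpOnly` and `httponly` the same; only cookies in `SESSION_COOKIE_NAMES` are reported, so a site that renames its session cookie would need to extend that set.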
