Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
thijs at debian.org
Wed May 30 12:30:58 UTC 2012
severity 608286 minor
> httpOnly has been made the default in Tomcat 7, so this ID is
> essentially about an insecure default setting.
> For Tomcat 6 I don't esee the need to change the default (which might
> even break applications). Instead such settings should be taken into
> account when setting up a Tomcat site.
> For Squeeze you add a README.Debian or such pointing to the option
> and the recommendation to use the option?
I don't think we can update the Squeeze README for this anymore.
A note could be added to the sid version of tomcat6.
However, this is not a vulnerability, only extra hardening which is surely
useful but not a vulnerability in itself. I'm therefore downgrading this
bug to minor: the request to update the README.Debian.
More information about the pkg-java-maintainers