Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

tony mancill tmancill at debian.org
Thu May 31 05:48:36 UTC 2012

On 05/30/2012 05:30 AM, Thijs Kinkhorst wrote:
> severity 608286 minor
> thanks
>> httpOnly has been made the default in Tomcat 7, so this ID is
>> essentially about an insecure default setting.
>> For Tomcat 6 I don't esee the need to change the default (which might
>> even break applications). Instead such settings should be taken into
>> account when setting up a Tomcat site.
>> For Squeeze you add a README.Debian or such pointing to the option
>> and the recommendation to use the option?
> I don't think we can update the Squeeze README for this anymore.
> A note could be added to the sid version of tomcat6.
> However, this is not a vulnerability, only extra hardening which is surely
> useful but not a vulnerability in itself. I'm therefore downgrading this
> bug to minor: the request to update the README.Debian.

Thank you for looking into this bug.  I shouldn't have let this one go
for so long, but honestly, I'm not sure about the text to add to the
package readme.

Can you propose appropriate wording to add to README.Debian.  Would it
be sufficient to reference the CVE and include a link (say, to [1])?

Thank you,

[1] http://www.securityfocus.com/archive/1/archive/1/514866/100/0/threaded

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20120530/7602100c/attachment.pgp>

More information about the pkg-java-maintainers mailing list