Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

Niels Thykier niels at thykier.net
Wed Dec 29 19:39:07 UTC 2010



Tags: patch

See http://svn.apache.org/viewvc?view=revision&revision=1037779

(sorry for double mail to pkg-java list)

On 2010-12-29 18:29, Giuseppe Iuculano wrote:
> Package: tomcat6
> Severity: serious
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for tomcat6.
>
> CVE-2010-4312[0]:
> | The default configuration of Apache Tomcat 6.x does not include the
> | HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
> | attackers to hijack a session via script access to a cookie.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
>     http://security-tracker.debian.org/tracker/CVE-2010-4312
>
>

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers>.
Please use debian-java at lists.debian.org for discussions and questions.
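The CVE quoted above comes down to one check: does the Set-Cookie header that carries the session id include the HttpOnly attribute? The script below is an added example (not part of this bug report or of Tomcat itself) that parses a response's headers, picks out Set-Cookie lines, and reports session cookies that lack HttpOnly (and, optionally, Secure). The sample responses and the cookie names it treats as session cookies are constructed for the example.

```python
"""Audit HTTP response headers for session cookies missing HttpOnly/Secure.

Added example, not code from the Debian bug report or from Apache Tomcat.
"""

# Constructed sample responses: the first mimics a Tomcat 6 default
# (session cookie without HttpOnly), the second a hardened configuration.
SAMPLE_RESPONSES = {
    "tomcat6-default": [
        "HTTP/1.1 200 OK",
        "Server: Apache-Coyote/1.1",
        "Set-Cookie: JSESSIONID=ABCDEF1234567890; Path=/app",
        "Content-Type: text/html;charset=UTF-8",
    ],
    "tomcat6-httponly": [
        "HTTP/1.1 200 OK",
        "Set-Cookie: JSESSIONID=ABCDEF1234567890; Path=/app; HttpOnly",
        "Set-Cookie: theme=dark; Path=/",
    ],
}

# Cookie names treated as session identifiers (assumption for this example;
# extend with your application's own session cookie name).
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "sessionid", "session"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_cookies(header_lines, require_secure=False):
    """Return findings ("cookie: problem") for session cookies in the headers.

    require_secure=True additionally reports session cookies without the
    Secure attribute (relevant when the application is served over TLS).
    """
    findings = []
    for line in header_lines:
        if ":" not in line:
            continue  # status line or malformed header
        header_name, header_value = line.split(":", 1)
        if header_name.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(header_value)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue  # non-session cookies are out of scope for this check
        if "httponly" not in attrs:
            findings.append(f"{name}: session cookie without HttpOnly")
        if require_secure and "secure" not in attrs:
            findings.append(f"{name}: session cookie without Secure")
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, audit_cookies(headers, require_secure=True) or "OK")
```

Run against captured headers (for example from a `curl -i` of the login page), the "tomcat6-default" case reproduces the CVE finding, while the "tomcat6-httponly" case passes. On Tomcat 6 the remedy is the `useHttpOnly="true"` attribute on the Context element (conf/context.xml), which the referenced upstream revision turns on by default.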

