Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Moritz Muehlenhoff
jmm at inutil.org
Mon Jan 10 17:51:23 UTC 2011
On Fri, Dec 31, 2010 at 07:57:13AM -0800, tony mancill wrote:
> FYI, we applied patches for that Apache upstream SVN revision as part of
> CVE-2010-4172. I reviewed the patch posted here [0], and we already
> have all of it except for this bit.
CVE-2010-4172 is fully fixed. MITRE later on assigned CVE-2010-4312
to this section from the original advisory:
> Users should be aware that Tomcat 6 does not use httpOnly for session
> cookies by default so this vulnerability could expose session cookies
> from the manager application to an attacker.
httpOnly has been made the default in Tomcat 7, so this ID is
essentially about an insecure default setting.
For Tomcat 6 I don't see the need to change the default (which might
even break applications). Instead such settings should be taken into
account when setting up a Tomcat site.
For Squeeze, could you add a README.Debian or such pointing to the option
and the recommendation to use the option?
Cheers,
Moritz
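An added example, not part of the mail thread or the Debian package: since the message leaves the HttpOnly setting to whoever deploys the site (in Tomcat 6 that is the `useHttpOnly` attribute on the Context element), this script checks a response's Set-Cookie headers and reports session cookies that were issued without the flag. The sample responses are constructed; JSESSIONID is Tomcat's default session cookie name.

```python
from typing import Dict, List

# Cookie names treated as session cookies; JSESSIONID is Tomcat's default.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attribute map.

    Attributes are keyed in lower case; valueless attributes (HttpOnly,
    Secure) map to True so callers can test for presence.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def session_cookies_missing_httponly(raw_headers: str) -> List[str]:
    """Return names of session cookies set without HttpOnly in a response.

    raw_headers is the header block of one HTTP response (CRLF or LF lines).
    """
    missing = []
    for line in raw_headers.splitlines():
        field, _, val = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(val)
        if cookie["name"] in SESSION_COOKIE_NAMES and "httponly" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


# Constructed sample: a Tomcat 6 response with the default (no HttpOnly)
# for the manager application's session cookie, plus an unrelated cookie.
SAMPLE_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/manager\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Content-Type: text/html\r\n"
)

# Constructed sample: the same response once useHttpOnly="true" is configured.
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/manager; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
)

if __name__ == "__main__":
    print(session_cookies_missing_httponly(SAMPLE_DEFAULT))   # ['JSESSIONID']
    print(session_cookies_missing_httponly(SAMPLE_HARDENED))  # []
```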