Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
tony mancill
tmancill at debian.org
Tue Aug 7 04:37:36 UTC 2012
On 07/27/2012 04:08 AM, Thijs Kinkhorst wrote:
> Hi,
>
>>> However, this is not a vulnerability, only extra hardening which is
> surely
>>> useful but not a vulnerability in itself. I'm therefore downgrading this
>>> bug to minor: the request to update the README.Debian.
>
>> Thank you for looking into this bug. I shouldn't have let this one go
>> for so long, but honestly, I'm not sure about the text to add to the
>> package readme.
>
>> Can you propose appropriate wording to add to README.Debian. Would it
>> be sufficient to reference the CVE and include a link (say, to [1])?
>
> See attached patch for a change to README.Debian. I've tested it and
> confirmed that it has the desired effect.
>
> Please apply it to the repository; I'm not sure that a separate upload to
> wheezy is warranted for this but if you're going to make an upload before
> the release please be sure to include this aswell.
>
>
> Cheers,
> Thijs
Applied - thank you!
tony
More information about the pkg-java-maintainers
mailing list