Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

Thijs Kinkhorst thijs at debian.org
Fri Jul 27 11:08:50 UTC 2012


Hi,

> > However, this is not a vulnerability, only extra hardening which is surely
> > useful but not a vulnerability in itself. I'm therefore downgrading this
> > bug to minor: the request to update the README.Debian.

> Thank you for looking into this bug.  I shouldn't have let this one go
> for so long, but honestly, I'm not sure about the text to add to the
> package readme.

> Can you propose appropriate wording to add to README.Debian.  Would it
> be sufficient to reference the CVE and include a link (say, to [1])?

See attached patch for a change to README.Debian. I've tested it and
confirmed that it has the desired effect.

Please apply it to the repository; I'm not sure that a separate upload to
wheezy is warranted for this but if you're going to make an upload before
the release please be sure to include this as well.


Cheers,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-readme-section-to-tell-users-about-httponly-cook.patch
Type: text/x-diff
Size: 1464 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20120727/4c5d3881/attachment.patch>
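The mail only references the attached README patch and says the change was tested for "the desired effect". As an added example (not code from the mail, the attached patch, or the Debian package), the following shows one way to confirm that effect: parse the Set-Cookie headers a server returns and report session cookies that are set without the HttpOnly attribute (and, as a secondary check, without Secure). The header samples and the list of session cookie names are constructed assumptions for illustration.

```python
"""Report session cookies set without HttpOnly (and Secure).

Added example, not part of the original mail or the Debian package. It
parses raw Set-Cookie header values (RFC 6265 style, attributes are
case-insensitive) and flags session cookies lacking HttpOnly.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: names commonly used for session identifiers. Extend this
# for the application actually under test.
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "SESSIONID", "SID"}


@dataclass
class CookieReport:
    name: str
    httponly: bool
    secure: bool
    is_session: bool


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie value such as 'JSESSIONID=abc; Path=/; HttpOnly'."""
    parts = [p.strip() for p in header_value.split(";")]
    # First segment is name=value; everything after it is an attribute.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        is_session=name.upper() in SESSION_COOKIE_NAMES,
    )


def find_unprotected_session_cookies(header_values: Iterable[str]) -> List[str]:
    """Return the names of session cookies that were set without HttpOnly."""
    unprotected = []
    for value in header_values:
        report = parse_set_cookie(value)
        if report.is_session and not report.httponly:
            unprotected.append(report.name)
    return unprotected


def find_insecure_session_cookies(header_values: Iterable[str]) -> List[str]:
    """Return the names of session cookies that were set without Secure."""
    return [
        r.name
        for r in map(parse_set_cookie, header_values)
        if r.is_session and not r.secure
    ]


# Constructed sample: what two responses might send before and after the
# hardening change. These are not captured from any real server.
BEFORE_HARDENING = [
    "JSESSIONID=7F3A1C; Path=/",
    "theme=dark; Path=/; Max-Age=3600",
]
AFTER_HARDENING = [
    "JSESSIONID=7F3A1C; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/; Max-Age=3600",
]


if __name__ == "__main__":
    for label, headers in (("before", BEFORE_HARDENING), ("after", AFTER_HARDENING)):
        missing = find_unprotected_session_cookies(headers)
        print(f"{label}: session cookies without HttpOnly -> {missing or 'none'}")
```

Run it against the Set-Cookie values from a real response (for example, copied from a browser's network panel or a curl -i dump); an empty result for the session cookie after the README change is applied is the confirmation the mail describes. Only cookies whose names are in SESSION_COOKIE_NAMES are considered, so non-session cookies such as a theme preference are not reported.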

