Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

tony mancill tmancill at debian.org
Thu May 31 05:48:36 UTC 2012


On 05/30/2012 05:30 AM, Thijs Kinkhorst wrote:
> severity 608286 minor
> thanks
> 
>> httpOnly has been made the default in Tomcat 7, so this ID is
>> essentially about an insecure default setting.
>>
>> For Tomcat 6 I don't see the need to change the default (which might
>> even break applications). Instead such settings should be taken into
>> account when setting up a Tomcat site.
>>
>> For Squeeze you add a README.Debian or such pointing to the option
>> and the recommendation to use the option?
> 
> I don't think we can update the Squeeze README for this anymore.
> 
> A note could be added to the sid version of tomcat6.
> 
> However, this is not a vulnerability, only extra hardening which is surely
> useful but not a vulnerability in itself. I'm therefore downgrading this
> bug to minor: the request to update the README.Debian.

Thank you for looking into this bug.  I shouldn't have let this one go
for so long, but honestly, I'm not sure about the text to add to the
package readme.

Can you propose appropriate wording to add to README.Debian?  Would it
be sufficient to reference the CVE and include a link (say, to [1])?

Thank you,
tony

[1] http://www.securityfocus.com/archive/1/archive/1/514866/100/0/threaded
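The hardening this bug asks the README to recommend is easy to verify from the outside: a Tomcat instance without the HttpOnly setting emits a JSESSIONID cookie with no HttpOnly attribute, and one with it enabled emits the flag. The following checker is an added example written for this thread, not code from the Tomcat project or the Debian package; the response headers it inspects are constructed samples, and the session cookie name list is an assumption (Tomcat's default is JSESSIONID).

```python
from typing import Dict, List

# Constructed sample headers: the first is what a Tomcat 6 instance with the
# default settings might send, the second the same response after the
# HttpOnly hardening has been enabled.  Neither is captured from a real server.
WEAK_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=ABC123DEF456; Path=/app",
    "Content-Type: text/html",
]
HARDENED_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=ABC123DEF456; Path=/app; HttpOnly",
    "Set-Cookie: theme=dark; Path=/",  # not a session cookie, so not flagged
    "Content-Type: text/html",
]

# Assumption: only the servlet container's session cookie is audited here.
SESSION_COOKIE_NAMES = {"jsessionid"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes such as HttpOnly and Secure carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def session_cookies_without_httponly(header_lines: List[str]) -> List[str]:
    """Return the names of session cookies in a response that lack HttpOnly."""
    missing = []
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if cookie["name"].lower() in SESSION_COOKIE_NAMES \
                and "httponly" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


if __name__ == "__main__":
    print(session_cookies_without_httponly(WEAK_RESPONSE))      # ['JSESSIONID']
    print(session_cookies_without_httponly(HARDENED_RESPONSE))  # []
```

Run it against the headers of a real deployment (for example, the output of a HEAD request to a servlet that creates a session) to confirm the README recommendation has actually taken effect.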


