[SCM] tomcat6 packaging branch, master, updated. debian/6.0.35-4-1-g5b6a37d
tony mancill
tmancill at debian.org
Tue Aug 7 04:36:46 UTC 2012
The following commit has been merged in the master branch:
commit 5b6a37d39a37066b3f0d29692e1ebf38b00551f6
Author: tony mancill <tmancill at debian.org>
Date: Mon Aug 6 21:36:36 2012 -0700
apply patch to README.Debian for #608286
diff --git a/debian/README.Debian b/debian/README.Debian
index 6b72eab..5217a4c 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -25,6 +25,21 @@ Getting started:
wish. See the "man authbind" for information on configuring
authbind.
+SECURITY:
+
+Tomcat 6 session cookies are sent with the httponly flag disabled by default.
+It is recommended as a proactive security measure to turn this setting on
+to mitigate cross site scripting attacks: httponly cookies cannot be 'stolen'
+via JavaScript, a common vector in such attacks.
+
+The httponly setting can be enabled by adding the useHttpOnly attribute
+to <Context> in /etc/tomcat6/context.xml:
+
+ <Context useHttpOnly="true">
+
+Httponly not being on by default is referred to as CVE-2010-4172.
+
+
NEWS:
tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low
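Review bot: "to mitigate cross site scripting attacks" overstates what the flag does; httpOnly does not prevent XSS, it only stops a script injected through an XSS bug from reading the session cookie, so the sentence should say it limits the impact of such attacks (session hijacking via stolen JSESSIONID), e.g. "to limit the impact of cross site scripting attacks: httponly cookies cannot be read by JavaScript". The CVE id given here (CVE-2010-4172) does not match the one in the changelog hunk (CVE-2010-4312); one of the two is a typo and they should be reconciled before release. Minor: the new section ends with two blank lines before "NEWS:", where the rest of the file uses one.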
diff --git a/debian/changelog b/debian/changelog
index addd68d..9d1d66b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+tomcat6 (6.0.35-5) UNRELEASED; urgency=low
+
+ * Apply patch to README.Debian to explain setting the HTTPOnly flag
+ in cookies by default; CVE-2010-4312. (Closes: #608286)
+ - Thank you to Thijs Kinkhorst for the patch.
+
+ -- tony mancill <tmancill at debian.org> Mon, 06 Aug 2012 21:29:11 -0700
+
tomcat6 (6.0.35-4) unstable; urgency=low
[ tony mancill ]
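Review bot: the CVE id CVE-2010-4312 here disagrees with CVE-2010-4172 in the README.Debian hunk; please check which one is correct and use the same id in both places. The wording "to explain setting the HTTPOnly flag in cookies by default" is also misleading: the README text added in the other hunk states the flag is disabled by default and only documents how an administrator turns it on in /etc/tomcat6/context.xml, so the package default is unchanged; suggest "to document how to enable the HTTPOnly flag on session cookies".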