severity 608286 minor
thanks

> httpOnly has been made the default in Tomcat 7, so this ID is
> essentially about an insecure default setting.
>
> For Tomcat 6 I don't see the need to change the default (which might
> even break applications). Instead such settings should be taken into
> account when setting up a Tomcat site.
>
> For Squeeze you add a README.Debian or such pointing to the option
> and the recommendation to use the option?
I don't think we can update the Squeeze README for this anymore. A note could be added to the sid version of tomcat6. However, this is not a vulnerability, only extra hardening which is surely useful but not a vulnerability in itself. I'm therefore downgrading this bug to minor: the request to update the README.Debian.

Cheers,
Thijs
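The option the thread refers to, shown here as an added example that is not part of the bug report or of the Debian tomcat6 package: in Tomcat 6 the HttpOnly flag on the JSESSIONID cookie is controlled by the useHttpOnly attribute of the Context element (in Tomcat 7 it defaults to true, which is the change mentioned above). The file path /etc/tomcat6/context.xml and the excerpt of its shipped contents are assumptions for illustration; the first fragment is the weak configuration, the second the hardened one.

```xml
<!-- Before (assumed excerpt of Debian's /etc/tomcat6/context.xml):
     no useHttpOnly attribute, so Tomcat 6 uses its default of false and
     issues JSESSIONID without the HttpOnly flag. -->
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>

<!-- After: global context hardened. useHttpOnly="true" makes Tomcat append
     "; HttpOnly" to the Set-Cookie header for the session cookie of every
     web application deployed on this instance, unless an application's own
     META-INF/context.xml overrides the attribute. -->
<Context useHttpOnly="true">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
```

After restarting tomcat6, request a page that creates a session (for example `curl -si http://localhost:8080/<app>/`, URL assumed) and confirm that the `Set-Cookie: JSESSIONID=...` line ends in `; HttpOnly`. The caveat raised in the quoted message is real: an application whose client-side JavaScript reads the session id from document.cookie stops working once the flag is set, so the setting belongs in site configuration (or the application's own context.xml) rather than being forced on by the package.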