Hi,
> > However, this is not a vulnerability, only extra hardening which is surely
> > useful but not a vulnerability in itself. I'm therefore downgrading this
> > bug to minor: the request to update the README.Debian.
> Thank you for looking into this bug. I shouldn't have let this one go for
On 05/30/2012 05:30 AM, Thijs Kinkhorst wrote:
> severity 608286 minor
> thanks
>
>> httpOnly has been made the default in Tomcat 7, so this ID is
>> essentially about an insecure default setting.
>>
>> For Tomcat 6 I don't see the need to change the default (which might
>> even break application
severity 608286 minor
thanks
> httpOnly has been made the default in Tomcat 7, so this ID is
> essentially about an insecure default setting.
>
> For Tomcat 6 I don't see the need to change the default (which might
> even break applications). Instead such settings should be taken into
> account w
On Fri, Dec 31, 2010 at 07:57:13AM -0800, tony mancill wrote:
> FYI, we applied patches for that Apache upstream SVN revision as part of
> CVE-2010-4172. I reviewed the patch posted here [0], and we already
> have all of it except for this bit.
CVE-2010-4172 is fully fixed. MITRE later on assigne
user release.debian@packages.debian.org
usertag 608286 squeeze-can-defer
tag 608286 squeeze-ignore
kthxbye
On Wed, Dec 29, 2010 at 18:29:40 +0100, Giuseppe Iuculano wrote:
> Package: tomcat6
> Severity: serious
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures)
FYI, we applied patches for that Apache upstream SVN revision as part of
CVE-2010-4172. I reviewed the patch posted here [0], and we already
have all of it except for this bit.
@@ -54,7 +56,7 @@
Guessed Locale
- - <%= JspHelper.guessDisplayLocaleFromSession(currentSession)
%>
+ <%=
JspHelper.es
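Review bot: the removed line writes the value of `JspHelper.guessDisplayLocaleFromSession(currentSession)` into the page through a bare `<%= ... %>` expression, and the replacement is cut off at `JspHelper.es` in this excerpt, so the hunk as shown does not let a reader confirm what wraps the value. When checking the full patch, confirm that every other session-derived field rendered by this JSP gets the same treatment as "Guessed Locale", since this hunk covers only one output expression.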
Tags: patch
See http://svn.apache.org/viewvc?view=revision&revision=1037779
(sorry for double mail to pkg-java list)
On 2010-12-29 18:29, Giuseppe Iuculano wrote:
> Package: tomcat6
> Severity: serious
> Tags: security
>
> Hi,
> the following CVE
Package: tomcat6
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for tomcat6.
CVE-2010-4312[0]:
| The default configuration of Apache Tomcat 6.x does not include the
| HTTPOnly flag in a Se