Processed: Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

2012-05-30 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org: > severity 608286 minor Bug #608286 [tomcat6] CVE-2010-4312: does not use HTTPOnly for session cookies by default Severity set to 'minor' from 'serious' > thanks Stopping processing here. Please contact me if you need assistance. -- 608286: http:

Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

2012-05-30 Thread Thijs Kinkhorst
severity 608286 minor thanks > httpOnly has been made the default in Tomcat 7, so this ID is > essentially about an insecure default setting. > > For Tomcat 6 I don't see the need to change the default (which might > even break applications). Instead such settings should be taken into > account w

Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

2011-01-10 Thread Moritz Muehlenhoff
On Fri, Dec 31, 2010 at 07:57:13AM -0800, tony mancill wrote: > FYI, we applied patches for that Apache upstream SVN revision as part of > CVE-2010-4172. I reviewed the patch posted here [0], and we already > have all of it except for this bit. CVE-2010-4172 is fully fixed. MITRE later on assigne

Processed: Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

2011-01-04 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org: > user release.debian@packages.debian.org Setting user to release.debian@packages.debian.org (was jcris...@debian.org). > usertag 608286 squeeze-can-defer Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by d

Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

2011-01-04 Thread Julien Cristau
user release.debian@packages.debian.org usertag 608286 squeeze-can-defer tag 608286 squeeze-ignore kthxbye On Wed, Dec 29, 2010 at 18:29:40 +0100, Giuseppe Iuculano wrote: > Package: tomcat6 > Severity: serious > Tags: security > > Hi, > the following CVE (Common Vulnerabilities & Exposures)

Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

2010-12-31 Thread tony mancill
FYI, we applied patches for that Apache upstream SVN revision as part of CVE-2010-4172. I reviewed the patch posted here [0], and we already have all of it except for this bit. @@ -54,7 +56,7 @@ Guessed Locale - - <%= JspHelper.guessDisplayLocaleFromSession(currentSession) %> + <%= JspHelper.es

Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

2010-12-29 Thread Niels Thykier
Tags: patch See http://svn.apache.org/viewvc?view=revision&revision=1037779 (sorry for double mail to pkg-java list) On 2010-12-29 18:29, Giuseppe Iuculano wrote: > Package: tomcat6 > Severity: serious > Tags: security > > Hi, > the following CVE

Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default

2010-12-29 Thread Giuseppe Iuculano
Package: tomcat6 Severity: serious Tags: security Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for tomcat6. CVE-2010-4312[0]: | The default configuration of Apache Tomcat 6.x does not include the | HTTPOnly flag in a Se