Hi,

> > However, this is not a vulnerability, only extra hardening which is surely
> > useful but not a vulnerability in itself. I'm therefore downgrading this
> > bug to minor: the request to update the README.Debian.

> Thank you for looking into this bug.  I shouldn't have let this one go
> for so long, but honestly, I'm not sure about the text to add to the
> package readme.

> Can you propose appropriate wording to add to README.Debian?  Would it
> be sufficient to reference the CVE and include a link (say, to [1])?

See attached patch for a change to README.Debian. I've tested it and
confirmed that it has the desired effect.

Please apply it to the repository; I'm not sure that a separate upload to
wheezy is warranted for this, but if you're going to make an upload before
the release, please be sure to include this as well.


Cheers,
Thijs
From dc6b6fd64005150321bc27ef118c986e845ebcc0 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <th...@debian.org>
Date: Fri, 27 Jul 2012 12:58:35 +0200
Subject: [PATCH] Add readme section to tell users about httponly cookies.

httponly session cookies are a useful proactive security measure to mitigate
against the effects of cross site scripting attacks by making the cookie
inaccessible from JavaScript code.

Tomcat 7 turns this on by default. Httponly not being on by default is
referred to as CVE-2010-4312.
---
 debian/README.Debian |   15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/debian/README.Debian b/debian/README.Debian
index 6b72eab..5217a4c 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -25,6 +25,21 @@ Getting started:
     wish.  See the "man authbind" for information on configuring
     authbind.
 
+SECURITY:
+
+Tomcat 6 session cookies are sent with the httponly flag disabled by default.
+It is recommended as a proactive security measure to turn this setting on
+to mitigate cross site scripting attacks: httponly cookies cannot be 'stolen'
+via JavaScript, a common vector in such attacks.
+
+The httponly setting can be enabled by adding the useHttpOnly attribute
+to <Context> in /etc/tomcat6/context.xml:
+
+  <Context useHttpOnly="true">
+
+Httponly not being on by default is referred to as CVE-2010-4172.
+
+
 NEWS:
 
 tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low
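Review bot: the CVE identifier in the added README text does not match the commit message. The hunk's last added line reads "Httponly not being on by default is referred to as CVE-2010-4172." while the commit message above says "Httponly not being on by default is referred to as CVE-2010-4312." One of the two is a typo; please check the identifier against the CVE entry and make the README line and the commit message agree before this is applied, since users will search by the number given in README.Debian.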
-- 
1.7.2.5
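To verify that the README change has the effect the patch describes, here is a small added audit helper (not part of the bug report or the Debian package) that parses Set-Cookie headers and reports whether Tomcat's JSESSIONID cookie carries the HttpOnly flag; the sample headers are constructed, and the live check assumes the requested page creates a session.

```python
import urllib.request
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attribute flags.

    Attribute names are compared case-insensitively, as browsers do, so both
    "HttpOnly" and "httponly" count.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def audit_cookies(set_cookie_headers: List[str], session_cookie: str = "JSESSIONID") -> List[str]:
    """Return findings for the session cookie; an empty list means it is HttpOnly."""
    findings = []
    seen = False
    for value in set_cookie_headers:
        cookie = parse_set_cookie(value)
        if cookie["name"] != session_cookie:
            continue
        seen = True
        if not cookie["httponly"]:
            findings.append(f"{session_cookie} is set without the HttpOnly flag")
    if not seen:
        findings.append(f"no {session_cookie} cookie was observed")
    return findings


def audit_url(url: str, session_cookie: str = "JSESSIONID") -> List[str]:
    """Live check: fetch a URL and audit the Set-Cookie headers of the response."""
    with urllib.request.urlopen(url) as resp:
        headers = resp.headers.get_all("Set-Cookie") or []
    return audit_cookies(headers, session_cookie)


# Constructed sample headers: the Tomcat 6 default (no flag) and the same
# response after useHttpOnly="true" is set on <Context> in context.xml.
BEFORE = ["JSESSIONID=1A2B3C4D5E6F; Path=/examples"]
AFTER = ["JSESSIONID=1A2B3C4D5E6F; Path=/examples; HttpOnly"]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_cookies(hdrs) or ["OK: session cookie has HttpOnly"])
```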