Hi,

> > However, this is not a vulnerability, only extra hardening which is surely
> > useful but not a vulnerability in itself. I'm therefore downgrading this
> > bug to minor: the request to update the README.Debian.
>
> Thank you for looking into this bug. I shouldn't have let this one go
> for so long, but honestly, I'm not sure about the text to add to the
> package readme.
>
> Can you propose appropriate wording to add to README.Debian. Would it
> be sufficient to reference the CVE and include a link (say, to [1])?

See attached patch for a change to README.Debian. I've tested it and confirmed that it has the desired effect. Please apply it to the repository; I'm not sure that a separate upload to wheezy is warranted for this but if you're going to make an upload before the release please be sure to include this as well.

Cheers,
Thijs
>From dc6b6fd64005150321bc27ef118c986e845ebcc0 Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst <th...@debian.org> Date: Fri, 27 Jul 2012 12:58:35 +0200 Subject: [PATCH] Add readme section to tell users about httponly cookies. httponly session cookies are a useful proactive security measure to mitigate against the effects of cross site scripting attacks by making the cookie inaccessible from JavaScript code. Tomcat 7 turns this on by default. Httponly not being on by default is referred to as CVE-2010-4312. --- debian/README.Debian | 15 +++++++++++++++ 1 files changed, 15 insertions(+), 0 deletions(-) diff --git a/debian/README.Debian b/debian/README.Debian index 6b72eab..5217a4c 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -25,6 +25,21 @@ Getting started: wish. See the "man authbind" for information on configuring authbind. +SECURITY: + +Tomcat 6 session cookies are sent with the httponly flag disabled by default. +It is recommended as a proactive security measure to turn this setting on +to mitigate cross site scripting attacks: httponly cookies cannot be 'stolen' +via JavaScript, a common vector in such attacks. + +The httponly setting can be enabled by adding the useHttpOnly attribute +to <Context> in /etc/tomcat6/context.xml: + + <Context useHttpOnly="true"> + +Httponly not being on by default is referred to as CVE-2010-4172. + + NEWS: tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low -- 1.7.2.5
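Review bot: the CVE identifier in the added README text ("Httponly not being on by default is referred to as CVE-2010-4172.") does not match the one in the commit message ("referred to as CVE-2010-4312"); both sentences describe the same issue, so one of the two numbers is a typo and they should agree before the patch is applied. A smaller wording point in the same hunk: the snippet `<Context useHttpOnly="true">` shows only an opening tag, so the sentence before it would be clearer as an instruction to add the attribute to the existing `<Context>` element in /etc/tomcat6/context.xml rather than to add a new element.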