FYI, we applied patches for that Apache upstream SVN revision as part of CVE-2010-4172. I reviewed the patch posted here [0], and we already have all of it except for this bit.
@@ -54,7 +56,7 @@ </tr> <tr> <th>Guessed Locale</th> - - <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession) %></td> + <td><%= JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSessi on)) %></td> </tr> <tr> <th>Guessed User</th>

I'll prepare an upload that includes this patch, but otherwise I believe we've already addressed this due to the overlap of the response with CVE-2010-4172.

Thank you,
tony

[0] http://www.securityfocus.com/archive/1/archive/1/514866/100/0/threaded

On 12/29/2010 11:39 AM, Niels Thykier wrote:
> Tags: patch
>
> See http://svn.apache.org/viewvc?view=revision&revision=1037779
>
> (sorry for double mail to pkg-java list)
>
> On 2010-12-29 18:29, Giuseppe Iuculano wrote:
>> Package: tomcat6
>> Severity: serious
>> Tags: security
>>
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for tomcat6.
>>
>> CVE-2010-4312[0]:
>> | The default configuration of Apache Tomcat 6.x does not include the
>> | HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
>> | attackers to hijack a session via script access to a cookie.
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
>>
>> For further information see:
>>
>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
>> http://security-tracker.debian.org/tracker/CVE-2010-4312
>
> __
> This is the maintainer address of Debian's Java team
> <http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers>.
> Please use
> [email protected] for discussions and questions.
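Review bot: the `+` line of this hunk reads `currentSessi on` (a space inside the identifier) and the removed line is marked `- -`; both look like line wrapping introduced by the mail archive rather than the upstream change, and applying the text literally would leave a JSP that does not compile, so take the hunk from the linked SVN revision 1037779 or the securityfocus post rather than from this message. The substance of the change, wrapping the guessed locale in `JspHelper.escapeXml(...)` before it is written into the `<td>`, matches the other escapeXml changes the message says are already applied under CVE-2010-4172, so only this one cell is left to cover.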
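As an added illustration of the CVE-2010-4312 item quoted in the thread (this is not part of any message above): Tomcat 6 sets the HttpOnly flag on its session cookie only when the `useHttpOnly` attribute is enabled on the `<Context>` element, and the 6.x default leaves it off. The `useHttpOnly` attribute and the `conf/context.xml` location are standard Tomcat 6 configuration (the attribute exists from Tomcat 6.0.19 on); the surrounding context definitions are a constructed example showing the weak default beside the corrected setting.

```xml
<!-- conf/context.xml as shipped by Tomcat 6.x: no useHttpOnly attribute, so the
     JSESSIONID Set-Cookie header is emitted without "; HttpOnly" (CVE-2010-4312).
     Constructed example of the weak default. -->
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>

<!-- Hardened form: useHttpOnly="true" makes Tomcat append "; HttpOnly" to the
     session cookie for every web application that inherits this default context.
     Constructed example of the corrected setting. -->
<Context useHttpOnly="true">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
```

Only one of the two `<Context>` blocks belongs in the real file; they are shown side by side for comparison. After restarting Tomcat, the check is the first response that creates a session: its `Set-Cookie: JSESSIONID=...` header should end with `HttpOnly`, which is what denies script access to the cookie value that the CVE text describes.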

