severity 608286 minor
thanks

> httpOnly has been made the default in Tomcat 7, so this ID is
> essentially about an insecure default setting.
>
> For Tomcat 6 I don't see the need to change the default (which might
> even break applications). Instead such settings should be taken into
> account when setting up a Tomcat site.
>
> For Squeeze you add a README.Debian or such pointing to the option
> and the recommendation to use the option?
I don't think we can update the Squeeze README for this anymore. A note could be added to the sid version of tomcat6.

However, this is not a vulnerability, only extra hardening which is surely useful but not a vulnerability in itself. I'm therefore downgrading this bug to minor: the request to update the README.Debian.

Cheers,
Thijs

-- 
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
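As an added illustration, not part of the bug report or of the Debian tomcat6 package: a small Python check that flags Tomcat session cookies (JSESSIONID) served without the HttpOnly attribute, which is the hardening this thread is about. The sample header lines are constructed, and the Tomcat 6 Context attribute `useHttpOnly` named in the comment is not mentioned on this page.

```python
# Constructed sample Set-Cookie header lines (not captured from a real server).
# "tomcat6-default" mimics a Tomcat 6 server left at its default (no HttpOnly);
# "tomcat6-hardened" mimics one where the operator enabled the HttpOnly flag
# (in Tomcat 6 this is the Context attribute useHttpOnly="true"; that attribute
# name comes from Tomcat documentation, not from the bug report above).
SAMPLE_HEADERS = {
    "tomcat6-default": [
        "Set-Cookie: JSESSIONID=ABC123DEF456; Path=/app",
    ],
    "tomcat6-hardened": [
        "Set-Cookie: JSESSIONID=ABC123DEF456; Path=/app; HttpOnly",
        "Set-Cookie: theme=dark; Path=/app",
    ],
}

# Cookie names that carry the servlet session and therefore should be HttpOnly.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_line):
    """Return (cookie_name, {attribute: value}) for one raw 'Set-Cookie:' line.

    Attribute names are lower-cased; bare flags such as HttpOnly map to ''."""
    _, _, value = header_line.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def missing_httponly(header_lines, session_names=SESSION_COOKIE_NAMES):
    """Names of session cookies in header_lines that lack the HttpOnly flag."""
    missing = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        if name in session_names and "httponly" not in attrs:
            missing.append(name)
    return missing


def audit(samples=SAMPLE_HEADERS):
    """Map each sample label to the session cookies it serves without HttpOnly."""
    return {label: missing_httponly(lines) for label, lines in samples.items()}


if __name__ == "__main__":
    for label, names in audit().items():
        print(label, "OK" if not names else "missing HttpOnly on " + ", ".join(names))
```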