> > However, this is not a vulnerability, only extra hardening which is
> > useful but not a vulnerability in itself. I'm therefore downgrading this
> > bug to minor: the request to update the README.Debian.
> Thank you for looking into this bug. I shouldn't have let this one go
> for so long, but honestly, I'm not sure about the text to add to the
> package readme.
> Can you propose appropriate wording to add to README.Debian. Would it
> be sufficient to reference the CVE and include a link (say, to )?
See attached patch for a change to README.Debian. I've tested it and
confirmed that it has the desired effect.
Please apply it to the repository; I'm not sure that a separate upload to
wheezy is warranted for this but if you're going to make an upload before
the release please be sure to include this as well.
From dc6b6fd64005150321bc27ef118c986e845ebcc0 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <th...@debian.org>
Date: Fri, 27 Jul 2012 12:58:35 +0200
Subject: [PATCH] Add readme section to tell users about httponly cookies.
httponly session cookies are a useful proactive security measure to mitigate
against the effects of cross site scripting attacks by making the cookie
Tomcat 7 turns this on by default. Httponly not being on by default is
referred to as CVE-2010-4312.
debian/README.Debian | 15 +++++++++++++++
1 files changed, 15 insertions(+), 0 deletions(-)
diff --git a/debian/README.Debian b/debian/README.Debian
index 6b72eab..5217a4c 100644
@@ -25,6 +25,21 @@ Getting started:
wish. See the "man authbind" for information on configuring
+Tomcat 6 session cookies are sent with the httponly flag disabled by default.
+It is recommended as a proactive security measure to turn this setting on
+to mitigate cross site scripting attacks: httponly cookies cannot be 'stolen'
+The httponly setting can be enabled by adding the useHttpOnly attribute
+to <Context> in /etc/tomcat6/context.xml:
+ <Context useHttpOnly="true">
+Httponly not being on by default is referred to as CVE-2010-4172.
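Review bot: the CVE identifier in the last added line of this hunk (CVE-2010-4172) does not match the one in the commit message (CVE-2010-4312); CVE-2010-4312 is the identifier assigned to Tomcat 6 not setting HttpOnly on session cookies by default, so the README line should read "Httponly not being on by default is referred to as CVE-2010-4312." before this is applied, otherwise users following the README's pointer will land on an unrelated issue.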
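As an added example that is not part of this thread or of the Debian package, the following Python checks do what the reply above describes testing by hand: confirm that the <Context> element in context.xml carries useHttpOnly="true", and confirm from the resulting Set-Cookie header that the JSESSIONID cookie now has the HttpOnly flag. The context.xml fragments and header values are constructed samples.

```python
"""Audit helpers for the Tomcat 6 HttpOnly session-cookie setting."""
import xml.etree.ElementTree as ET

# Constructed sample of /etc/tomcat6/context.xml before and after the README's change.
CONTEXT_XML_DEFAULT = (
    "<Context>\n"
    "  <WatchedResource>WEB-INF/web.xml</WatchedResource>\n"
    "</Context>\n"
)
CONTEXT_XML_HARDENED = CONTEXT_XML_DEFAULT.replace("<Context>", '<Context useHttpOnly="true">')

# Constructed Set-Cookie header values, as a servlet container would send them
# without and with the flag (the session id is a made-up value).
SET_COOKIE_DEFAULT = "JSESSIONID=4F3A1B2C9D8E7F6A; Path=/myapp"
SET_COOKIE_HARDENED = "JSESSIONID=4F3A1B2C9D8E7F6A; Path=/myapp; HttpOnly"


def context_has_httponly(context_xml: str) -> bool:
    """True if the root <Context> element sets useHttpOnly="true" (value compared case-insensitively)."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("root element is %r, expected Context" % root.tag)
    return root.get("useHttpOnly", "false").strip().lower() == "true"


def cookies_missing_httponly(set_cookie_headers, session_cookie="JSESSIONID"):
    """Return the names of session cookies, from a list of Set-Cookie header
    values, that are sent without the HttpOnly attribute.

    Each value has the form 'name=value; attr; attr=value ...'; attribute
    names are matched case-insensitively, as browsers treat them.
    """
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        if name != session_cookie:
            continue  # only the session cookie is in scope here
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for label, xml, hdr in (("default", CONTEXT_XML_DEFAULT, SET_COOKIE_DEFAULT),
                            ("hardened", CONTEXT_XML_HARDENED, SET_COOKIE_HARDENED)):
        print(label, "useHttpOnly:", context_has_httponly(xml),
              "cookies lacking HttpOnly:", cookies_missing_httponly([hdr]))
```

On a live host the header list would come from the Set-Cookie values of a response that created a session, e.g. via a GET to a deployed webapp after restarting Tomcat.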