Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
On 07/27/2012 04:08 AM, Thijs Kinkhorst wrote:
> Hi,
>
> > > However, this is not a vulnerability, only extra hardening which is surely useful but not a vulnerability in itself. I'm therefore downgrading this bug to minor: the request to update the README.Debian.
> >
> > Thank you for looking into this bug. I shouldn't have let this one go for so long, but honestly, I'm not sure about the text to add to the package readme. Can you propose appropriate wording to add to README.Debian? Would it be sufficient to reference the CVE and include a link (say, to [1])?
>
> See attached patch for a change to README.Debian. I've tested it and confirmed that it has the desired effect. Please apply it to the repository; I'm not sure that a separate upload to wheezy is warranted for this but if you're going to make an upload before the release please be sure to include this as well.
>
> Cheers,
> Thijs

Applied - thank you!

tony

__
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
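Thijs mentions having tested that the README change has the desired effect. The check below is an added example, not code from this thread or from the tomcat6 package: it parses the Set-Cookie headers a Tomcat instance returns and reports any JSESSIONID (Tomcat's default session cookie name) that lacks the HttpOnly attribute. The sample headers are constructed, and the optional live fetch assumes a Tomcat listening on localhost:8080.

```python
import http.client
from typing import Dict, List, Tuple

SESSION_COOKIE = "JSESSIONID"  # Tomcat's default session cookie name


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' compare equal;
    flag attributes that carry no value (HttpOnly, Secure) map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def session_cookies_without_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Return every session-cookie header that lacks the HttpOnly attribute."""
    missing = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name == SESSION_COOKIE and "httponly" not in attrs:
            missing.append(header)
    return missing


def fetch_set_cookie_headers(host: str, port: int, path: str) -> List[str]:
    """Live check: GET a path and return the response's Set-Cookie headers."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return headers


# Constructed samples: Tomcat 6's default cookie, and the same cookie once
# <Context useHttpOnly="true"> is set in /etc/tomcat6/context.xml.
DEFAULT_HEADERS = ["JSESSIONID=0123456789ABCDEF; Path=/manager"]
HARDENED_HEADERS = ["JSESSIONID=0123456789ABCDEF; Path=/manager; HttpOnly"]

if __name__ == "__main__":
    # Assumes a local Tomcat; the path must hit a webapp that creates a session.
    live = fetch_set_cookie_headers("localhost", 8080, "/")
    print(session_cookies_without_httponly(live) or "session cookies are HttpOnly")
```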
Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Hi,

> > However, this is not a vulnerability, only extra hardening which is surely useful but not a vulnerability in itself. I'm therefore downgrading this bug to minor: the request to update the README.Debian.
>
> Thank you for looking into this bug. I shouldn't have let this one go for so long, but honestly, I'm not sure about the text to add to the package readme. Can you propose appropriate wording to add to README.Debian? Would it be sufficient to reference the CVE and include a link (say, to [1])?

See attached patch for a change to README.Debian. I've tested it and confirmed that it has the desired effect. Please apply it to the repository; I'm not sure that a separate upload to wheezy is warranted for this but if you're going to make an upload before the release please be sure to include this as well.

Cheers,
Thijs

From dc6b6fd64005150321bc27ef118c986e845ebcc0 Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst th...@debian.org Date: Fri, 27 Jul 2012 12:58:35 +0200 Subject: [PATCH] Add readme section to tell users about httponly cookies. httponly session cookies are a useful proactive security measure to mitigate against the effects of cross site scripting attacks by making the cookie inaccessible from JavaScript code. Tomcat 7 turns this on by default. Httponly not being on by default is referred to as CVE-2010-4312. --- debian/README.Debian | 15 +++ 1 files changed, 15 insertions(+), 0 deletions(-) diff --git a/debian/README.Debian b/debian/README.Debian index 6b72eab..5217a4c 100644 --- a/debian/README.Debian +++ b/debian/README.Debian
@@ -25,6 +25,21 @@ Getting started: wish. See the man authbind for information on configuring authbind. +SECURITY: + +Tomcat 6 session cookies are sent with the httponly flag disabled by default. +It is recommended as a proactive security measure to turn this setting on +to mitigate cross site scripting attacks: httponly cookies cannot be 'stolen' +via JavaScript, a common vector in such attacks. + +The httponly setting can be enabled by adding the useHttpOnly attribute +to Context in /etc/tomcat6/context.xml: + + Context useHttpOnly=true + +Httponly not being on by default is referred to as CVE-2010-4172. + + NEWS: tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low -- 1.7.2.5 __ This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
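Review bot: the CVE id in the added README line "Httponly not being on by default is referred to as CVE-2010-4172." does not match the issue this patch is for; the commit message and the bug title both name CVE-2010-4312, and CVE-2010-4172 is the separate manager-application issue Moritz describes earlier in this thread as already fully fixed, so the README line should say CVE-2010-4312. Also, the snippet shown as "Context useHttpOnly=true" would need to be a complete element, `<Context useHttpOnly="true">`, for a reader to paste it into /etc/tomcat6/context.xml; if the angle brackets and quotes are present in the file and were only lost in the archive, disregard that part.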
Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
severity 608286 minor
thanks

> httpOnly has been made the default in Tomcat 7, so this ID is essentially about an insecure default setting. For Tomcat 6 I don't see the need to change the default (which might even break applications). Instead such settings should be taken into account when setting up a Tomcat site. For Squeeze you add a README.Debian or such pointing to the option and the recommendation to use the option?

I don't think we can update the Squeeze README for this anymore. A note could be added to the sid version of tomcat6. However, this is not a vulnerability, only extra hardening which is surely useful but not a vulnerability in itself. I'm therefore downgrading this bug to minor: the request to update the README.Debian.

Cheers,
Thijs
Processed: Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Processing commands for cont...@bugs.debian.org:

severity 608286 minor
Bug #608286 [tomcat6] CVE-2010-4312: does not use HTTPOnly for session cookies by default
Severity set to 'minor' from 'serious'

thanks
Stopping processing here.

Please contact me if you need assistance.
--
608286: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608286
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
On 05/30/2012 05:30 AM, Thijs Kinkhorst wrote:
> severity 608286 minor
> thanks
>
> > httpOnly has been made the default in Tomcat 7, so this ID is essentially about an insecure default setting. For Tomcat 6 I don't see the need to change the default (which might even break applications). Instead such settings should be taken into account when setting up a Tomcat site. For Squeeze you add a README.Debian or such pointing to the option and the recommendation to use the option?
>
> I don't think we can update the Squeeze README for this anymore. A note could be added to the sid version of tomcat6. However, this is not a vulnerability, only extra hardening which is surely useful but not a vulnerability in itself. I'm therefore downgrading this bug to minor: the request to update the README.Debian.

Thank you for looking into this bug. I shouldn't have let this one go for so long, but honestly, I'm not sure about the text to add to the package readme. Can you propose appropriate wording to add to README.Debian? Would it be sufficient to reference the CVE and include a link (say, to [1])?

Thank you,
tony

[1] http://www.securityfocus.com/archive/1/archive/1/514866/100/0/threaded
Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
On Fri, Dec 31, 2010 at 07:57:13AM -0800, tony mancill wrote:
> FYI, we applied patches for that Apache upstream SVN revision as part of CVE-2010-4172. I reviewed the patch posted here [0], and we already have all of it except for this bit.

CVE-2010-4172 is fully fixed. MITRE later on assigned CVE-2010-4312 to this section from the original advisory:

  Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default so this vulnerability could expose session cookies from the manager application to an attacker.

httpOnly has been made the default in Tomcat 7, so this ID is essentially about an insecure default setting. For Tomcat 6 I don't see the need to change the default (which might even break applications). Instead such settings should be taken into account when setting up a Tomcat site. For Squeeze you add a README.Debian or such pointing to the option and the recommendation to use the option?

Cheers,
Moritz
Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
user release.debian@packages.debian.org
usertag 608286 squeeze-can-defer
tag 608286 squeeze-ignore
kthxbye

On Wed, Dec 29, 2010 at 18:29:40 +0100, Giuseppe Iuculano wrote:
> Package: tomcat6
> Severity: serious
> Tags: security
>
> Hi,
>
> the following CVE (Common Vulnerabilities & Exposures) id was published for tomcat6.
>
> CVE-2010-4312[0]:
> | The default configuration of Apache Tomcat 6.x does not include the
> | HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
> | attackers to hijack a session via script access to a cookie.
>
> If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
>     http://security-tracker.debian.org/tracker/CVE-2010-4312

This can be fixed through squeeze-security if it's not ready for squeeze, so tagging as -can-defer.

Cheers,
Julien
Processed: Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Processing commands for cont...@bugs.debian.org:

user release.debian@packages.debian.org
Setting user to release.debian@packages.debian.org (was jcris...@debian.org).

usertag 608286 squeeze-can-defer
Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
There were no usertags set.
Usertags are now: squeeze-can-defer.

tag 608286 squeeze-ignore
Bug #608286 [tomcat6] CVE-2010-4312: does not use HTTPOnly for session cookies by default
Added tag(s) squeeze-ignore.

kthxbye
Stopping processing here.

Please contact me if you need assistance.
Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Tags: patch

See http://svn.apache.org/viewvc?view=revision&revision=1037779

(sorry for double mail to pkg-java list)

On 2010-12-29 18:29, Giuseppe Iuculano wrote:
> Package: tomcat6
> Severity: serious
> Tags: security
>
> Hi,
>
> the following CVE (Common Vulnerabilities & Exposures) id was published for tomcat6.
>
> CVE-2010-4312[0]:
> | The default configuration of Apache Tomcat 6.x does not include the
> | HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
> | attackers to hijack a session via script access to a cookie.
>
> If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
>     http://security-tracker.debian.org/tracker/CVE-2010-4312