CVE-2010-4312: does not use HTTPOnly for session cookies by default

Related Vulnerabilities: CVE-2010-4312   CVE-2010-4172  

Debian Bug report logs - #608286
CVE-2010-4312: does not use HTTPOnly for session cookies by default


Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Wed, 29 Dec 2010 17:33:02 UTC

Severity: minor

Tags: patch, security, squeeze-ignore

Fixed in version tomcat6/6.0.35-5

Done: tony mancill <tmancill@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#608286; Package tomcat6. (Wed, 29 Dec 2010 17:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 29 Dec 2010 17:33:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Date: Wed, 29 Dec 2010 18:29:40 +0100
Package: tomcat6
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for tomcat6.

CVE-2010-4312[0]:
| The default configuration of Apache Tomcat 6.x does not include the
| HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
| attackers to hijack a session via script access to a cookie.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
    http://security-tracker.debian.org/tracker/CVE-2010-4312






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#608286; Package tomcat6. (Wed, 29 Dec 2010 19:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 29 Dec 2010 19:45:03 GMT) (full text, mbox, link).


Message #10 received at 608286@bugs.debian.org (full text, mbox, reply):

From: Niels Thykier <niels@thykier.net>
To: 608286@bugs.debian.org
Subject: Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Date: Wed, 29 Dec 2010 20:39:07 +0100

Tags: patch

See http://svn.apache.org/viewvc?view=revision&revision=1037779

(sorry for double mail to pkg-java list)

On 2010-12-29 18:29, Giuseppe Iuculano wrote:
> Package: tomcat6
> Severity: serious
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for tomcat6.
>
> CVE-2010-4312[0]:
> | The default configuration of Apache Tomcat 6.x does not include the
> | HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
> | attackers to hijack a session via script access to a cookie.
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
>     http://security-tracker.debian.org/tracker/CVE-2010-4312
>
>

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers>.
Please use
debian-java@lists.debian.org for discussions and questions.






Added tag(s) patch. Request was from Mehdi Dogguy <mehdi@debian.org> to control@bugs.debian.org. (Thu, 30 Dec 2010 21:57:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#608286; Package tomcat6. (Fri, 31 Dec 2010 16:09:06 GMT) (full text, mbox, link).


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 31 Dec 2010 16:09:06 GMT) (full text, mbox, link).


Message #17 received at 608286@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>
To: 608286@bugs.debian.org
Subject: Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Date: Fri, 31 Dec 2010 07:57:13 -0800
[Message part 1 (text/plain, inline)]
FYI, we applied patches for that Apache upstream SVN revision as part of
CVE-2010-4172.  I reviewed the patch posted here [0], and we already
have all of it except for this bit.

@@ -54,7 +56,7 @@
</tr>
<tr>
<th>Guessed Locale</th>
- - <td><%= JspHelper.guessDisplayLocaleFromSession(currentSession)
%></td>
+ <td><%=
JspHelper.escapeXml(JspHelper.guessDisplayLocaleFromSession(currentSessi
on))
%></td>
</tr>
<tr>
<th>Guessed User</th>


I'll prepare an upload that includes this patch, but otherwise I believe
we've already addressed this due to the overlap of the response with
CVE-2010-4172.

Thank you,
tony

[0] http://www.securityfocus.com/archive/1/archive/1/514866/100/0/threaded


On 12/29/2010 11:39 AM, Niels Thykier wrote:
> Tags: patch
> 
> See http://svn.apache.org/viewvc?view=revision&revision=1037779
> 
> (sorry for double mail to pkg-java list)
> 
> On 2010-12-29 18:29, Giuseppe Iuculano wrote:
>> Package: tomcat6
>> Severity: serious
>> Tags: security
> 
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for tomcat6.
> 
>> CVE-2010-4312[0]:
>> | The default configuration of Apache Tomcat 6.x does not include the
>> | HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
>> | attackers to hijack a session via script access to a cookie.
> 
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
> 
>> For further information see:
> 
>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
>>     http://security-tracker.debian.org/tracker/CVE-2010-4312
> 
> 
> 
> __
> This is the maintainer address of Debian's Java team
> <http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers>.
> Please use
> debian-java@lists.debian.org for discussions and questions.
> 
> 




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#608286; Package tomcat6. (Tue, 04 Jan 2011 20:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 04 Jan 2011 20:27:03 GMT) (full text, mbox, link).


Message #22 received at 608286@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: Giuseppe Iuculano <iuculano@debian.org>, 608286@bugs.debian.org
Subject: Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Date: Tue, 4 Jan 2011 21:22:16 +0100
[Message part 1 (text/plain, inline)]
user release.debian.org@packages.debian.org
usertag 608286 squeeze-can-defer
tag 608286 squeeze-ignore
kthxbye

On Wed, Dec 29, 2010 at 18:29:40 +0100, Giuseppe Iuculano wrote:

> Package: tomcat6
> Severity: serious
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for tomcat6.
> 
> CVE-2010-4312[0]:
> | The default configuration of Apache Tomcat 6.x does not include the
> | HTTPOnly flag in a Set-Cookie header, which makes it easier for remote
> | attackers to hijack a session via script access to a cookie.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4312
>     http://security-tracker.debian.org/tracker/CVE-2010-4312
> 
This can be fixed through squeeze-security if it's not ready for
squeeze, so tagging as -can-defer.

Cheers,
Julien

Added tag(s) squeeze-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Tue, 04 Jan 2011 20:27:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#608286; Package tomcat6. (Mon, 10 Jan 2011 17:54:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 10 Jan 2011 17:54:06 GMT) (full text, mbox, link).


Message #29 received at 608286@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: tony mancill <tmancill@debian.org>
Cc: 608286@bugs.debian.org
Subject: Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Date: Mon, 10 Jan 2011 18:51:23 +0100
On Fri, Dec 31, 2010 at 07:57:13AM -0800, tony mancill wrote:
> FYI, we applied patches for that Apache upstream SVN revision as part of
> CVE-2010-4172.  I reviewed the patch posted here [0], and we already
> have all of it except for this bit.

CVE-2010-4172 is fully fixed. MITRE later on assigned CVE-2010-4312
to this section from the original advisory:

> Users should be aware that Tomcat 6 does not use httpOnly for session
> cookies by default so this vulnerability could expose session cookies
> from the manager application to an attacker.

httpOnly has been made the default in Tomcat 7, so this ID is
essentially about an insecure default setting.

For Tomcat 6 I don't see the need to change the default (which might
even break applications). Instead such settings should be taken into 
account when setting up a Tomcat site.

For Squeeze you add a README.Debian or such pointing to the option
and the recommendation to use the option?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#608286; Package tomcat6. (Wed, 30 May 2012 12:33:13 GMT) (full text, mbox, link).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 30 May 2012 12:33:30 GMT) (full text, mbox, link).


Message #34 received at 608286@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 608286@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Date: Wed, 30 May 2012 14:30:58 +0200
severity 608286 minor
thanks

> httpOnly has been made the default in Tomcat 7, so this ID is
> essentially about an insecure default setting.
>
> For Tomcat 6 I don't see the need to change the default (which might
> even break applications). Instead such settings should be taken into
> account when setting up a Tomcat site.
>
> For Squeeze you add a README.Debian or such pointing to the option
> and the recommendation to use the option?

I don't think we can update the Squeeze README for this anymore.

A note could be added to the sid version of tomcat6.

However, this is not a vulnerability, only extra hardening which is surely
useful but not a vulnerability in itself. I'm therefore downgrading this
bug to minor: the request to update the README.Debian.


Cheers,
Thijs






Severity set to 'minor' from 'serious' Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Wed, 30 May 2012 12:33:47 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#608286; Package tomcat6. (Thu, 31 May 2012 05:51:07 GMT) (full text, mbox, link).


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 31 May 2012 05:51:07 GMT) (full text, mbox, link).


Message #41 received at 608286@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 608286@bugs.debian.org
Subject: Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Date: Wed, 30 May 2012 22:48:36 -0700
[Message part 1 (text/plain, inline)]
On 05/30/2012 05:30 AM, Thijs Kinkhorst wrote:
> severity 608286 minor
> thanks
> 
>> httpOnly has been made the default in Tomcat 7, so this ID is
>> essentially about an insecure default setting.
>>
>> For Tomcat 6 I don't see the need to change the default (which might
>> even break applications). Instead such settings should be taken into
>> account when setting up a Tomcat site.
>>
>> For Squeeze you add a README.Debian or such pointing to the option
>> and the recommendation to use the option?
> 
> I don't think we can update the Squeeze README for this anymore.
> 
> A note could be added to the sid version of tomcat6.
> 
> However, this is not a vulnerability, only extra hardening which is surely
> useful but not a vulnerability in itself. I'm therefore downgrading this
> bug to minor: the request to update the README.Debian.

Thank you for looking into this bug.  I shouldn't have let this one go
for so long, but honestly, I'm not sure about the text to add to the
package readme.

Can you propose appropriate wording to add to README.Debian?  Would it
be sufficient to reference the CVE and include a link (say, to [1])?

Thank you,
tony

[1] http://www.securityfocus.com/archive/1/archive/1/514866/100/0/threaded




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#608286; Package tomcat6. (Fri, 27 Jul 2012 11:15:06 GMT) (full text, mbox, link).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 27 Jul 2012 11:15:06 GMT) (full text, mbox, link).


Message #46 received at 608286@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 608286@bugs.debian.org
Subject: Re: Bug#608286: CVE-2010-4312: does not use HTTPOnly for session cookies by default
Date: Fri, 27 Jul 2012 13:08:50 +0200
[Message part 1 (text/plain, inline)]
Hi,

> > However, this is not a vulnerability, only extra hardening which is surely
> > useful but not a vulnerability in itself. I'm therefore downgrading this
> > bug to minor: the request to update the README.Debian.

> Thank you for looking into this bug.  I shouldn't have let this one go
> for so long, but honestly, I'm not sure about the text to add to the
> package readme.

> Can you propose appropriate wording to add to README.Debian.  Would it
> be sufficient to reference the CVE and include a link (say, to [1])?

See attached patch for a change to README.Debian. I've tested it and
confirmed that it has the desired effect.

Please apply it to the repository; I'm not sure that a separate upload to
wheezy is warranted for this but if you're going to make an upload before
the release please be sure to include this as well.


Cheers,
Thijs
[0001-Add-readme-section-to-tell-users-about-httponly-cook.patch (text/x-diff, attachment)]
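
The insecure default discussed earlier in the thread, and the "desired effect" reported in the message above, can both be checked mechanically. The following is an added example, not part of the bug log or of the attached patch: it assumes the option in question is the `useHttpOnly` attribute of Tomcat's `<Context>` element (the thread does not name it), the function names are hypothetical, and the XML and HTTP samples are constructed.

```python
"""Audit a Tomcat Context and a response for HttpOnly session cookies."""
import xml.etree.ElementTree as ET


def effective_use_http_only(context_xml, tomcat_major):
    """Return the HttpOnly setting a <Context> actually ends up with.

    Assumption: the option is the Context attribute useHttpOnly. When the
    attribute is absent the version default applies: off in Tomcat 6,
    on from Tomcat 7 (the default change mentioned in the thread).
    """
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("expected a <Context> root element")
    value = root.get("useHttpOnly")
    if value is None:
        return tomcat_major >= 7
    return value.strip().lower() == "true"


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, lower-cased attribute names)."""
    first, *rest = header_value.split(";")
    name = first.partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in rest if p.strip()}
    return name, attrs


def cookies_missing_httponly(raw_response_head, session_names=("JSESSIONID",)):
    """List session cookies set without the HttpOnly attribute."""
    findings = []
    for line in raw_response_head.splitlines():
        if not line.strip():
            break  # blank line ends the header block; ignore the body
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name in session_names and "httponly" not in attrs:
            findings.append(name)
    return findings


# Constructed samples: a context.xml without and with the attribute.
CONTEXT_DEFAULT = (
    "<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"
)
CONTEXT_HARDENED = (
    '<Context useHttpOnly="true">'
    "<WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"
)

# Constructed samples: response heads as seen before and after the change.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/manager\r\n"
    "Content-Type: text/html\r\n\r\n<html>"
)
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/manager; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n<html>"
)

if __name__ == "__main__":
    for label, xml in (("default", CONTEXT_DEFAULT), ("hardened", CONTEXT_HARDENED)):
        for major in (6, 7):
            print(label, "Tomcat", major, "->", effective_use_http_only(xml, major))
    print("before:", cookies_missing_httponly(RESPONSE_BEFORE))
    print("after: ", cookies_missing_httponly(RESPONSE_AFTER))
```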

Added tag(s) pending. Request was from tony mancill <tmancill@debian.org> to control@bugs.debian.org. (Tue, 07 Aug 2012 04:39:02 GMT) (full text, mbox, link).


Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Tue, 25 Sep 2012 03:06:06 GMT) (full text, mbox, link).


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Tue, 25 Sep 2012 03:06:06 GMT) (full text, mbox, link).


Message #53 received at 608286-close@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>
To: 608286-close@bugs.debian.org
Subject: Bug#608286: fixed in tomcat6 6.0.35-5
Date: Tue, 25 Sep 2012 03:03:03 +0000
Source: tomcat6
Source-Version: 6.0.35-5

We believe that the bug you reported is fixed in the latest version of
tomcat6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 608286@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated tomcat6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 06 Aug 2012 21:29:11 -0700
Source: tomcat6
Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.4-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs tomcat6-extras
Architecture: source all
Version: 6.0.35-5
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description: 
 libservlet2.4-java - Transitional package for libservlet2.5-java
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
 libtomcat6-java - Servlet and JSP engine -- core libraries
 tomcat6    - Servlet and JSP engine
 tomcat6-admin - Servlet and JSP engine -- admin web applications
 tomcat6-common - Servlet and JSP engine -- common files
 tomcat6-docs - Servlet and JSP engine -- documentation
 tomcat6-examples - Servlet and JSP engine -- example web applications
 tomcat6-extras - Servlet and JSP engine -- additional components
 tomcat6-user - Servlet and JSP engine -- tools to create user instances
Closes: 608286 687818
Changes: 
 tomcat6 (6.0.35-5) unstable; urgency=low
 .
   * Apply patch to README.Debian to explain setting the HTTPOnly flag
     in cookies by default; CVE-2010-4312. (Closes: #608286)
     - Thank you to Thijs Kinkhorst for the patch.
   * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
     updating the shipped conffile. (Closes: #687818)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 02 Nov 2012 07:27:33 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:54:56 2019; Machine Name: buxtehude
