CVE-2010-4312 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4312): The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.
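The issue described above is a missing attribute on the session cookie, so the quickest check is to look at the Set-Cookie headers a Tomcat instance actually returns. The script below is an added example, not code from this bug report, from Tomcat or from the GLSA; it parses Set-Cookie values (attribute names are case-insensitive per RFC 6265, and HttpOnly and Secure are valueless flags) and reports the session cookie when it can be read by page script. The two sample responses are constructed to resemble a default Tomcat 6 reply and a hardened one; they are not captured traffic, and the cookie value is made up.

```python
"""Audit Set-Cookie headers for the HttpOnly flag.

Added example for the CVE-2010-4312 discussion; not code from the Gentoo
bug, from Tomcat or from the GLSA. Sample headers below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    attributes: dict = field(default_factory=dict)

    @property
    def script_readable(self) -> bool:
        # Without HttpOnly the browser exposes the cookie through
        # document.cookie, so any injected script can read and exfiltrate it.
        return not self.httponly


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value.

    RFC 6265: the first segment is name=value, the remaining segments are
    attributes; attribute names are case-insensitive and HttpOnly/Secure
    carry no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    if not name:
        raise ValueError(f"Set-Cookie without a cookie name: {header_value!r}")
    flags: set[str] = set()
    attrs: dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key in ("httponly", "secure"):
            flags.add(key)
        else:
            attrs[key] = value.strip()
    return CookieAudit(name, "httponly" in flags, "secure" in flags, attrs)


def audit_response(headers: list[tuple[str, str]],
                   session_cookie: str = "JSESSIONID") -> list[str]:
    """Return findings for every Set-Cookie header in a response.

    The session cookie (JSESSIONID for Tomcat) missing HttpOnly is the
    hijack risk from the CVE text; other cookies are reported as INFO.
    """
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if cookie.script_readable:
            severity = "HIGH" if cookie.name == session_cookie else "INFO"
            findings.append(f"{severity}: {cookie.name} lacks HttpOnly "
                            f"(readable via document.cookie)")
        if not cookie.secure:
            findings.append(f"INFO: {cookie.name} lacks Secure")
    return findings


# Constructed sample responses (not captured traffic; the cookie value is made up).
TOMCAT6_DEFAULT = [
    ("Server", "Apache-Coyote/1.1"),
    ("Set-Cookie", "JSESSIONID=1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D; Path=/"),
    ("Content-Type", "text/html;charset=UTF-8"),
]
HARDENED = [
    ("Server", "Apache-Coyote/1.1"),
    ("Set-Cookie", "JSESSIONID=1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, response in (("tomcat6-default", TOMCAT6_DEFAULT), ("hardened", HARDENED)):
        print(label, audit_response(response) or ["OK"])
```

Feed it the header list from any HTTP client (for example the `raw_headers` of a `urllib` response turned into (name, value) pairs) rather than the constructed samples. On the Tomcat side, the setting that controls this flag is the `useHttpOnly` attribute of the `Context` element in conf/context.xml; it defaults to false in the 6.x line and to true from 7.0, so on a 6.x install it has to be set explicitly.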
Can you punt anything <www-servers/tomcat-6.0.32-r2?
Ignoring comment #1, what's your plan here? I was unable to find a statement from upstream, but Red Hat's security team issued a statement: https://bugzilla.redhat.com/show_bug.cgi?id=658267
(In reply to comment #1)
> Can you punt anything <www-servers/tomcat-6.0.32-r2?

Done, except that www-servers/tomcat-6.0.32-r2 has never been stable, so it's gone too; www-servers/tomcat-6.0.32-r1 remains until www-servers/tomcat-6.0.33 is stabilized.
No affected version in the tree anymore.
This issue was resolved and addressed in GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml by GLSA coordinator Tobias Heinlein (keytoaster).