The default configuration of Apache Tomcat 6.x does not include the HTTPOnly
flag in a Set-Cookie header, which makes it easier for remote attackers to
hijack a session via script access to a cookie.
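As an added example (not from the bug report, nor Tomcat's own code), a small Python audit helper that flags Set-Cookie headers lacking the HttpOnly attribute and checks whether a Tomcat context.xml opts in via the Context attribute useHttpOnly (supported from Tomcat 6.0.19 onward); the sample headers and context fragment are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses: the first is what a default Tomcat 6.x
# sends for its session cookie (no HttpOnly); the others are hardened.
SAMPLE_HEADERS = [
    "JSESSIONID=5F2A1C0B9E; Path=/app",
    "JSESSIONID=5F2A1C0B9E; Path=/app; HttpOnly",
    "theme=dark; Path=/; Secure; HttpOnly",
]

# Constructed context.xml fragment with the mitigating setting applied.
CONTEXT_XML = '<Context useHttpOnly="true"><Manager pathname="" /></Context>'


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to True so lookups are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def cookies_missing_httponly(headers, only_session=False):
    """Return the names of cookies set without HttpOnly.

    With only_session=True, restrict the check to JSESSIONID, the cookie
    the advisory is about.
    """
    found = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if only_session and name != "JSESSIONID":
            continue
        if "httponly" not in attrs:
            found.append(name)
    return found


def context_sets_httponly(context_xml):
    """True when a <Context> element sets useHttpOnly="true"."""
    root = ET.fromstring(context_xml)
    return root.tag == "Context" and root.get("useHttpOnly", "false").lower() == "true"
```

Run cookies_missing_httponly over captured response headers from a deployed instance to confirm the fix took effect after setting useHttpOnly.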
Can you punt anything <www-servers/tomcat-6.0.32-r2?
Ignoring comment #1, what's your plan here? I was unable to find a statement from upstream, but Red Hat's security team issued a statement:
(In reply to comment #1)
> Can you punt anything <www-servers/tomcat-6.0.32-r2?
Done, except that www-servers/tomcat-6.0.32-r2 has never been stable, so it's gone too; www-servers/tomcat-6.0.32-r1 remains until www-servers/tomcat-6.0.33 is stabilized.
No affected version in the tree anymore.
This issue was resolved and addressed in
GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml
by GLSA coordinator Tobias Heinlein (keytoaster).