Yes the errata should be corrected.
Servlet 3.0 specification section 13.8 says:
If no authorization constraint applies to a request, the container must accept the
request without requiring user authentication.
also in the HFSJ book at page 668 it's mentioned as:
If an <auth-constraint> does NOT exist, the Container MUST allow unauthenticated access for these URLs.
Then for combining constraints:
Servlet 3.0 Specification section 13.8.1 says:
A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access.
From this, its clear that the option D is correct.
But how to correct the errata? Should another errata be raised to correct it?