Thank you for using Ubuntu and filing a bug. This was a security feature that was added to 1.4.22. This doesn't seem like a vulnerability so much as a missing security feature. If you would like to have this in Ubuntu, I suggest creating, testing and submitting a patch to the development release as per https://wiki.ubuntu.com/SponsorshipProcess. If you would like to have this available in a stable release of Ubuntu, once your patch has been incorporated into the development release of Ubuntu, please follow https://wiki.ubuntu.com/StableReleaseUpdates.
For your reference, this is the commit in question for 1.4:
http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=81e2376ab3d2ee3ee3e30f0ea7714c395a4f8ecb
and for 1.5:
http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=4992dd2d307aefd288379d2fefcf5a87b7631b75

** Summary changed:

- HAProxy Secure / HttpOnly Flag Cookie Weakness
+ Please support flags for Secure / HttpOnly Cookies

** Changed in: haproxy (Ubuntu)
       Status: New => Triaged

https://bugs.launchpad.net/bugs/1118160

Title:
  Please support flags for Secure / HttpOnly Cookies

Status in “haproxy” package in Ubuntu:
  Triaged

Bug description:
  HAProxy contains a weakness due to not supporting certain
  security-related flags for cookies. By not supporting the 'Secure' or
  'HttpOnly' cookies, applications behind the proxy become more
  susceptible to cookie stealing attacks.

  The solution is to upgrade to version 1.5-DEV11 or higher, as it has
  been reported to fix this vulnerability. An upgrade is required as
  there are no known workarounds.

  More detail here: http://osvdb.org/82768

  Please work on updating the Ubuntu packages to v1.5 asap.

