Please support flags for Secure / HttpOnly Cookies
Bug #1118160 reported by
Jesse Pretorius
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| haproxy (Ubuntu) |
Fix Released
|
Low
|
Unassigned | ||
Bug Description
HAProxy contains a weakness due to not supporting certain security-related flags for cookies. By not supporting the 'Secure' or 'HttpOnly' cookies, applications behind the proxy become more susceptible to cookie stealing attacks.
The solution is to upgrade to version 1.5-DEV11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
More detail here: http://
Please work on updating the Ubuntu packages to v1.5 asap.
| description: | updated |
| information type: | Private Security → Public |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #1 |
| summary: |
- HAProxy Secure / HttpOnly Flag Cookie Weakness + Please support flags for Secure / HttpOnly Cookies |
| Changed in haproxy (Ubuntu): | |
| status: | New → Triaged |
Revision history for this message
| Mathew Hodson (mhodson) wrote | #2 |
| Changed in haproxy (Ubuntu): | |
| importance: | Undecided → Low |
| status: | Triaged → Fix Released |
| tags: | added: upgrade-software-version |
| information type: | Public → Public Security |
To post a comment you must log in.
Thank you for using Ubuntu and filing a bug.
This was a security feature that was added to 1.4.22. This doesn't seem like a vulnerability so much as a missing security feature. If you would like to have this in Ubuntu, I suggest creating, testing and submitting a patch to the development release as per https:/
For your reference, this is the commit in question for 1.4:
http://
and for 1.5:
http://