Please support flags for Secure / HttpOnly Cookies
Bug #1118160 reported by Jesse Pretorius
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
haproxy (Ubuntu) | Fix Released | Low | Unassigned |
Bug Description
HAProxy contains a weakness due to not supporting certain security-related flags for cookies. By not supporting the 'Secure' or 'HttpOnly' cookies, applications behind the proxy become more susceptible to cookie stealing attacks.
The solution is to upgrade to version 1.5-DEV11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
More detail here: http://
Please work on updating the Ubuntu packages to v1.5 asap.
description: updated
information type: Private Security → Public
information type: Public → Public Security
Thank you for using Ubuntu and filing a bug.
This was a security feature that was added to 1.4.22. This doesn't seem like a vulnerability so much as a missing security feature. If you would like to have this in Ubuntu, I suggest creating, testing and submitting a patch to the development release as per https://wiki.ubuntu.com/SponsorshipProcess. If you would like to have this available in a stable release of Ubuntu, once your patch has been incorporated into the development release of Ubuntu, please follow https://wiki.ubuntu.com/StableReleaseUpdates.
For your reference, this is the commit in question for 1.4: http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=81e2376ab3d2ee3ee3e30f0ea7714c395a4f8ecb
and for 1.5: http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=4992dd2d307aefd288379d2fefcf5a87b7631b75
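An added example, not part of the bug thread or of HAProxy's own code: once a version with the feature is installed, the attributes are requested with the `httponly` and `secure` options of the `cookie` directive. The script below audits a configuration for persistence cookies that HAProxy inserts without them. The sample configuration, backend names and addresses are constructed, and the comment handling is simplified (it does not honour quoted `#`).

```python
import re

# Constructed sample haproxy.cfg for illustration; not from the bug report.
SAMPLE_CFG = """\
backend app_plain
    cookie SERVERID insert indirect nocache   # no security attributes
    server web1 192.0.2.10:8080 cookie w1

backend app_partial
    cookie SRV insert httponly

backend app_hardened
    cookie SERVERID insert indirect nocache httponly secure
    server web2 192.0.2.11:8080 cookie w2

listen legacy
    cookie JSESSIONID prefix
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
FLAGS = ("httponly", "secure")


def audit_cookie_flags(cfg_text):
    """Return (section, cookie_name, missing_flags) for every 'cookie'
    directive that inserts a cookie without httponly and/or secure."""
    findings = []
    section = "(none)"
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = " ".join(filter(None, m.groups()))
            continue
        words = line.split()
        # 'server ... cookie w1' begins with 'server', so it is not matched
        if words[0] != "cookie" or len(words) < 2:
            continue
        opts = [w.lower() for w in words[2:]]
        if "insert" not in opts:
            continue  # attributes are only added when HAProxy inserts the cookie
        missing = [f for f in FLAGS if f not in opts]
        if missing:
            findings.append((section, words[1], missing))
    return findings
```

`secure` is only appropriate where clients reach the proxy over HTTPS, since browsers will not return a Secure cookie over plain HTTP and persistence would break.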