Ubuntu
haproxy package

  1. Bug #1118160
  2. Comment #1

Comment 1 for bug 1118160

Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: HAProxy Secure / HttpOnly Flag Cookie Weakness

Thank you for using Ubuntu and filing a bug.

This was a security feature that was added to 1.4.22. This doesn't seem like a vulnerability so much as a missing security feature. If you would like to have this in Ubuntu, I suggest creating, testing and submitting a patch to the development release as per https://wiki.ubuntu.com/SponsorshipProcess. If your would like to have this available in a stable release of Ubuntu, once your patch has been incorporated into the development release of Ubuntu, please follow https://wiki.ubuntu.com/StableReleaseUpdates.

For your reference, this is the commit in question for 1.4:
http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=81e2376ab3d2ee3ee3e30f0ea7714c395a4f8ecb

and for 1.5:
http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=4992dd2d307aefd288379d2fefcf5a87b7631b75