Thank you for using Ubuntu and filing a bug. This was a security feature that was added to 1.4.22. This doesn't seem like a vulnerability so much as a missing security feature. If you would like to have this in Ubuntu, I suggest creating, testing and submitting a patch to the development release as per https://wiki.ubuntu.com/SponsorshipProcess. If your would like to have this available in a stable release of Ubuntu, once your patch has been incorporated into the development release of Ubuntu, please follow https://wiki.ubuntu.com/StableReleaseUpdates.
For your reference, this is the commit in question for 1.4: http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=81e2376ab3d2ee3ee3e30f0ea7714c395a4f8ecb and for 1.5: http://haproxy.1wt.eu/git?p=haproxy.git;a=commit;h=4992dd2d307aefd288379d2fefcf5a87b7631b75 ** Summary changed: - HAProxy Secure / HttpOnly Flag Cookie Weakness + Please support flags for Secure / HttpOnly Cookies ** Changed in: haproxy (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1118160 Title: Please support flags for Secure / HttpOnly Cookies To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/1118160/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
