Your message dated Mon, 02 Mar 2015 16:49:02 +0000
with message-id <[email protected]>
and subject line Bug#778618: fixed in novnc
1:0.4+dfsg+1+20131010+gitf68af8af3d-4
has caused the Debian Bug report #778618,
regarding novnc: session hijack through insecurely set session token cookies
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
778618: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778618
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: novnc
Severity: grave
Tags: security
Justification: user security hole
Hi,
please see
http://www.openwall.com/lists/oss-security/2015/02/17/1
https://bugzilla.redhat.com/show_bug.cgi?id=1193451
Fix:
https://github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: novnc
Source-Version: 1:0.4+dfsg+1+20131010+gitf68af8af3d-4
We believe that the bug you reported is fixed in the latest version of
novnc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated novnc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 02 Mar 2015 17:27:07 +0100
Source: novnc
Binary: novnc python-novnc
Architecture: source all
Version: 1:0.4+dfsg+1+20131010+gitf68af8af3d-4
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Description:
novnc - HTML5 VNC client - daemon and programs
python-novnc - HTML5 VNC client - libraries
Closes: 778618
Changes:
novnc (1:0.4+dfsg+1+20131010+gitf68af8af3d-4) unstable; urgency=high
.
* Adds security patch (Closes: #778618):
adds_support_for_secure_attribute_on_token_cookie.patch
* Adds a source.lintian-overrides for include/logo.js. This is a logo, and
not code source, so I believe it should be fine. Moreover, the file in
include/logo.js.png is the source, and running "base64 include/logo.js.png"
generates the same data, so it is my point of view that we're in the case
of a false positive. If one difers, please provide the patch to generate
the logo.js out of the logo.js.png file.
Checksums-Sha1:
3e84a0e583ec4985aa4d7d204fc7841f100beee0 2271
novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4.dsc
06a742d1d9b9ca6114c639774c7ba1446d2ab317 24836
novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4.debian.tar.xz
913d16cfd02c745eb05ff3f2c2e154b5776771e4 125530
novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4_all.deb
f6547058f095b09ee2c190cb2b9f70169ada9aa1 19226
python-novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4_all.deb
Checksums-Sha256:
62e0d529ddb5f4543fe783ff4f010409bef7d062c1125b7fa50118427b5249ca 2271
novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4.dsc
77d7709c9ed06b622ed13bf1fd236426375c35d0096eee1a2d6b51336c80d822 24836
novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4.debian.tar.xz
91a8ae8322b294c675d1fb01434d1d586f775df1586f117582218ec612d594f5 125530
novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4_all.deb
c1278e3244b32cd3c608944dede7ed084eb291e0e69157eed4b6fcd8e87d7193 19226
python-novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4_all.deb
Files:
61373800ada6109cdc8a09b388c3822e 2271 web optional
novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4.dsc
aef5fc53811f2f1cb5265492d9ebb863 24836 web optional
novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4.debian.tar.xz
329f091ab4da7a705107e34df595dc8c 125530 web optional
novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4_all.deb
3b824830da88722b2dd2ee4e888e418d 19226 python optional
python-novnc_0.4+dfsg+1+20131010+gitf68af8af3d-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJU9JKBAAoJENQWrRWsa0P+etsP/jE/l0t5RPqVGtn0KvMRspKq
NlFMzDFJMwn/nmizak58z9mz5HL4ocSnjMqIpBTy/0GjJh+VPTt1kNNGeEhDmQ08
9OS+5j87Sv/ahrKYy5SDGpmLyy0KLk+BYJxBDbGQpYdymxrHztgYKUlLN0xHUMPw
Tcay6ld0rTAutyX7/xVoCLNXE8e8Ea8l32IK/XVppwy+wW9gJ5FvDqACZ/PDY52c
DHVSAFbBZEyQmMMYvql6MZ9IKlyh5/3DWoHvTb/m2M2W1/20cy9MVmAajaLK8PAL
e08IiG6wYcQ6mtXRuHQBczxQxDy517zdQuRaEcZi8HS8WYytXdDeO0csyGZMtA24
qjoUn2FYsLNN3JwRU/eGeXQ0/3y5MsfVq8Ad+M0H9DTcq8QpXyqmxVpAWyOqnTZj
o87PFPrwMwUdoVeiM8m6CrrX23UtzEn1zhHh6sCUKCjOZ0FxqJNR+hQjw8/QYwxw
bTEAFKvF8D0s8x5IUqswrCcQUcBQWBehU8tYochER0j6CS2B2gEnifNT+Ji/UbnP
XkF1j0OdOri4RLgBt4p5jqfgtIz5CMHPuhLGGlGvYgoP8pCVxFKpBnq4cjqB/8fi
RpWJspeqfK4Vlj8bpjipfMAba3Fwm5vL9DAQ45AnGabEi9PfAhrMymtBiT8Iuk81
ATD37Lo01mlYGhSo5/w5
=0wsu
-----END PGP SIGNATURE-----
--- End Message ---