Hi! I just wanted to note that noVNC 0.5.1 is slated to be in Fedora 22 and is currently in EPEL testing for EPEL 6 and EPEL 7 (https://apps.fedoraproject.org/packages/novnc).
Best Regards,
Solly Ross

----- Original Message -----
> From: "Nathan Kinder" <nkin...@redhat.com>
> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
> Sent: Monday, March 2, 2015 4:09:06 PM
> Subject: [openstack-dev] [OSSN 0044] Older versions of noVNC allow session theft
>
> Older versions of noVNC allow session theft
> ---
>
> ### Summary ###
> Commonly packaged versions of noVNC allow an attacker to hijack user
> sessions even when TLS is enabled. noVNC fails to set the secure flag
> when setting cookies containing an authentication token.
>
> ### Affected Services / Software ###
> Nova, when embedding noVNC prior to v0.5
>
> ### Discussion ###
> Versions of noVNC prior to October 28, 2013 do not properly set the
> secure flag on cookies for pages served over TLS. Since noVNC stores
> authentication tokens in these cookies, an attacker who can modify
> user traffic can steal these tokens and connect to the VNC session.
>
> Affected deployments can be identified by looking for the "secure"
> flag on the token cookie set by noVNC on TLS-enabled installations. If
> the secure flag is missing, the installation is vulnerable.
>
> At the time of writing, Debian, Ubuntu and Fedora do not provide
> versions of this package with the appropriate patch.
>
> ### Recommended Actions ###
> noVNC should be updated to version 0.5 or later. If this is not
> possible, the upstream patch should be applied individually.
>
> Upstream patch:
> https://github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd
>
> ### Contacts / References ###
> This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0044
> Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1420942
> OpenStack Security ML : openstack-secur...@lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
> CVE: in progress - http://www.openwall.com/lists/oss-security/2015/02/17/1
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
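The cookie defect and the "look for the secure flag" check that the quoted OSSN describes, as an added example that is not noVNC's own code or its upstream patch. It models the browser's document object with a small stub, and the cookie name "token" and the function names are assumptions made for illustration:

```javascript
// Added example, not noVNC's own code or its upstream patch: a minimal stand-in
// for the browser's document object so the cookie writers can run under Node.
function makeDocument(protocol) {
  return { location: { protocol: protocol }, cookie: "" };
}

// Vulnerable pattern described by the OSSN: the token cookie is written the same
// way whether the page came over http: or https:, so it never carries the Secure
// attribute and the browser will also send it over plaintext HTTP.
function createCookieVulnerable(doc, name, value) {
  doc.cookie = name + "=" + value + "; path=/";
}

// Hardened pattern: when the page itself was served over TLS, add the Secure
// attribute so the browser only returns the cookie over TLS connections.
function createCookieHardened(doc, name, value) {
  let cookie = name + "=" + value + "; path=/";
  if (doc.location.protocol === "https:") {
    cookie += "; secure";
  }
  doc.cookie = cookie;
}

// The check the OSSN describes: does the named cookie carry the Secure flag?
// Takes one cookie string (a Set-Cookie header value, or document.cookie as
// written above) and returns true/false, or null if it is a different cookie.
function cookieIsSecure(cookieString, name) {
  const parts = cookieString.split(";").map((p) => p.trim());
  const cookieName = parts[0].split("=")[0];
  if (cookieName !== name) return null;
  return parts.slice(1).some((attr) => attr.toLowerCase() === "secure");
}

// Audit a TLS-enabled install: given captured cookie strings, return the names
// of the cookies that should be Secure but are not.
function findInsecureCookies(cookieStrings, names) {
  return names.filter((name) =>
    cookieStrings.some((c) => cookieIsSecure(c, name) === false)
  );
}

// Constructed sample run: the same token written by both writers on an https:
// page. The cookie name "token" is an assumption made for illustration.
const vulnDoc = makeDocument("https:");
const hardDoc = makeDocument("https:");
createCookieVulnerable(vulnDoc, "token", "example-token-value");
createCookieHardened(hardDoc, "token", "example-token-value");
console.log(findInsecureCookies([vulnDoc.cookie], ["token"])); // prints [ 'token' ]
console.log(findInsecureCookies([hardDoc.cookie], ["token"])); // prints []
```

On a real deployment the same check applies to the Set-Cookie header observed in the browser's developer tools or in a captured response from the TLS-enabled console endpoint.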