Summary: novnc: session hijack through insecurely set session token cookies [epel-all]
Product: [Fedora] Fedora EPEL
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: novnc
Assignee: Solly Ross <sross>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Version: el6
CC: apevec, jose.castro.leon, ndipanov, nsantos, p, s.danzi, sross, stirabos
Target Milestone: ---
Keywords: Security, SecurityTracking
Fixed In Version: novnc-0.5.1-2.el7
Doc Type: Release Note
Doc Text:
Story Points: ---
Last Closed: 2015-03-15 00:58:11 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
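Added illustration of the bug class named in the summary. This is not code from noVNC, websockify or the EPEL package, and the bug page itself does not describe the mechanics; the example assumes the weakness is a session-token cookie written from page script with only a path and no transport restriction, and shows a check for such a cookie beside a hardened way to write it. The cookie name `token`, its value and the function names are constructed for the example.

```javascript
// Added example (not noVNC code): check a session-token cookie for the
// attributes that keep it off cleartext HTTP and cross-site requests, and
// build a hardened form. ASSUMPTION: the bug class is a token cookie
// written from page script with only a path and no transport restriction;
// names and values below are constructed for the example.

// Parse "name=value; Attr; Attr=val" (the string handed to document.cookie,
// or a Set-Cookie header value) into name, value and lower-cased attributes.
function parseCookie(cookieStr) {
  const parts = cookieStr.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Return the protections a session-token cookie is missing.
// pageIsHttps: whether the page that sets the cookie was loaded over TLS.
function auditTokenCookie(cookieStr, pageIsHttps) {
  const { attrs } = parseCookie(cookieStr);
  const missing = [];
  // Without Secure the browser also attaches the cookie to plain http://
  // requests for the same host, so anyone on the network path can read it.
  if (pageIsHttps && !attrs.secure) missing.push('Secure');
  // Without SameSite the cookie is sent on requests started by other sites.
  if (!attrs.samesite) missing.push('SameSite');
  // Without an explicit Path the cookie defaults to the directory of the
  // page that set it, which is rarely the scope that was intended.
  if (!attrs.path) missing.push('Path');
  return missing;
}

// Hardened string for document.cookie. Secure is only meaningful (and only
// settable) from an https page. A cookie written from script cannot be
// HttpOnly; that needs the server to set it via a Set-Cookie header.
function buildTokenCookie(name, value, pageIsHttps, path = '/') {
  if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) throw new Error('bad cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('bad cookie value');
  let s = `${name}=${value}; Path=${path}; SameSite=Strict`;
  if (pageIsHttps) s += '; Secure';
  return s;
}

// Constructed sample: the weak form carries only a path, as a console that
// stores its session token from script and never restricts transport would.
const WEAK = 'token=3f9a1c; path=/';
const HARDENED = buildTokenCookie('token', '3f9a1c', true);

function demo() {
  return {
    weak: auditTokenCookie(WEAK, true),         // ['Secure', 'SameSite']
    hardened: auditTokenCookie(HARDENED, true), // []
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In the browser the hardened string is what you would assign to `document.cookie`. The check is deliberately limited to what a script-set cookie can control: if the token must also be unreadable by page script, the server has to issue it with `HttpOnly` in a `Set-Cookie` header, and a stolen cookie stays useful for as long as the server accepts it, so the server-side session lifetime matters as much as the attributes.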
Description Vasyl Kaigorodov 2015-02-17 11:32:34 UTC
Comment 1 Vasyl Kaigorodov 2015-02-17 11:32:39 UTC
Use the following template for the 'fedpkg update' request to submit an update for this issue, as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

=====
# bugfix, security, enhancement, newpackage (required)
type=security

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=1193451,1193454

# Description of your update
notes=Security fix for

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this is marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False
======

Additionally, you may opt to use the bodhi update submission link instead: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1193451,1193454
Comment 2 Alan Pevec 2015-02-18 19:53:34 UTC
Solly, do you want to take this as an exercise and push the novnc 0.5.1 update in EPEL6/7? It is updated in Rawhide, so git merge should do. Are there any backward compatibility issues?
Comment 3 Solly Ross 2015-02-18 21:51:00 UTC
Comment 4 Alan Pevec (Fedora) 2015-02-24 01:34:59 UTC
IMO fixing a security issue trumps two (deprecated since 2012) callback names, but let's spell them out in the Bodhi update description. In the upstream 0.5 relnotes I see only this which looks related: "NOTE: code which interfaces directly with noVNC may see minor breakage (e.g. custom UI elements, etc)."
Comment 5 Fedora Update System 2015-02-25 21:15:37 UTC
novnc-0.5.1-2.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/novnc-0.5.1-2.el7
Comment 6 Fedora Update System 2015-02-25 21:25:54 UTC
novnc-0.5.1-2.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/novnc-0.5.1-2.el6
Comment 7 Fedora Update System 2015-02-26 19:04:12 UTC
Package novnc-0.5.1-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=epel-testing novnc-0.5.1-2.el6'
as soon as you are able to.

Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0942/novnc-0.5.1-2.el6 then log in and leave karma (feedback).
Comment 8 Fedora Update System 2015-03-15 00:58:11 UTC
novnc-0.5.1-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2015-03-15 00:59:47 UTC
novnc-0.5.1-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.