Paul McMillan reported that noVNC prior to this patch: https://github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd allows an attacker to steal insecurely set session token cookies, hijacking active or inactive VNC sessions.
Created novnc tracking bugs for this issue: Affects: epel-all [bug 1193454]
Does the post to oss-security need a bump? Nobody seems to have assigned a CVE for this issue...
novnc-0.5.1-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
novnc-0.5.1-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
It looks noVNC and SPICE-HTML5 in oVirt/RHEV-M is unaffected by this CVE (we don't use cookies).
Unless you've explicitly disabled setting the cookie by modifying the source code, noVNC sets one. You're probably still vulnerable. Log into a terminal and check the cookies, if you see an insecure cookie with a token in it, you've got the problem.
This issue has been addressed in the following products: OpenStack 6 for RHEL 7 Via RHSA-2015:0788 https://rhn.redhat.com/errata/RHSA-2015-0788.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2015:0834 https://rhn.redhat.com/errata/RHSA-2015-0834.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2015:0833 https://rhn.redhat.com/errata/RHSA-2015-0833.html
This issue has been addressed in the following products: OpenStack 4 for RHEL 6 Via RHSA-2015:0884 https://rhn.redhat.com/errata/RHSA-2015-0884.html