yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1511541] [NEW] Possible incomplete fix for OSSA-2015-005

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Grant Murphy <grant.murphy@xxxxxx>
Date: Thu, 29 Oct 2015 21:46:42 -0000
Reply-to: Bug 1511541 <1511541@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a security vulnerability ***

Public security bug reported:

Multiple reports that the fix for [OSSA 2015-005] Websocket Hijacking
Vulnerability in Nova VNC Server (CVE-2015-0259) is incomplete.

https://bugs.launchpad.net/nova/+bug/1409142/comments/146
https://bugs.launchpad.net/nova/+bug/1409142/comments/149

Further investigation is needed.

** Affects: nova
     Importance: Undecided
         Status: New

** Affects: ossa
     Importance: Undecided
         Status: Incomplete

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1511541

Title:
  Possible incomplete fix for OSSA-2015-005

Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Multiple reports that the fix for [OSSA 2015-005] Websocket Hijacking
  Vulnerability in Nova VNC Server (CVE-2015-0259) is incomplete.

  https://bugs.launchpad.net/nova/+bug/1409142/comments/146
  https://bugs.launchpad.net/nova/+bug/1409142/comments/149

  Further investigation is needed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1511541/+subscriptions

Follow ups

[Bug 1511541] Re: Possible incomplete fix for OSSA-2015-005
From: Grant Murphy, 2016-03-07