Comment 22 for bug 1927677

Jeremy Stanley (fungi) wrote : Re: novnc allowing open redirection which could potentially be used for phishing

Melanie: Thanks for pointing out that the backports for branches prior to stable/wallaby haven't merged yet; I misread the notifications. We can't publish an advisory anyway until those are merged for the maintained branches at a minimum (fixes for branches under extended maintenance can merge after any advisory though).

Joshua: As Melanie points out, what we're providing is a workaround for a known security flaw in a dependency, so differs slightly from OSSA-2020-008 in that regard. You are right though that the end result is roughly the same for vulnerable deployments, and unlike most vulnerabilities involving dependencies this is one we actually have an active mitigation for which doesn't require any additional action on the part of the deployer other than upgrading our software in the deployment (no additional configuration or dependency upgrade steps needed).

I'm disappearing on a week-long vacation tomorrow, but if someone wants to compose an impact description for this and request a CVE from MITRE with it (or assign one as a CNA), I'm happy to help coordinate any advisory when I get home. Our template for impact descriptions can be found here: https://security.openstack.org/vmt-process.html#impact-description-description