Comment 42 for bug 1409142

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)

@Dave, the problem with the current patch is: users have no protection against a man in the middle. And if we open the bug, then yes we fix the broader vulnerability, but we also disclose a 0day... On the other hand, the longer we wait, the longer stakeholders have knowledge of this bug while the rest of the community is not protected. Also, since the OSSA task status is 'Fix committed', we are now able to subscribe downstream stakeholders if they want to participate in this bug fix...

According to Paul's comment #40, the proper fix would be to introduce a new header X_FORWARDED_PROTO to give the proxy enough information to validate the origin. Will this also require modifications to the noVNC code, and what would be the roadblocks to implementing this on Icehouse?

I think we should also consider a simpler fix for stable. Considering most deployments should already be using SSL, a check to make sure the origin is using https would effectively mitigate the issue.

@all, while we could move these issues to other bugs, because all the details are already posted here, we'll have to also open them on disclosure day.
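
The origin check discussed in the comment above, as an added example that is not part of the comment and not the Nova patch: it compares the handshake's Origin scheme and host with the endpoint the proxy serves, and shows why a proxy sitting behind a TLS terminator needs a forwarded-protocol header to validate an https origin. The function name `origin_allowed`, its parameters, the `X-Forwarded-Proto` spelling of the header and the host `console.example.test` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_allowed(headers, tls_here, trust_forwarded_proto=False,
                   require_https=True):
    """Decide whether a WebSocket handshake's Origin matches this proxy."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin, host = h.get("origin"), h.get("host")
    if not origin or not host:
        return False
    # Scheme the browser used to reach the console endpoint.
    if tls_here:
        expected = "https"
    elif trust_forwarded_proto:
        # Only safe when a trusted front end sets or overwrites this header.
        expected = h.get("x-forwarded-proto", "http").lower()
    else:
        expected = "http"
    try:
        o = urlsplit(origin)
        if o.scheme not in DEFAULT_PORTS or not o.hostname:
            return False  # rejects "null" and malformed origins
        if o.scheme != expected or (require_https and o.scheme != "https"):
            return False
        t = urlsplit(f"{expected}://{host}")
        o_port = o.port or DEFAULT_PORTS[o.scheme]
        t_port = t.port or DEFAULT_PORTS[expected]
    except ValueError:
        return False  # bad port or bracket syntax
    return (o.hostname, o_port) == (t.hostname, t_port)


# Constructed sample handshakes; console.example.test is a placeholder name.
DIRECT_TLS = {"Origin": "https://console.example.test",
              "Host": "console.example.test:443"}
PLAIN_HTTP = {"Origin": "http://console.example.test",
              "Host": "console.example.test"}
CROSS_SITE = {"Origin": "https://other.example.test",
              "Host": "console.example.test"}
BEHIND_TLS_FRONT_END = {"Origin": "https://console.example.test",
                        "Host": "console.example.test",
                        "X-Forwarded-Proto": "https"}
```

With `trust_forwarded_proto` left off, `BEHIND_TLS_FRONT_END` is rejected because the proxy only sees a plain-HTTP connection and cannot confirm the https origin on its own.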