Comment 67 for bug 1409142

Tristan Cacqueray (tristan-cacqueray) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)

Thanks Dave for the new patch set!

I've subscribed apevec and adam_g as Nova stable maintainers. So we are looking at an RPC version bump in order to have stable properly fixed.

If this is not possible, we still have the option to triage the mitm case as a B1/B2 class of bug ( https://wiki.openstack.org/wiki/Vulnerability_Management#Incident_report_taxonomy ) and eventually provide a simpler patch that would make sure the origin scheme is https.