Comment 76 for bug 1409142

Dave McCowan (dave-mccowan) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)

Looking at the VNC configuration options, there is already an "ssl_only" configuration option to disallow non-encrypted connections. I can piggy-back on that command, and also disallow origin headers that are not HTTPS. That's an easy enough fix that I'm tempted to use it for Kilo too. No RPC API changes for any release. Thoughts?
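The check proposed in the comment, written out as an added example that is not code from nova, websockify or this bug thread: when the proxy's existing ssl_only flag is set, a WebSocket handshake whose Origin header is not https is refused. The example goes one step beyond the comment by also accepting an optional allow-list of origin hosts, the usual defence against cross-site WebSocket hijacking; the function names, the header dict shape, the allow-list parameter and the sample handshake are all assumptions constructed for the illustration.

```python
# Added illustration of an Origin check for a VNC WebSocket proxy handshake.
# Not nova or websockify code; all names here are assumptions.
from urllib.parse import urlparse


def parse_handshake(raw):
    """Parse the header block of a raw HTTP upgrade request into a dict.

    The request line is skipped; header names are lower-cased so lookups
    below are case-insensitive. Only the header block matters for this check.
    """
    headers = {}
    lines = raw.split("\r\n")
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def origin_allowed(headers, ssl_only, allowed_hosts=None):
    """Decide whether a handshake's Origin should be accepted.

    headers       -- dict of lower-cased request headers (see parse_handshake)
    ssl_only      -- the proxy's existing ssl_only flag; when True, non-https
                     origins are refused, as the comment proposes
    allowed_hosts -- optional set of permitted origin hosts (generalisation
                     beyond the comment; None disables the host check)
    Returns (accepted, reason).
    """
    origin = headers.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake, so a missing
        # header means a non-browser client, which a hostile page cannot drive.
        # Design choice for this example; a stricter proxy could refuse it.
        return True, "no Origin header (non-browser client)"

    parsed = urlparse(origin)
    # "null" (opaque/sandboxed origins) and anything unparseable are refused:
    # urlparse yields no scheme and no hostname for them.
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False, "malformed or opaque Origin: %r" % origin

    if ssl_only and parsed.scheme != "https":
        # The piggy-back from the comment: ssl_only implies https origins only.
        return False, "ssl_only is set but Origin scheme is %s" % parsed.scheme

    if allowed_hosts is not None and parsed.hostname not in allowed_hosts:
        return False, "Origin host %s is not in the allow-list" % parsed.hostname

    return True, "ok"


def check_raw_handshake(raw, ssl_only, allowed_hosts=None):
    """Convenience wrapper: parse a raw handshake and run the Origin check."""
    return origin_allowed(parse_handshake(raw), ssl_only, allowed_hosts)


# Constructed sample handshake: a cross-site page on plain http trying to open
# the console WebSocket. Hosts are placeholders, not real systems.
SAMPLE_HANDSHAKE = (
    "GET /websockify HTTP/1.1\r\n"
    "Host: console.example\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: http://other-site.example\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for ssl_only in (False, True):
        accepted, reason = check_raw_handshake(SAMPLE_HANDSHAKE, ssl_only)
        print("ssl_only=%s -> accepted=%s (%s)" % (ssl_only, accepted, reason))
    accepted, reason = check_raw_handshake(
        SAMPLE_HANDSHAKE, ssl_only=False, allowed_hosts={"console.example"})
    print("allow-list -> accepted=%s (%s)" % (accepted, reason))
```

With ssl_only off and no allow-list the sample handshake passes, which is exactly the gap the comment is closing; with ssl_only on it is refused because the Origin scheme is http, and the allow-list refuses it regardless of scheme because the origin host is not the console's own. The scheme check alone still admits any https page, so the host allow-list is the part that actually stops a cross-site hijack.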