Comment 3 for bug 1420942

Paul McMillan (paul-mcmillan) wrote :

Horizon isn't setting this cookie, it's set by the novnc script which usually listens on port 6080. After digging a bit more, it looks like it's getting set by noVNC here:
https://github.com/kanaka/noVNC/blob/f675e03cccc5ac6a7f68e992331403ba557b0452/vnc_auto.html#L203

It looks like the issue is fixed in the latest release of noVNC, but Fedora and Ubuntu both ship a version earlier than the patch which fixed it:
https://github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd

That doesn't have a CVE or anything like it. Since this is an upstream bug, I'm going to report it to the packagers and see if we can get it fixed. Once there's a release in the pipes upstream, we should probably put out an OSSA.

I would appreciate it if we can keep this bug private until the packagers have had a chance to respond.