Horizon isn't setting this cookie, it's set by the novnc script which usually listens on port 6080. After digging a bit more, it looks like it's getting set by noVNC here: https://github.com/kanaka/noVNC/blob/f675e03cccc5ac6a7f68e992331403ba557b0452/vnc_auto.html#L203
It looks like the issue is fixed in the latest release of noVNC, but Fedora and Ubuntu both ship a version earlier than the patch which fixed it: https://github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd
That doesn't have a CVE or anything like it. Since this is an upstream bug, I'm going to report it to the packagers and see if we can get it fixed. Once there's a release in the pipes upstream, we should probably put out an OSSA.
I would appreciate if we can keep this bug private until the packagers have had a chance to respond.