An updated novnc package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 6.0.
Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The novnc package provides a VNC client that uses HTML5 (Web Sockets, Canvas) and includes encryption support.
It was discovered that noVNC did not properly set the ‘secure’ flag when issuing cookies. An attacker could use this flaw to intercept cookies via a man-in-the-middle attack. (CVE-2013-7436)
All novnc users are advised to upgrade to this updated package, which corrects this issue.
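The 'secure' cookie flag described above, shown as an added example that is not noVNC's or Red Hat's code: a cookie builder that sets the flag when the page is served over HTTPS, and a check that lists cookies issued without it. The function names `buildCookie` and `missingSecure` and all sample values are hypothetical and constructed for illustration.

```javascript
// Added example, not code from noVNC. All names and values are constructed.

// Build a string suitable for assignment to document.cookie.
// pageProtocol is the value a browser exposes as window.location.protocol.
function buildCookie(name, value, pageProtocol, days) {
  let cookie = encodeURIComponent(name) + "=" + encodeURIComponent(value) + "; path=/";
  if (days) {
    const expires = new Date(Date.now() + days * 24 * 60 * 60 * 1000);
    cookie += "; expires=" + expires.toUTCString();
  }
  // Without this attribute the browser also sends the cookie over plain
  // http, where a man-in-the-middle can read it.
  if (pageProtocol === "https:") {
    cookie += "; secure";
  }
  return cookie;
}

// Given Set-Cookie style strings, return the names of the cookies that
// were issued without the secure attribute.
function missingSecure(cookieStrings) {
  const flagged = [];
  for (const line of cookieStrings) {
    const parts = line.split(";").map((p) => p.trim());
    const name = parts[0].split("=")[0];
    const hasSecure = parts.slice(1).some((attr) => attr.toLowerCase() === "secure");
    if (!hasSecure) {
      flagged.push(name);
    }
  }
  return flagged;
}

// Constructed sample: one cookie built for an https page, one issued
// without the flag, one with mixed-case attributes.
const sample = [
  buildCookie("token", "constructed-session-token", "https:"),
  "legacy_token=constructed-session-token; path=/",
  "theme=dark; Path=/; Secure; HttpOnly",
];

console.log(missingSecure(sample));
```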
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to: https://access.redhat.com/articles/11258
1193451 – CVE-2013-7436 novnc: session hijack through insecurely set session token cookies
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from: