552678 – <sys-cluster/nova-2014.2.2-r1: Authentication hijacking vulnerability (CVE-2015-0259)

Bug 552678 - <sys-cluster/nova-2014.2.2-r1: Authentication hijacking vulnerability (CVE-2015-0259)

Summary: <sys-cluster/nova-2014.2.2-r1: Authentication hijacking vulnerability (CVE-20...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2015-06-20 20:31 UTC by GLSAMaker/CVETool Bot
Modified:	2015-06-20 20:32 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2015-06-20 20:31:28 UTC

CVE-2015-0259 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0259):
  OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo
  before kilo-3 does not validate the origin of websocket requests, which
  allows remote attackers to hijack the authentication of users for access to
  consoles via a crafted webpage.


*nova-2014.2.2-r1 (11 Mar 2015)
	
	  11 Mar 2015; Matthew Thode <prometheanfire@gentoo.org>
	  +files/CVE-2015-0259-2014.2.2.patch, +nova-2014.2.2-r1.ebuild,
	  -nova-2014.2.1.ebuild, -nova-2014.2.2.ebuild:
	  fixing CVE-2015-0259

Comment 1 Sean Amoss (RETIRED) gentoo-dev

2015-06-20 20:32:19 UTC

Closing noglsa for ~arch only.