Bug 552750 - <www-apps/novnc-0.5: Session hijacking vulnerability (CVE-2013-7436)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Reported: 2015-06-21 13:56 UTC by GLSAMaker/CVETool Bot
Modified: 2015-06-23 04:41 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2015-06-21 13:56:21 UTC
CVE-2013-7436 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7436):
  noVNC before 0.5 does not set the secure flag for a cookie in an https
  session, which makes it easier for remote attackers to capture this cookie
  by intercepting its transmission within an http session.


Maintainer(s), please drop version 0.4.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-23 03:53:07 UTC
fixed in tree (removed 0.4), removing self from cc
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-06-23 04:41:06 UTC
Maintainer(s), Thank you for your work.

Thank you all. Closing as noglsa.