Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 552750

Summary: <www-apps/novnc-0.5: Session hijacking vulnerability (CVE-2013-7436)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2015-06-21 13:56:21 UTC 
CVE-2013-7436 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7436):
  noVNC before 0.5 does not set the secure flag for a cookie in an https
  session, which makes it easier for remote attackers to capture this cookie
  by intercepting its transmission within an http session.


Maintainer(s), please drop version 0.4.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-23 03:53:07 UTC 
fixed in tree (removed 0.4), removing self from cc
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-06-23 04:41:06 UTC 
Maintainer(s), Thank you for your work.

Thank you all. Closing as noglsa.