That's great . Thanks to Tristan and paul. Regards *Jitendra* +91-9989743042 On Fri, Mar 13, 2015 at 11:16 PM, Tristan Cacqueray < tristan.cacqueray at enovance.com> wrote: > ========================================================== > OSSA-2015-005: Nova console Cross-Site WebSocket hijacking > ========================================================== > > :Date: March 13, 2015 > :CVE: CVE-2015-0259 > > > Affects > ~~~~~~~ > - Nova: up to 2014.1.3 and 2014.2 versions up to 2014.2.2 > > > Description > ~~~~~~~~~~~ > Brian Manifold from Cisco and Paul McMillan from Nebula reported a > vulnerability in Nova console websocket. By tricking an authenticated > user into visiting a malicious URL, a remote attacker or a man in the > middle may exploit a cross-site-websocket-hijacking vulnerability > resulting in potential hijack of consoles where the user is still > logged in. Only Nova setups with vnc or spice enabled are affected. > > > Patches > ~~~~~~~ > - https://review.openstack.org/163035 (Icehouse) > - https://review.openstack.org/163034 (Juno) > - https://review.openstack.org/163033 (Kilo) > > > Credits > ~~~~~~~ > - Brian Manifold from Cisco (CVE-2015-0259) > - Paul McMillan from Nebula (CVE-2015-0259) > > > References > ~~~~~~~~~~ > - https://launchpad.net/bugs/1409142 > - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0259 > > > Notes > ~~~~~ > - This fix is included in 2014.1.4 (icehouse) release and it will be > included > in the kilo-3 development milestone and in the future 2014.2.3 (juno) > release. > > -- > Tristan Cacqueray > OpenStack Vulnerability Management Team > > > _______________________________________________ > Mailing list: > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack at lists.openstack.org > Unsubscribe : > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack/attachments/20150313/b6c9ebba/attachment.html>