[Openstack-devel] Bug#701773: nova: CVE-2013-0335: VNC proxy can connect to the wrong VM

Salvatore Bonaccorso carnil at debian.org
Tue Feb 26 22:28:56 UTC 2013


Package: nova
Version: 2012.1.1-13
Severity: important
Tags: security

Hi,

the following vulnerability was published for nova.

CVE-2013-0335[0]:
VNC proxy can connect to the wrong VM

See also the announcement[1].

Patches for folsom are available[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-0335
[1] http://marc.info/?l=oss-security&m=136190371727273&w=2
[2] https://review.openstack.org/#/c/22758/

At first glance it looks nova in testing/unstable and also
experimental are affected, could you please double-check?

Could you prepare a fixed pckage for unstable only containing the
needed change and contact the release team?

I have choosen severity important here. If I understand the issue
correctly, it would be possible for a user accessing a VM he does not
own.

Regards,
Salvatore



More information about the Openstack-devel mailing list