-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: novnc security update
Advisory ID:       RHSA-2020:0754-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:0754
Issue date:        2020-03-10
CVE Names:         CVE-2017-18635 
====================================================================
1. Summary:

An updated novnc package that fixes one security issue is now available for
Red Hat Enterprise Linux OpenStack Platform 13.0.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 13.0 - noarch
Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - noarch

3. Description:

The novnc package provides a VNC client that uses HTML5 (Web Sockets,
Canvas) and includes encryption support.

An XSS vulnerability was discovered in noVNC in which arbitrary HTML could
be injected into the noVNC web page. An attacker having access to a VNC
server could use target host values in a crafted URL to gain access to
secure information (such as VM tokens). (CVE-2017-18635)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1484711 - [OSP13] rebase novnc to 1.1.0
1765660 - CVE-2017-18635 novnc: XSS vulnerability via the messages propagated to the status field

6. Package List:

Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server:

Source:
novnc-1.1.0-2.el7ost.src.rpm

noarch:
novnc-1.1.0-2.el7ost.noarch.rpm

Red Hat OpenStack Platform 13.0:

Source:
novnc-1.1.0-2.el7ost.src.rpm

noarch:
novnc-1.1.0-2.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-18635
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXmd4m9zjgjWX9erEAQiseQ//Q1ZyVQTuKJqkptTGxtgUINstYWj1z3n9
oOdKSlfTXxiWG2hjKCb3EtHpuB3kDZBGD67+6R2BxXzuGYun52GyPpTy6iAd7cAo
bVUVB5SQlffP9A1KN9JSloxLnRSYg4EgeEM4RdGfrpNQSoH2Yu0cn4mwu54yVd/9
JVx3LSNMiS0mdPmaBWxlUZZjZs09MbWBYt28qF09BIWZREunWB4Ai5MWmBNF89fk
Zb10V0659l4BtmK1RVC9F00FQxJfWkH9QFTlxeqBvamawzb9GrfteD2aBlOJLZVu
DgVm5BHtXTUBLq/1jbG/81R4rWoHuvQIuQ+wFjVuL/8foQfkbUQKFVDCegXx2LIV
v5v7spCNo2Zk/hye6B9DsK2IMJe1WnhXbavzJL7USenceP0u7Uuw8rCWecrSXH6C
4T+tptZ6t6jMgQl5xEenZq0c60QMl+HRqxDceSbF5fwEITbJrgRBodBgypcSYC/s
Vr8AxFJF3BfMzsC07XUY3yIIhMiyMRd/T1ouz86zBRimBEPDsniqUYgSw/vK5du1
LJiMT9hsGoS/HhXR33K1RDk5nOaNzgrvgZUone7+yq/M2XdQWhksUIlJYHGIWYq2
eFiYVXKxkTcNmkl+SXQ91d4JGx91DD4RdxSJESlSuMS05vCYlyhg46EUjhMfCtep
Ss84Xo1w05s=9mkD
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2020-0754:01 Moderate: novnc security update

An updated novnc package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 13.0

Summary

The novnc package provides a VNC client that uses HTML5 (Web Sockets, Canvas) and includes encryption support.
An XSS vulnerability was discovered in noVNC in which arbitrary HTML could be injected into the noVNC web page. An attacker having access to a VNC server could use target host values in a crafted URL to gain access to secure information (such as VM tokens). (CVE-2017-18635)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2017-18635 https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server:
Source: novnc-1.1.0-2.el7ost.src.rpm
noarch: novnc-1.1.0-2.el7ost.noarch.rpm
Red Hat OpenStack Platform 13.0:
Source: novnc-1.1.0-2.el7ost.src.rpm
noarch: novnc-1.1.0-2.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2020:0754-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0754
Issued Date: : 2020-03-10
CVE Names: CVE-2017-18635

Topic

An updated novnc package that fixes one security issue is now available forRed Hat Enterprise Linux OpenStack Platform 13.0.Red Hat Product Security has rated this update as having Moderate securityimpact. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available from the CVE link in theReferences section.


Topic


 

Relevant Releases Architectures

Red Hat OpenStack Platform 13.0 - noarch

Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - noarch


Bugs Fixed

1484711 - [OSP13] rebase novnc to 1.1.0

1765660 - CVE-2017-18635 novnc: XSS vulnerability via the messages propagated to the status field


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved