** No longer affects: nova/essex -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1125378
Title: [OSSA-2013-006] VNC proxy can be made to connect to wrong VM Status in OpenStack Compute (Nova): Fix Released Status in OpenStack Compute (nova) folsom series: Fix Released Status in OpenStack Security Advisories: Fix Released Bug description: Suppose a user requests a VNC token, and then deletes the VM right away, as I understand, the token is still valid not having yet exceeded the TTL. During this time if a new VM is spawned on the host and kvm reuses the port to bind the vncserver, it's possible for the user to use the old token to get access to this new VM, which could be owned by someone else. I have seen this happening in Essex code and was wondering if this is still the case. The possible solutions are to flush the tokens on vm delete, hard reboot etc or to have a password protected VNC session. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1125378/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
