Your message dated Wed, 10 Dec 2014 12:19:20 +0000
with message-id <[email protected]>
and subject line Bug#772710: fixed in horizon 2014.1.3-6
has caused the Debian Bug report #772710,
regarding CVE-2014-8124: Horizon denial of service attack through login page
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
772710: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772710
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: horizon
Version: 2014.1.3-5
Severity: important
Tags: security patch

Note from maintainer: opening the bug before uploading the fixes.

OpenStack Security Advisory: 2014-040
CVE: CVE-2014-8124
Date: December 09, 2014
Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1

Description:
Eric Peterson from Time Warner Cable reported a vulnerability in
Horizon. By making repeated requests to the Horizon login page a remote
attacker may generate unwanted session records, potentially resulting in
a denial of service. Only Horizon setups using a db or memcached session
engine are affected.

Kilo (development branch) fix:
https://review.openstack.org/140353

Juno fix:
https://review.openstack.org/140358

Icehouse fix:
https://review.openstack.org/140356

django_openstack_auth fix:
https://review.openstack.org/140352

Notes:
This fix will be included in future 2014.1.3 and 2014.2.1 releases.
The django_openstack_auth Horizon dependency requires the additional
patch above.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124
https://launchpad.net/bugs/1394370

--- End Message ---
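The advisory's failure mode modelled as an added example, not code from Horizon, django_openstack_auth or Django: a login view that writes to the session on every request persists one backend record per anonymous GET, while a view that only writes on POST leaves nothing behind. The in-memory store, the handler names and the `testcookie` write are assumptions; the advisory does not say which write produced the records.

```python
import uuid


class SessionStore:
    """Stand-in for a server-side session engine (db or memcached backend)."""

    def __init__(self):
        self.records = {}  # session_key -> data persisted on the server

    def new_session(self):
        return Session(self)


class Session(dict):
    """Persisted to the store only if the view wrote something into it."""

    def __init__(self, store):
        super().__init__()
        self.store, self.key = store, None

    def save(self):
        if self and self.key is None:
            self.key = uuid.uuid4().hex
            self.store.records[self.key] = dict(self)


def login_view_vulnerable(method, session):
    # Writes a marker on every request, GET included, so each anonymous visit
    # leaves a new record behind (assumed mechanism; the advisory only states
    # that repeated login-page requests generate unwanted session records).
    session["testcookie"] = "worked"
    if method == "POST":
        session["user_id"] = "demo-user"
    session.save()


def login_view_hardened(method, session):
    # Touches the session only when credentials are actually submitted.
    if method == "POST":
        session["user_id"] = "demo-user"
    session.save()


def stored_sessions_after(handler, methods):
    """Replay a constructed sequence of request methods; return record count."""
    store = SessionStore()
    for method in methods:
        handler(method, store.new_session())
    return len(store.records)
```

Watching the session table or cache key count grow while no logins succeed is the operational symptom this models.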
--- Begin Message ---
Source: horizon
Source-Version: 2014.1.3-6

We believe that the bug you reported is fixed in the latest version of
horizon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated horizon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Dec 2014 19:41:02 +0800
Source: horizon
Binary: python-django-horizon openstack-dashboard openstack-dashboard-apache
Architecture: source all
Version: 2014.1.3-6
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Description:
 openstack-dashboard - OpenStack Dashboard
 openstack-dashboard-apache - OpenStack Dashboard - Apache support
 python-django-horizon - Django module providing web interaction with OpenStack
Closes: 772710
Changes:
 horizon (2014.1.3-6) unstable; urgency=high
 .
   * CVE-2014-8124: Horizon denial of service attack through login page. Applied
     upstream patch (Closes: #772710).
Checksums-Sha1:
Checksums-Sha256:
Files:


--- End Message ---
