Your message dated Wed, 10 Dec 2014 12:19:31 +0000
with message-id <[email protected]>
and subject line Bug#772712: fixed in python-django-openstack-auth 1.1.6-5
has caused the Debian Bug report #772712,
regarding CVE-2014-8124: Horizon denial of service attack through login page
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
772712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772712
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django-openstack-auth
Version: 1.1.6-4
Severity: grave
Tags: security patch

Note from maintainer:
Opening this bug before uploading the security fixes.

OpenStack Security Advisory: 2014-040
CVE: CVE-2014-8124
Date: December 09, 2014
Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1

Description:
Eric Peterson from Time Warner Cable reported a vulnerability in
Horizon. By making repeated requests to the Horizon login page a remote
attacker may generate unwanted session records, potentially resulting in
a denial of service. Only Horizon setups using a db or memcached session
engine are affected.

Kilo (development branch) fix:
https://review.openstack.org/140353

Juno fix:
https://review.openstack.org/140358

Icehouse fix:
https://review.openstack.org/140356

django_openstack_auth fix:
https://review.openstack.org/140352

Notes:
This fix will be included in future 2014.1.3 and 2014.2.1 releases.
The django_openstack_auth Horizon dependency requires the additional
patch above.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124
https://launchpad.net/bugs/1394370

--- End Message ---
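
An added example, not part of the advisory, the upstream patches or the Debian package: one way to spot the "repeated requests to the Horizon login page" pattern described above in web server access logs. The combined log format, the login path ending in /auth/login/, the 60-second window and the threshold of 5 are assumptions made for illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the advisory): combined-format access log and a
# Horizon login page served at a path ending in /auth/login/.
LOGIN_PATH = re.compile(r"/auth/login/?(\?|$)")
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" \d{3}'
)

def flag_login_floods(lines, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: peak count} for clients whose login-page requests
    inside any sliding window reach the threshold (both are assumed values)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or not LOGIN_PATH.search(m["path"]):
            continue  # unparsable line or not the login page
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop hits older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    f'198.51.100.7 - - [10/Dec/2014:12:00:{s:02d} +0000] '
    f'"GET /horizon/auth/login/ HTTP/1.1" 200 4312'
    for s in range(0, 12, 2)
] + [
    '192.0.2.10 - - [10/Dec/2014:12:00:01 +0000] "GET /horizon/auth/login/ HTTP/1.1" 200 4312',
    '192.0.2.10 - - [10/Dec/2014:12:00:09 +0000] "POST /horizon/auth/login/ HTTP/1.1" 302 0',
    '192.0.2.10 - - [10/Dec/2014:12:00:10 +0000] "GET /horizon/project/ HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    print(flag_login_floods(SAMPLE))
```

A flagged client is only a lead: correlate it with growth in the session table or memcached item count before acting, since the advisory limits the impact to db and memcached session engines.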
--- Begin Message ---
Source: python-django-openstack-auth
Source-Version: 1.1.6-5

We believe that the bug you reported is fixed in the latest version of
python-django-openstack-auth, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated 
python-django-openstack-auth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Dec 2014 20:07:03 +0800
Source: python-django-openstack-auth
Binary: python-openstack-auth
Architecture: source all
Version: 1.1.6-5
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Description:
 python-openstack-auth - Django authentication backend for Openstack
Closes: 772712
Changes:
 python-django-openstack-auth (1.1.6-5) unstable; urgency=high
 .
   * CVE-2014-8124: Horizon login page contains DOS attack mechanism. Applied
     upstream patch (Closes: #772712).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
