Your message dated Wed, 10 Dec 2014 13:04:34 +0000
with message-id <[email protected]>
and subject line Bug#772710: fixed in horizon 2014.2-3
has caused the Debian Bug report #772710,
regarding CVE-2014-8124: Horizon denial of service attack through login page
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
772710: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772710
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: horizon
Version: 2014.1.3-5
Severity: important
Tags: security patch

Note from maintainer: opening the bug before uploading the fixes.

OpenStack Security Advisory: 2014-040
CVE: CVE-2014-8124
Date: December 09, 2014
Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3, and 2014.2 versions up to 2014.2.1

Description:
Eric Peterson from Time Warner Cable reported a vulnerability in
Horizon. By making repeated requests to the Horizon login page a remote
attacker may generate unwanted session records, potentially resulting in
a denial of service. Only Horizon setups using a db or memcached session
engine are affected.

Kilo (development branch) fix:
https://review.openstack.org/140353

Juno fix:
https://review.openstack.org/140358

Icehouse fix:
https://review.openstack.org/140356

django_openstack_auth fix:
https://review.openstack.org/140352

Notes:
This fix will be included in future 2014.1.3 and 2014.2.1 releases.
The django_openstack_auth Horizon dependency requires the additional
patch above.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124
https://launchpad.net/bugs/1394370

--- End Message ---
--- Begin Message ---
Source: horizon
Source-Version: 2014.2-3

We believe that the bug you reported is fixed in the latest version of
horizon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated horizon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Dec 2014 19:53:49 +0800
Source: horizon
Binary: python-django-horizon openstack-dashboard openstack-dashboard-apache
Architecture: source all
Version: 2014.2-3
Distribution: experimental
Urgency: medium
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Description:
 openstack-dashboard - OpenStack Dashboard
 openstack-dashboard-apache - OpenStack Dashboard - Apache support
 python-django-horizon - Django module providing web interaction with OpenStack
Closes: 772710
Changes:
 horizon (2014.2-3) experimental; urgency=medium
 .
   * CVE-2014-8124: Horizon denial of service attack through login page. Applied
     upstream patch (Closes: #772710).


--- End Message ---