Your message dated Wed, 10 Dec 2014 13:19:18 +0000
with message-id <[email protected]>
and subject line Bug#772712: fixed in python-django-openstack-auth 1.1.7-2
has caused the Debian Bug report #772712,
regarding CVE-2014-8124: Horizon denial of service attack through login page
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
772712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772712
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django-openstack-auth
Version: 1.1.6-4
Severity: grave
Tags: security patch

Note from maintainer:
Opening this bug before uploading the security fixes.

OpenStack Security Advisory: 2014-040
CVE: CVE-2014-8124
Date: December 09, 2014
Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1

Description:
Eric Peterson from Time Warner Cable reported a vulnerability in
Horizon. By making repeated requests to the Horizon login page a remote
attacker may generate unwanted session records, potentially resulting in
a denial of service. Only Horizon setups using a db or memcached session
engine are affected.

Kilo (development branch) fix:
https://review.openstack.org/140353

Juno fix:
https://review.openstack.org/140358

Icehouse fix:
https://review.openstack.org/140356

django_openstack_auth fix:
https://review.openstack.org/140352

Notes:
This fix will be included in future 2014.1.3 and 2014.2.1 releases.
The django_openstack_auth Horizon dependency requires the additional
patch above.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124
https://launchpad.net/bugs/1394370

--- End Message ---
--- Begin Message ---
Source: python-django-openstack-auth
Source-Version: 1.1.7-2

We believe that the bug you reported is fixed in the latest version of
python-django-openstack-auth, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated 
python-django-openstack-auth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Dec 2014 20:13:53 +0800
Source: python-django-openstack-auth
Binary: python-openstack-auth
Architecture: source all
Version: 1.1.7-2
Distribution: experimental
Urgency: medium
Maintainer: PKG OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Description:
 python-openstack-auth - Django authentication backend for Openstack
Closes: 772712
Changes:
 python-django-openstack-auth (1.1.7-2) experimental; urgency=medium
 .
   * CVE-2014-8124: Horizon denial of service attack through login page. Applied
     upstream patch (Closes: #772712).


--- End Message ---
