Your message dated Wed, 10 Dec 2014 13:12:39 +0000
with message-id <[email protected]>
and subject line Re: Bug#772714: unblock: python-django-openstack-auth/1.1.6-6:
CVE-2014-8124 fix
has caused the Debian Bug report #772714,
regarding unblock: python-django-openstack-auth/1.1.6-6: CVE-2014-8124 fix
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
772714: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772714
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear release team,
Please unblock package python-django-openstack-auth. The upstream patch is a
one liner fixing the DOS on the login page on the side of this lib. Debdiff
attached.
Cheers,
Thomas Goirand (zigo)
diff -Nru python-django-openstack-auth-1.1.6/debian/changelog python-django-openstack-auth-1.1.6/debian/changelog
--- python-django-openstack-auth-1.1.6/debian/changelog 2014-09-29 06:45:50.000000000 +0000
+++ python-django-openstack-auth-1.1.6/debian/changelog 2014-12-10 12:10:01.000000000 +0000
@@ -1,3 +1,10 @@
+python-django-openstack-auth (1.1.6-5) unstable; urgency=high
+
+ * CVE-2014-8124: Horizon login page contains DOS attack mechanism. Applied
+ upstream patch (Closes: #772712).
+
+ -- Thomas Goirand <[email protected]> Wed, 10 Dec 2014 20:07:03 +0800
+
python-django-openstack-auth (1.1.6-4) unstable; urgency=medium
* Add upstream patch fixing FTBFS: fix-tests.patch. Thanks to David Suárez
diff -Nru python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch
--- python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch 2014-12-10 12:10:01.000000000 +0000
@@ -0,0 +1,27 @@
+Description: Horizon login page contains DOS attack mechanism
+ The horizon login page (and middleware) accesses the session too early in the
+ login process, which will create session records in the session backend. This
+ is especially problematic when non-cookie backends are used.
+Author: eric <[email protected]>
+Date: Mon, 8 Dec 2014 23:38:26 +0000 (-0700)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fdjango_openstack_auth.git;a=commitdiff_plain;h=e676c88a329af57d6c4f13df54f6e1e06c1f8360
+Co-Authored-By: Tihomir Trifonov <[email protected]>
+Co-Authored-By: Eric Peterson <[email protected]>
+Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
+Bug-Ubuntu: https://launchpad.net/bugs/1394370
+Bug-Debian: https://bugs.debian.org/772712
+Origin: upstream, https://review.openstack.org/#/c/140352/
+Last-Update: 2014-12-10
+
+diff --git a/openstack_auth/forms.py b/openstack_auth/forms.py
+index 2c8092c..8c1fcee 100644
+--- a/openstack_auth/forms.py
++++ b/openstack_auth/forms.py
+@@ -98,7 +98,6 @@ class Login(django_auth_forms.AuthenticationForm):
+ msg = 'Login failed for user "%(username)s".' % \
+ {'username': username}
+ LOG.warning(msg)
+- self.request.session.flush()
+ raise forms.ValidationError(exc)
+ if hasattr(self, 'check_for_test_cookie'): # Dropped in django 1.7
+ self.check_for_test_cookie()
diff -Nru python-django-openstack-auth-1.1.6/debian/patches/series python-django-openstack-auth-1.1.6/debian/patches/series
--- python-django-openstack-auth-1.1.6/debian/patches/series 2014-09-29 06:45:50.000000000 +0000
+++ python-django-openstack-auth-1.1.6/debian/patches/series 2014-12-10 12:10:01.000000000 +0000
@@ -1,3 +1,4 @@
0001-Call-django.setup-before-running-tests-for-Django-1..patch
0002-Don-t-call-check_for_test_cookie-with-Django-1.7.patch
fix-tests.patch
+CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch
--- End Message ---
--- Begin Message ---
On 2014-12-10 12:17, Thomas Goirand wrote:
Please unblock package python-django-openstack-auth. The upstream patch
is a
one liner fixing the DOS on the login page on the side of this lib.
Debdiff
attached.
Unblocked.
Regards,
Adam
--- End Message ---
