Your message dated Wed, 10 Dec 2014 13:13:56 +0000
with message-id <[email protected]>
and subject line Re: Bug#772719: unblock: horizon/2014.1.3-6 CVE-2014-8124 fix
has caused the Debian Bug report #772719,
regarding unblock: horizon/2014.1.3-6 CVE-2014-8124 fix
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
772719: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772719
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear release team,
Please unblock package horizon. Debdiff attached. See #772710 for details
about this CVE. Debdiff attached.
Cheers,
Thomas Goirand (zigo)
diff -Nru horizon-2014.1.3/debian/changelog horizon-2014.1.3/debian/changelog
--- horizon-2014.1.3/debian/changelog 2014-11-11 21:25:59.000000000 +0000
+++ horizon-2014.1.3/debian/changelog 2014-12-10 11:43:48.000000000 +0000
@@ -1,3 +1,10 @@
+horizon (2014.1.3-6) unstable; urgency=high
+
+ * CVE-2014-8124: Horizon denial of service attack through login page. Applied
+ upstrema patch (Closes: #772710).
+
+ -- Thomas Goirand <[email protected]> Wed, 10 Dec 2014 19:41:02 +0800
+
horizon (2014.1.3-5) unstable; urgency=medium
* Purge the /usr/share/openstack-dashboard/openstack_dashboard folder when
diff -Nru horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch
--- horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch 1970-01-01 00:00:00.000000000 +0000
+++ horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch 2014-12-10 11:43:48.000000000 +0000
@@ -0,0 +1,61 @@
+Description: Horizon login page contains DOS attack mechanism
+ The horizon login page (really the middleware) accesses the session too early
+ in the login process, which will create session records in the session
+ backend. This is especially problematic when non-cookie backends are used.
+Author: lin-hua-cheng <[email protected]>
+Date: Tue, 2 Dec 2014 02:16:15 +0000 (-0800)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a
+Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
+Bug-Ubuntu: https://launchpad.net/bugs/1394370
+Bug-Debian: https://bugs.debian.org/772710
+Origin: upstream, https://review.openstack.org/#/c/140356/
+Last-Update: 2014-12-10
+
+diff --git a/horizon/middleware.py b/horizon/middleware.py
+index e4b72b2..3cdb36e 100644
+--- a/horizon/middleware.py
++++ b/horizon/middleware.py
+@@ -49,6 +49,17 @@ class HorizonMiddleware(object):
+
+ def process_request(self, request):
+ """Adds data necessary for Horizon to function to the request."""
++
++ request.horizon = {'dashboard': None,
++ 'panel': None,
++ 'async_messages': []}
++ if not hasattr(request, "user") or not request.user.is_authenticated():
++ # proceed no further if the current request is already known
++ # not to be authenticated
++ # it is CRITICAL to perform this check as early as possible
++ # to avoid creating too many sessions
++ return None
++
+ # Activate timezone handling
+ tz = request.session.get('django_timezone')
+ if tz:
+@@ -62,14 +73,6 @@ class HorizonMiddleware(object):
+
+ last_activity = request.session.get('last_activity', None)
+ timestamp = int(time.time())
+- request.horizon = {'dashboard': None,
+- 'panel': None,
+- 'async_messages': []}
+-
+- if not hasattr(request, "user") or not request.user.is_authenticated():
+- # proceed no further if the current request is already known
+- # not to be authenticated
+- return None
+
+ # If we use cookie-based sessions, check that the cookie size does not
+ # reach the max size accepted by common web browsers.
+diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
+index 8a630e9..5ff1fd5 100644
+--- a/openstack_dashboard/views.py
++++ b/openstack_dashboard/views.py
+@@ -33,6 +33,4 @@ def splash(request):
+ if request.user.is_authenticated():
+ return shortcuts.redirect(horizon.get_user_home(request.user))
+ form = forms.Login(request)
+- request.session.clear()
+- request.session.set_test_cookie()
+ return shortcuts.render(request, 'splash.html', {'form': form})
diff -Nru horizon-2014.1.3/debian/patches/series horizon-2014.1.3/debian/patches/series
--- horizon-2014.1.3/debian/patches/series 2014-11-11 21:25:59.000000000 +0000
+++ horizon-2014.1.3/debian/patches/series 2014-12-10 11:43:48.000000000 +0000
@@ -6,3 +6,4 @@
0009_Fix-TypeError-SecurityGroup-object-is-not-iterable-t.patch
disable-failed-django-1.7-test.patch
Update_WSGI_app_creation_to_be_compatible_with_Django_1.7.patch
+CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch
--- End Message ---
--- Begin Message ---
On 2014-12-10 12:19, Thomas Goirand wrote:
Please unblock package horizon. Debdiff attached. See #772710 for
details
about this CVE. Debdiff attached.
Unblocked.
Regards,
Adam
--- End Message ---
