On 7 August 2013 20:30, Thierry Carrez <[email protected]> wrote:
> Gabriel Hurley wrote:
>> Many of you have probably heard about the "BREACH" attack/security
>> vulnerability in HTTPS traffic that was disclosed recently, and I'd like to
>> take a moment to provide some info about how that affects Horizon. I'm not
>> following the official vulnerability management process because 1. The
>> vulnerability is already disclosed publicly, 2. Workaround information has
>> already been published by Django and many others, and 3. There's no one-off
>> code fix on our end so awareness is the best possible thing.
>
> Agree that there is nothing to patch in our code at this point and
> therefore no base for an OpenStack Security Advisory (OSSA). The
> information you provided would still make a great OpenStack Security
> Note (OSSN), though. Those are issued by the OpenStack Security Group, I
> CC-ed Rob Clark so that he puts it on his radar.
Note that our API services are likely a rich target too - when running under SSL it should be fairly straightforward to get minor changes to the payload from keystone (e.g. with repeated token calls - but I don't know the API well enough to speculate in detail).

-Rob

-- 
Robert Collins <[email protected]>
Distinguished Technologist
HP Converged Cloud
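As an added illustration of the BREACH issue this thread discusses and of the masking workaround it alludes to (example code written for this page, not code from Horizon, Keystone or Django): a constructed response body whose compressed size reveals whether reflected content matches a secret token, beside a per-response masked token of the kind the Django project later adopted for CSRF tokens. The page body, the token value and the guess strings are all constructed for the example.

```python
import secrets
import zlib

# Constructed sample secret (not a real token): the kind of per-session value,
# such as a CSRF token, that a compressed HTTPS response carries next to
# attacker-influenced content.
SECRET = "7f3a9c1e4b2d8a6f"


def render(token: str, reflected: str) -> bytes:
    """Constructed page body: a secret token plus a reflected query value."""
    return f'<input name="csrf" value="{token}"><p>Results for: {reflected}</p>'.encode()


def length_gap(token: str, guess: str, control: str) -> int:
    """Compressed-size difference between a response reflecting an unrelated
    control string and one reflecting a guess. A positive gap means the DEFLATE
    back-reference for a matching prefix shows up as a shorter ciphertext, i.e.
    the response length leaks whether the guess matches the secret."""
    return len(zlib.compress(render(token, control))) - len(zlib.compress(render(token, guess)))


def mask_token(secret: str) -> str:
    """Per-response masking (the approach Django later shipped for CSRF tokens):
    XOR the secret with a fresh random mask and emit mask||masked, so the bytes
    on the wire differ in every response while the server can still recover
    the real secret."""
    raw = bytes.fromhex(secret)
    mask = secrets.token_bytes(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return (mask + masked).hex()


def unmask_token(wire: str) -> str:
    """Server-side inverse of mask_token: split mask||masked and XOR back."""
    data = bytes.fromhex(wire)
    mask, masked = data[:len(data) // 2], data[len(data) // 2:]
    return bytes(a ^ b for a, b in zip(masked, mask)).hex()


if __name__ == "__main__":
    # Static token: a guess matching the secret's prefix compresses better,
    # so the gap is positive and stable across responses.
    print("static gap :", length_gap(SECRET, SECRET[:8], "q8w2e5r9"))
    # Masked token: the reflected value is never the static secret and changes
    # per response, so a prefix guess has nothing stable to match (any small
    # gap here is random noise from accidental short matches).
    print("masked gap :", length_gap(mask_token(SECRET), SECRET[:8], "q8w2e5r9"))
    assert unmask_token(mask_token(SECRET)) == SECRET
```

The same length check is a useful regression test for any service (Horizon pages or API responses alike) that compresses a body containing both a secret and client-controlled data: if the compressed size moves with the guess, compression must be disabled or the secret masked.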
