According to Russell's message - this bug only affects the essex/stable branch.. No backport is necessary I guess..
Also - https://github.com/openstack/horizon/tree/stable/essex shows the most recent commit is the commit/fix he linked to..

Thanks,
Kiall

On Thu, Sep 13, 2012 at 4:17 PM, andi abes <[email protected]> wrote:
> Has a fix for this been backported to essex/stable branch?
>
> On Thu, Aug 30, 2012 at 11:35 AM, Russell Bryant <[email protected]> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > This advisory included the wrong CVE. It was CVE-2012-3540. Sorry
> > about that.
> >
> > On 08/30/2012 11:10 AM, Russell Bryant wrote:
> >> OpenStack Security Advisory: 2012-012
> >> CVE: CVE-2012-3542
> >
> > This should have been CVE-2012-3540
> >
> >> Date: August 30, 2012
> >> Title: Open redirect through 'next' parameter
> >> Impact: Medium
> >> Reporter: Thomas Biege (SUSE)
> >> Products: Horizon
> >> Affects: Essex (2012.1)
> >>
> >> Description: Thomas Biege from SUSE reported a vulnerability in
> >> Horizon authentication mechanism. By adding a malicious 'next'
> >> parameter to a Horizon authentication URL and enticing an
> >> unsuspecting user to follow it, the victim might get redirected
> >> after authentication to a malicious site where useful information
> >> could be extracted. Only setups running Essex are affected.
> >>
> >> Fixes: 2012.1:
> >> https://github.com/openstack/horizon/commit/35eada8a27323c0f83c400177797927aba6bc99b
> >>
> >> References:
> >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3542
> >
> > This should have been:
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3540
> >
> >> https://bugs.launchpad.net/horizon/+bug/1039077
> >>
> >> Notes: This fix will be included in a future Essex (2012.1)
> >> release.
> >
> > - --
> > Russell Bryant
> > OpenStack Vulnerability Management Team
> >
> > _______________________________________________
> > Mailing list: https://launchpad.net/~openstack
> > Post to     : [email protected]
> > Unsubscribe : https://launchpad.net/~openstack
> > More help   : https://help.launchpad.net/ListHelp
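The kind of check that closes an open redirect through a 'next' parameter, as an added example: it is not part of the original thread and is not Horizon's actual fix. The host name dashboard.example.org and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed values for this example; not taken from Horizon.
ALLOWED_HOSTS = {"dashboard.example.org"}
DEFAULT_REDIRECT = "/"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True if `target` stays on this site after login."""
    if not target or not isinstance(target, str):
        return False
    # Control characters are dropped by browsers before URL parsing, so a
    # value containing them may not mean what the server-side parser sees.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers ignore surrounding spaces and treat "\" like "/".
    candidate = target.strip().replace("\\", "/")
    # Three or more leading slashes parse as a path here, but browsers
    # collapse them into a scheme-relative URL pointing at another host.
    if candidate.startswith("///"):
        return False
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a rooted path on this site.
        return candidate.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False
    # hostname is lower-cased and excludes any userinfo ("user@") and port.
    return parts.hostname in allowed_hosts


def resolve_next(next_param, default=DEFAULT_REDIRECT):
    """Pick the post-login redirect: 'next' if it is safe, else the default."""
    return next_param if is_safe_redirect(next_param) else default
```

Current Django releases ship django.utils.http.url_has_allowed_host_and_scheme for this purpose, which is preferable to a hand-written check in a Django application.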

