Configure Horizon to mitigate BREACH/CRIME attacks
-
### Summary ###
In its default configuration Horizon is vulnerable to BREACH/CRIME-style
chosen-plaintext attacks which may allow an attacker to execute CSRF
attacks.
### Affected Services / Software ###
Horizon, Django, Apache, Nginx
Some SSL-Enabled connections fail to perform basic certificate checks
### Summary ###
In many places OpenStack components use Python 2.x HTTPSConnection to
establish an SSL connection between endpoints. This does not provide
many of the assurances one would expect when using SSL and leaves
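What "basic certificate checks" means in practice, as an added example (not OpenStack code): a context that reproduces what Python 2.x `httplib.HTTPSConnection` did (encrypt, but accept any certificate, so an on-path attacker can present a self-signed one), the verifying context a client should use instead, and the hostname rule that `check_hostname` enforces, spelled out in a simplified matcher. The matcher is written for illustration of the rule; production code should leave the check to the `ssl` module.

```python
"""Python 2.x HTTPSConnection skipped chain validation and hostname
matching. Added example, not OpenStack code; hostname_matches is a
simplified RFC 6125 matcher for illustration, not a replacement for the
ssl module's own check."""
import http.client
import ssl


def insecure_context():
    """What Python 2.x HTTPSConnection amounted to: any certificate from
    any issuer for any name is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None):
    """Chain validation against a trust store plus hostname matching.
    cafile=None uses the platform store; internal OpenStack endpoints
    usually need the deployment's own CA bundle here."""
    return ssl.create_default_context(cafile=cafile)


def context_verifies(ctx):
    """The two settings that decide whether a connection is authenticated."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def https_connection(host, port=443, cafile=None, timeout=10):
    """Drop-in for the old HTTPSConnection(host) pattern; the context is
    the only difference."""
    return http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=verified_context(cafile))


def hostname_matches(pattern, hostname):
    """Case-insensitive exact match, or a wildcard that stands for exactly
    one whole leftmost label and leaves at least two labels fixed
    (RFC 6125 section 6.4.3). Partial wildcards such as f*.example.com
    and bare *.com are rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or "." not in rest:
        return False
    hfirst, _, hrest = hostname.partition(".")
    return hfirst != "" and hrest == rest
```

`insecure_context()` is here only to make the contrast concrete; the fix for the endpoints the note describes is to pass `verified_context(cafile)` and point `cafile` at the CA that issued the service certificates.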
Horizon does not set Secure Attribute in cookies
-
### Summary ###
Horizon does not, by default, set the Secure Attribute in cookies
### Affected Services / Software ###
Horizon, Django
### Discussion ###
When used in production Horizon should have the Secure Attribute for
cookies set. When
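The Secure attribute in practice, as an added example (not Horizon's code): the Django settings that control it for Horizon's session and CSRF cookies, a helper that emits a Set-Cookie header the hardened way, and an audit that reads Set-Cookie headers back and reports sensitive cookies that would also travel over plain HTTP. Setting names are Django's; the header values and the `sensitive` cookie list are constructed for the example.

```python
"""Secure (and HttpOnly) on Horizon's cookies. Added example, not Horizon
or Django code; the Set-Cookie samples are constructed."""
from http.cookies import SimpleCookie

# Values for local_settings.py in production. Assumes TLS terminates at or
# in front of Horizon; a Secure cookie is never sent back over plain HTTP.
HARDENED_SETTINGS = {
    "SESSION_COOKIE_SECURE": True,    # session cookie only over HTTPS
    "CSRF_COOKIE_SECURE": True,       # CSRF cookie only over HTTPS
    "SESSION_COOKIE_HTTPONLY": True,  # session cookie hidden from JavaScript
}


def missing_cookie_settings(settings):
    """Names from HARDENED_SETTINGS that a settings mapping leaves unset
    or False; Django's defaults for the two Secure flags are False."""
    return [name for name in HARDENED_SETTINGS if settings.get(name) is not True]


def set_cookie_header(name, value, secure=True, httponly=True, path="/"):
    """Build one Set-Cookie header value the way a hardened Horizon would."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = path
    if secure:
        cookie[name]["secure"] = True
    if httponly:
        cookie[name]["httponly"] = True
    return cookie[name].OutputString()


def audit_set_cookie(header, sensitive=("sessionid", "csrftoken")):
    """Findings for one Set-Cookie header value: empty means every
    sensitive cookie in it carries both Secure and HttpOnly."""
    cookie = SimpleCookie()
    cookie.load(header)
    findings = []
    for name, morsel in cookie.items():
        if name not in sensitive:
            continue
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure, also sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, readable by page scripts")
    return findings
```

Run `audit_set_cookie` over the Set-Cookie headers of a login response to the dashboard; a finding on `sessionid` or `csrftoken` means the settings above are not in effect.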
My understanding of such attacks is that they require a
point-of-presence within the browser to perform the injection which in
turn enables the side channel. As clients/users won't be interacting
with the API using a browser I'm not 100% convinced that we need to
worry about defending against
Nova Baremetal Exposes Previous Tenant Data
-
### Summary ###
Data of previous tenants may be exposed to new ones when using Nova Baremetal
### Affected Services / Software ###
Keystone, Databases
### Discussion ###
Nova Baremetal is intended for testing and development only, it is not