Re: [openstack-dev] [horizon][bug] Mitigation to BREACH vulnerability

2015-11-23 Thread Matthias Runge
On Fri, Nov 20, 2015 at 10:00:30PM +, BARTRA, RICK wrote:
> Until Django releases an official patch for the BREACH vulnerability, I think 
> we should take a look at django-debreach. The django-debreach package 
> provides some, possibly enough, protection against a BREACH attack. Its 
> integration to Horizon is clear by following the configuration found here: 
> https://pypi.python.org/pypi/django-debreach
> 
> 
> The proposed change to Horizon: https://review.openstack.org/#/c/247838/
> 
> The proposed change to Requirements: https://review.openstack.org/#/c/248233/

Thank you for proposing this.

Still, I believe this is
a) security hardening to be done by deployers
b) something not specific to Horizon, and a solution should be integrated in
Django, not just in a single application using Django.

Matthias

-- 
Matthias Runge 

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


[openstack-dev] [horizon][bug] Mitigation to BREACH vulnerability

2015-11-20 Thread BARTRA, RICK
Until Django releases an official patch for the BREACH vulnerability, I think 
we should take a look at django-debreach. The django-debreach package provides 
some, possibly enough, protection against a BREACH attack. Its integration to 
Horizon is clear by following the configuration found here: 
https://pypi.python.org/pypi/django-debreach


The proposed change to Horizon: https://review.openstack.org/#/c/247838/

The proposed change to Requirements: https://review.openstack.org/#/c/248233/


Regards,

Rick Bartra