[Bug 914164] Re: [MIR] horizon
@pitti the dep on cherrypy3 is resolved (dropped), and the other MIR criteria have been resolved. There is an open bug task for release notes regarding insecure content. Thanks.

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/914164

Title: [MIR] horizon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/914164/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 914164] Re: [MIR] horizon
Promoted.

** Changed in: horizon (Ubuntu)
       Status: In Progress => Fix Released
[Bug 914164] Re: [MIR] horizon
See http://people.canonical.com/~ubuntu-archive/component-mismatches.svg, this needs an additional MIR for cherrypy3.
[Bug 914164] Re: [MIR] horizon
This: while an administrator should know that setting up horizon for access over http:// would expose credentials, it would be good if the settings pages warned if the user was accessing the urls via http:// in some manner. If it is not fixed, it would be acceptable to mention it in a release note.
[Bug 914164] Re: [MIR] horizon
I performed a shallow review of horizon:

- CVE history: no, but the code is new. That said, upstream is very responsive and the server team is committed to it and active with upstream.
- Embeds some jquery scripts from jquery-goodies (they are newer than what is in the archive) in horizon/static/horizon/js/jquery/
- Not lintian clean
- No upstart jobs or initscripts, no dbus services or setuid programs. No cron jobs. No sudoers fragments.
- Uses python-django, so a lot of security features are enabled (CSRF protections (verified in use), etc)
- Allows downloading of EC2 and OpenStack credentials. The openstack .rc file that is downloaded prompts for the password, so that is good (though the OS_USERNAME and OS_TENANT_NAME are in there). The EC2 credentials give the EC2_ACCESS_KEY and EC2_SECRET_KEY. This is all delivered over http. The http://openstack/settings/* pages should probably warn that this is happening over an insecure connection.
- Setting up apache to use ssl and accessing horizon works fine.
- horizon connects to keystone via http://, so it needs to be on a protected LAN.
- http://openstack/nova/images_and_snapshots/ gave me a full traceback. The packaging should be adjusted to hide these as it might provide information to an attacker. Specifically, at the bottom of the page I see:

  You're seeing this error because you have DEBUG = True in your Django settings file. Change that to False, and Django will display a standard 500 page.

Other pages with tracebacks (related to usage I think):
http://openstack/nova/instances_and_volumes/
http://openstack/nova/images_and_snapshots/

Conditional ACK provided the following are addressed:
- set 'DEBUG = False'
- while an administrator should know that setting up horizon for access over http:// would expose credentials, it would be good if the settings pages warned if the user was accessing the urls via http:// in some manner
- a release note should be added that horizon needs to connect to keystone over a protected network (LP: #978963)

** Changed in: horizon (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: horizon (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => Chuck Short (zulcss)
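The two findings in the review above, tracebacks served because of DEBUG = True and credential pages delivered over plain http, as an added example that is not part of the bug thread or of horizon's own code: a settings audit that resolves DEBUG-style assignments, and a small WSGI-style middleware that flags credential pages requested without TLS. The /settings/ prefix, the header name, the sample settings module and all function names are assumptions.

```python
import ast

# Constructed sample of a Django settings module; not the horizon package's own file.
SAMPLE_SETTINGS = """
DEBUG = True
TEMPLATE_DEBUG = DEBUG
"""

def audit_debug_settings(settings_source: str) -> list:
    """Return the *DEBUG names that resolve to True (Django then serves full tracebacks)."""
    resolved = {}
    for node in ast.parse(settings_source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        name, value = node.targets[0].id, node.value
        if isinstance(value, ast.Constant):
            resolved[name] = value.value
        elif isinstance(value, ast.Name) and value.id in resolved:  # TEMPLATE_DEBUG = DEBUG
            resolved[name] = resolved[value.id]
    return sorted(n for n, v in resolved.items() if n.endswith("DEBUG") and v is True)

def is_insecure_credential_request(environ: dict, prefixes=("/settings/",)) -> bool:
    """Is a credential page (assumed to live under /settings/) being requested over plain
    http? X-Forwarded-Proto is trusted from a TLS proxy, which must overwrite client copies."""
    scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http")).lower()
    return scheme != "https" and environ.get("PATH_INFO", "").startswith(tuple(prefixes))

def insecure_transport_warning(app):
    """WSGI middleware: tag insecure credential-page responses with a warning header
    (a real deployment would render a visible banner in the page body instead)."""
    def wrapped(environ, start_response):
        def tagged_start(status, headers, exc_info=None):
            if is_insecure_credential_request(environ):
                headers = list(headers) + [("X-Insecure-Transport", "credentials-over-plain-http")]
            return start_response(status, headers, exc_info)
        return app(environ, tagged_start)
    return wrapped

def run_request(path: str, scheme: str = "http") -> list:
    """Drive a trivial app through the middleware with a constructed environ; return headers."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    captured = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": scheme}
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(insecure_transport_warning(app)(environ, start_response))
    return captured
```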
[Bug 914164] Re: [MIR] horizon
** Changed in: horizon (Ubuntu)
       Status: Incomplete => Confirmed
[Bug 914164] Re: [MIR] horizon
~ubuntu-server subscribed to bugmail.