Finalize fix for CVE-2014-8124

Bug #1399271 reported by Dmitry Mescheryakov
Affects             Status         Importance  Assigned to    Milestone
Mirantis OpenStack  Fix Committed  Critical    Paul Karikh
  5.1.x             Fix Released   Critical    Alexey Khivin
  6.0.x             Fix Released   Critical    Alexey Khivin
  6.1.x             Fix Released   Critical    Paul Karikh

Bug Description

We need to push the fix for https://bugs.launchpad.net/mos/+bug/1398893 into our django-openstack-auth repos once the bug is publicly disclosed. But not earlier!

Tags: horizon
Mike Scherbakov (mihgen) wrote:

Didn't we decide to Won't fix it in 5.1.1?

Dmitry Mescheryakov (dmitrymex) wrote:

Mike: yep, you are right. Corrected the milestone.

Timur Sufiev (tsufiev-x) wrote:

Opening since it's opened in upstream: https://bugs.launchpad.net/horizon/+bug/1394370

information type: Private Security → Public Security
OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.7, package release == ubuntu3

Changeset: https://review.fuel-infra.org/1747
project: packages/precise/python-django-openstack-auth
branch: master
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism the horizon login page (and middleware) accesses the session too early in the login process, which will create session records in the session backend. This is especially problematic when non-cookie backend
status: patchset-created

Files placed on repository:
python-openstack-auth_1.1.7-ubuntu3_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-master-1747/ubuntu

Alexey Khivin (akhivin) wrote:

https://review.openstack.org/#/c/140352/ patch was applied

https://review.openstack.org/#/c/140356/ patch was not applied because the same changes have been done earlier by Timur Sufiev

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/1760
project: packages/centos6/python-django-openstack-auth
branch: 6.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.1-stable-1760/centos

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.7, package release == ubuntu3

Changeset: https://review.fuel-infra.org/1750
project: packages/precise/python-django-openstack-auth
branch: master
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-openstack-auth_1.1.7-ubuntu3_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-master-1750/ubuntu

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.7, package release == ubuntu5

Changeset: https://review.fuel-infra.org/1771
project: packages/precise/python-django-openstack-auth
branch: 6.0.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-openstack-auth_1.1.7-ubuntu5_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0.1-stable-1771/ubuntu

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/1772
project: packages/centos6/python-django-openstack-auth
branch: 6.0.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0.1-stable-1772/centos

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/2151
project: packages/centos6/python-django-openstack-auth
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable-2151/centos

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.7, package release == ubuntu4

Changeset: https://review.fuel-infra.org/2152
project: packages/precise/python-django-openstack-auth
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-openstack-auth_1.1.7-ubuntu4_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.2-stable-2152/ubuntu

OSCI Robot (oscirobot) wrote:

RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2.mira9.git.ec33d56.c9b0cb2

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
openstack-dashboard-2014.1.3-fuel5.1.2.mira9.git.ec33d56.c9b0cb2.noarch.rpm
openstack-dashboard-theme-2014.1.3-fuel5.1.2.mira9.git.ec33d56.c9b0cb2.noarch.rpm
python-django-horizon-2014.1.3-fuel5.1.2.mira9.git.ec33d56.c9b0cb2.noarch.rpm
python-django-horizon-doc-2014.1.3-fuel5.1.2.mira9.git.ec33d56.c9b0cb2.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable-2171/centos

OSCI Robot (oscirobot) wrote:

DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2~mira7+git.ec33d56.c9b0cb2

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
openstack-dashboard-ubuntu-theme_2014.1.3-fuel5.1.2~mira7+git.ec33d56.c9b0cb2_all.deb
openstack-dashboard_2014.1.3-fuel5.1.2~mira7+git.ec33d56.c9b0cb2_all.deb
python-django-horizon_2014.1.3-fuel5.1.2~mira7+git.ec33d56.c9b0cb2_all.deb
python-django-openstack_2014.1.3-fuel5.1.2~mira7+git.ec33d56.c9b0cb2_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.2-stable-2171/ubuntu

OSCI Robot (oscirobot) wrote:

RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2.mira9

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged

Files placed on repository:
openstack-dashboard-2014.1.3-fuel5.1.2.mira9.noarch.rpm
openstack-dashboard-theme-2014.1.3-fuel5.1.2.mira9.noarch.rpm
python-django-horizon-2014.1.3-fuel5.1.2.mira9.noarch.rpm
python-django-horizon-doc-2014.1.3-fuel5.1.2.mira9.noarch.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable/centos

OSCI Robot (oscirobot) wrote:

DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2~mira7

Changeset: https://review.fuel-infra.org/2171
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged

Files placed on repository:
openstack-dashboard-ubuntu-theme_2014.1.3-fuel5.1.2~mira7_all.deb
openstack-dashboard_2014.1.3-fuel5.1.2~mira7_all.deb
python-django-horizon_2014.1.3-fuel5.1.2~mira7_all.deb
python-django-openstack_2014.1.3-fuel5.1.2~mira7_all.deb

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.2-stable/ubuntu

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/2264
project: packages/centos6/python-django-openstack-auth
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable-2264/centos

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/2151
project: packages/centos6/python-django-openstack-auth
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable-2151/centos

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.7, package release == ubuntu5

Changeset: https://review.fuel-infra.org/2272
project: packages/precise/python-django-openstack-auth
branch: 6.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-openstack-auth_1.1.7-ubuntu5_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.1-stable-2272/ubuntu

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/2151
project: packages/centos6/python-django-openstack-auth
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable-2151/centos

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/1760
project: packages/centos6/python-django-openstack-auth
branch: 6.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.1-stable/centos

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/2151
project: packages/centos6/python-django-openstack-auth
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable/centos

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.7, package release == ubuntu4

Changeset: https://review.fuel-infra.org/2152
project: packages/precise/python-django-openstack-auth
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged

Files placed on repository:
python-openstack-auth_1.1.7-ubuntu4_all.deb

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.2-stable/ubuntu

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.7, package release == ubuntu3

Changeset: https://review.fuel-infra.org/1750
project: packages/precise/python-django-openstack-auth
branch: master
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged

Files placed on repository:
python-openstack-auth_1.1.7-ubuntu3_all.deb

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-master/ubuntu

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/1772
project: packages/centos6/python-django-openstack-auth
branch: 6.0.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0.1-stable/centos

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/2151
project: packages/centos6/python-django-openstack-auth
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira5.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable-2151/centos

Alexey Khivin (akhivin) wrote:

As I understood, Timur decided to fix this by himself in the latest branches.

Timur Sufiev (tsufiev-x) wrote:

In the master branch it will be fixed by switching to django-openstack-auth 1.1.9.

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.9, package release == ubuntu5

Changeset: https://review.fuel-infra.org/2788
project: packages/precise/python-django-openstack-auth
branch: 6.1
author: Max Yatsenko
committer: Max Yatsenko
subject: Update "python-django-openstack-auth" from 1.1.7 to 1.1.9 version
status: patchset-created

Files placed on repository:
python-openstack-auth_1.1.9-ubuntu5_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.1-stable-2788/ubuntu

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.9, package release == ubuntu5

Changeset: https://review.fuel-infra.org/2788
project: packages/precise/python-django-openstack-auth
branch: 6.1
author: Max Yatsenko
committer: Max Yatsenko
subject: Update "python-django-openstack-auth" from 1.1.7 to 1.1.9 version
status: change-merged

Files placed on repository:
python-openstack-auth_1.1.9-ubuntu5_all.deb

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.1-stable/ubuntu

Timur Sufiev (tsufiev-x) wrote:

Since the requests https://review.fuel-infra.org/#/c/2788/ and https://review.fuel-infra.org/#/c/2765/ have already been merged, the security vulnerability is fixed in 6.1 as well.

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/3609
project: packages/centos6/python-django-openstack-auth
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-updates-stable-3609/centos

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.7, package release == ubuntu1

Changeset: https://review.fuel-infra.org/3610
project: packages/precise/python-django-openstack-auth
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-openstack-auth_1.1.7-ubuntu1_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-updates-stable-3610/ubuntu

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/3609
project: packages/centos6/python-django-openstack-auth
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-updates-stable-3609/centos

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.7, package release == ubuntu1

Changeset: https://review.fuel-infra.org/3610
project: packages/precise/python-django-openstack-auth
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-openstack-auth_1.1.7-ubuntu1_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-updates-stable-3610/ubuntu

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.7, package release == ubuntu5

Changeset: https://review.fuel-infra.org/3610
project: packages/precise/python-django-openstack-auth
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created

Files placed on repository:
python-openstack-auth_1.1.7-ubuntu5_all.deb

NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-updates-stable-3610/ubuntu

OSCI Robot (oscirobot) wrote:

RPM package python-django-openstack-auth has been built for project packages/centos6/python-django-openstack-auth
Package version == 1.1.7, package release == 1

Changeset: https://review.fuel-infra.org/3609
project: packages/centos6/python-django-openstack-auth
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged

Files placed on repository:
python-django-openstack-auth-1.1.7-1.mira4.noarch.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-6.0-updates-stable/centos

OSCI Robot (oscirobot) wrote:

DEB package python-django-openstack-auth has been built for project packages/precise/python-django-openstack-auth
Package version == 1.1.7, package release == ubuntu5

Changeset: https://review.fuel-infra.org/3610
project: packages/precise/python-django-openstack-auth
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged

Files placed on repository:
python-openstack-auth_1.1.7-ubuntu5_all.deb

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-6.0-updates-stable/ubuntu

OSCI Robot (oscirobot) wrote:

RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2.mira10

Changeset: https://review.fuel-infra.org/4800
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Ermolov
committer: Alex Ermolov
subject: Fix web-server memory overrun when downloading objects from Swift
status: change-merged

Files placed on repository:
openstack-dashboard-2014.1.3-fuel5.1.2.mira10.noarch.rpm
openstack-dashboard-theme-2014.1.3-fuel5.1.2.mira10.noarch.rpm
python-django-horizon-2014.1.3-fuel5.1.2.mira10.noarch.rpm
python-django-horizon-doc-2014.1.3-fuel5.1.2.mira10.noarch.rpm

Changeset merged. Package placed on primary repository
RPM repository URL: http://osci-obs.vm.mirantis.net:82/centos-fuel-5.1.2-stable/centos

OSCI Robot (oscirobot) wrote:

DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2~mira8

Changeset: https://review.fuel-infra.org/4800
project: openstack/horizon
branch: openstack-ci/fuel-5.1.2/2014.1.1
author: Alex Ermolov
committer: Alex Ermolov
subject: Fix web-server memory overrun when downloading objects from Swift
status: change-merged

Files placed on repository:
openstack-dashboard-ubuntu-theme_2014.1.3-fuel5.1.2~mira8_all.deb
openstack-dashboard_2014.1.3-fuel5.1.2~mira8_all.deb
python-django-horizon_2014.1.3-fuel5.1.2~mira8_all.deb
python-django-openstack_2014.1.3-fuel5.1.2~mira8_all.deb

Changeset merged. Package placed on primary repository
DEB repository URL: http://osci-obs.vm.mirantis.net:82/ubuntu-fuel-5.1.2-stable/ubuntu

Paul Karikh (pkarikh) wrote:

on verification

Paul Karikh (pkarikh) wrote:

Looks like this bug is still valid for 6.1.

Mike Scherbakov (mihgen) wrote:

Folks, please provide an update on this one here.

Paul Karikh (pkarikh) wrote:

We've decided that it is a new bug. We've created a new MOS bug here: https://bugs.launchpad.net/mos/+bug/1459628
All updates are there.
For this bug we are setting `Fix Committed`.

Timur Sufiev (tsufiev-x) wrote:

Additional clarification: we consider this one as 'Fix Committed' because the upstream CVE fix was applied correctly, yet it hasn't received all the problems. For their solution, see bug 1459628.

Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix proposed to openstack/horizon (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Fix proposed to branch: openstack-ci/fuel-5.1.1-updates/2014.1.1
Change author: Alex Khivin <email address hidden>
Review: https://review.fuel-infra.org/9341

Timur Nurlygayanov (tnurlygayanov) wrote:

Could anybody confirm that it was successfully fixed in MOS 6.1 and change the status to Fix Released?

Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix merged to openstack/horizon (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Reviewed: https://review.fuel-infra.org/9341
Submitter: mos-infra-ci <>
Branch: openstack-ci/fuel-5.1.1-updates/2014.1.1

Commit: 818be36550701873b3882ebf687593cac911aeff
Author: Alexey Khivin <email address hidden>
Date: Tue Jul 14 16:37:48 2015

Horizon login page contains DOS attack mechanism

the horizon login page (really the middleware) accesses the session
too early in the login process, which will create session records
in the session backend. This is especially problematic when non-cookie
backends are used.

After speaking with Eric Peterson in IRC private we agreed that line
`response.delete_cookie('logout_reason')` in
openstack_dashboard/views.py is not related to the sessions issue (and
was just a clean-up).

Change-Id: I0aeb98da8e9a21262f4a602a5ddae4a4315100e7
Closes-Bug: #1398893
Closes-Bug: #1399271
(cherry picked from commit ec33d56d4fd93cc8fda4b7ef4ae259de4806f5f3)
