Horizon SSL configuration vulnerable

Bug #1404862 reported by Jesse Pretorius
Affects | Status | Importance | Assigned to | Milestone
OpenStack-Ansible | Fix Released | Critical | Jesse Pretorius |
Icehouse | Fix Released | Critical | Darren Birkett |
Juno | Fix Released | Critical | Darren Birkett |

Bug Description

Currently the Apache configuration for Horizon is very simple and therefore vulnerable to various forms of SSL and TLS attack vectors. The Qualys SSL test on the default setup results in a C grading. In order to ensure that best practices are implemented and anyone using os-ansible-deployment has a secure-by-default setup, this needs to be addressed.

Tags: security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (master)

Fix proposed to branch: master
Review: https://review.openstack.org/143430

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/143430
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=b11236a6e25585c49c6bdf7d15eb17542bca0c88
Submitter: Jenkins
Branch: master

commit b11236a6e25585c49c6bdf7d15eb17542bca0c88
Author: Jesse Pretorius <email address hidden>
Date: Mon Dec 22 12:01:14 2014 +0000

    Improve Apache SSL configuration

    This patch implements changes in the SSL configuration to ensure that
    Horizon is not vulnerable to common SSL and TLS attack vectors.

    Change-Id: I2e24ea3b99c7caadfbc8992ac78648cfdc6c301d
    Closes-Bug: #1404862

Changed in openstack-ansible:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (juno)

Fix proposed to branch: juno
Review: https://review.openstack.org/147133

tags: removed: juno-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (icehouse)

Fix proposed to branch: icehouse
Review: https://review.openstack.org/147134

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (icehouse)

Reviewed: https://review.openstack.org/147134
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=7372aa204fb0cfadb081c74e03b05149127a7836
Submitter: Jenkins
Branch: icehouse

commit 7372aa204fb0cfadb081c74e03b05149127a7836
Author: Jesse Pretorius <email address hidden>
Date: Mon Dec 22 12:01:14 2014 +0000

    Improve Apache SSL configuration

    This patch implements changes in the SSL configuration to ensure that
    Horizon is not vulnerable to common SSL and TLS attack vectors.

    Change-Id: I2e24ea3b99c7caadfbc8992ac78648cfdc6c301d
    Closes-Bug: #1404862
    (cherry picked from commit b11236a6e25585c49c6bdf7d15eb17542bca0c88)

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (juno)

Reviewed: https://review.openstack.org/147133
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=9c7a71bd2b14ad3f5c705a949c03e39f849d8526
Submitter: Jenkins
Branch: juno

commit 9c7a71bd2b14ad3f5c705a949c03e39f849d8526
Author: Jesse Pretorius <email address hidden>
Date: Mon Dec 22 12:01:14 2014 +0000

    Improve Apache SSL configuration

    This patch implements changes in the SSL configuration to ensure that
    Horizon is not vulnerable to common SSL and TLS attack vectors.

    SecurityImpact
    Change-Id: I2e24ea3b99c7caadfbc8992ac78648cfdc6c301d
    Closes-Bug: #1404862
    (cherry picked from commit b11236a6e25585c49c6bdf7d15eb17542bca0c88)

Changed in openstack-ansible:
status: Fix Committed → Fix Released