Source: horizon
Version: 2014.1.1-2
Severity: important
Tags: security patch

Message from the pre-OSSA team, before uploading the fixed package. Note that, despite the announcement, 2014.1.1 is really vulnerable.

Thomas Goirand (zigo)

Title: Multiple XSS vulnerabilities in Horizon
Reporter: Jason Hullinger (HP), Craig Lorentzen (Cisco), Michael Xin (Rackspace)
Products: Horizon
Versions: up to 2013.2.3, and 2014.1

Description:
Jason Hullinger from Hewlett Packard, Craig Lorentzen from Cisco and Michael Xin from Rackspace reported 3 cross-site scripting (XSS) vulnerabilities in Horizon. A malicious Orchestration template owner or catalog may conduct an XSS attack once a corrupted template is used in the Orchestration/Stack section of Horizon (CVE-2014-3473). A malicious Horizon user may store an XSS attack by creating a network with a corrupted name (CVE-2014-3474). A malicious Horizon administrator may store an XSS attack by creating a user with a corrupted email address (CVE-2014-3475). Once executed in a legitimate context these attacks may result in potential asset stealing (horizon user/admin access credentials, VMs/Network configuration/management, tenants' confidential information, etc.). All Horizon setups are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches will be merged to stable/havana, stable/icehouse and master (Juno development branch) on the public disclosure date.

Icehouse fix: https://review.openstack.org/105477

CVE: CVE-2014-3473, CVE-2014-3474 and CVE-2014-3475
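As an added example (not part of this bug report or of Horizon's own code), a stdlib-only helper an operator can run after patching to check whether a tenant already stored markup in the three fields the advisory names (network names, user e-mail addresses, stack templates), alongside the escaping an autoescaped Django template applies when rendering them. The record values are constructed, and the markup heuristic is an assumption, not Horizon's own check.

```python
import html
import re

# Constructed sample records standing in for the fields Horizon renders:
# Neutron network names (CVE-2014-3474), Keystone user e-mail addresses
# (CVE-2014-3475) and Heat template strings (CVE-2014-3473).
SAMPLE_RECORDS = [
    {"kind": "network", "id": "net-1", "value": "prod-frontend"},
    {"kind": "network", "id": "net-2", "value": "x<script>alert(1)</script>"},
    {"kind": "user", "id": "u-1", "value": "alice@example.com"},
    {"kind": "user", "id": "u-2", "value": 'bob@example.com"><i>x</i>'},
    {"kind": "stack_template", "id": "s-1", "value": "description: web tier"},
]

# Heuristic (assumed, not exhaustive): an HTML tag opener, an inline event
# handler attribute, or a javascript: URL has no business in a resource name
# or e-mail address.  Hits are leads for manual review, not proof of attack.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def find_suspicious(records):
    """Return (kind, id) for every record whose value contains HTML markup."""
    return [(r["kind"], r["id"]) for r in records if _MARKUP.search(r["value"])]


def render_cell(value):
    """Escape a value the way Django's autoescaping does before it reaches a
    template; this is the behaviour the fixed templates must preserve."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for kind, rid in find_suspicious(SAMPLE_RECORDS):
        print(f"review {kind} {rid}")
    print(render_cell(SAMPLE_RECORDS[1]["value"]))
```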