Your message dated Sat, 09 Sep 2023 16:17:15 +0000
with message-id <[email protected]>
and subject line Bug#1050518: fixed in horizon 3:23.0.0-5+deb12u1
has caused the Debian Bug report #1050518,
regarding CVE-2022-45582: horizon: Open redirect / phishing attack via "success_url" parameter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1050518: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050518
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: horizon
Version: 3:23.0.0-5
Severity: important
Tags: patch

As reported in launchpad:

https://bugs.launchpad.net/horizon/+bug/1982676

The "success_url" param is used when updating the project snapshot and it
lacks sanitizing of the input URL, which allows an attacker to redirect the user
to another website.

For instance, the URL below will redirect you to https://hacker.com:

https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com

Impact: The attacker can trick users by redirecting them to the cloned website to steal
information, a so-called phishing attack.

Patches available here:
https://review.opendev.org/q/Ied142440965b1a722e7a4dd1be3b1be3b3e1644b

--- End Message ---
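The validation the report above says is missing, as an added example that is neither Horizon's own code nor the upstream patch: a standard-library reimplementation of the host-and-scheme check Django performs in `url_has_allowed_host_and_scheme`, with `dashboard.example.com` and the fallback path as assumed, constructed values.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed values for this example: the host the dashboard is served from
# and the page to land on when the parameter cannot be trusted.
ALLOWED_HOSTS = {"dashboard.example.com"}
FALLBACK_URL = "/project/snapshots/"


def _single_form_is_safe(url, allowed_hosts, require_https):
    # Three leading slashes: browsers read this as absolute, urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "http:///evil.example" has a scheme but no netloc; browsers still treat
    # the path component as the host, so reject it.
    if parts.scheme and not parts.netloc:
        return False
    # Leading control characters can make a browser treat the URL as
    # scheme-relative even though the parser sees a plain path.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # A scheme-relative URL ("//host/p") is effectively http.
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid = {"https"} if require_https else {"http", "https"}
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid
    )


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    """True only if `url` is a local path or points at an allowed host over http(s)."""
    if not url or not url.strip():
        return False
    # Browsers normalise backslashes to slashes, so "/\\evil" is "//evil":
    # both spellings must pass.
    return _single_form_is_safe(url, allowed_hosts, require_https) and \
        _single_form_is_safe(url.replace("\\", "/"), allowed_hosts, require_https)


def resolve_success_url(param, fallback=FALLBACK_URL):
    """The unsafe pattern is `return param`; validate and fall back instead."""
    return param if is_safe_redirect(param) else fallback
```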
--- Begin Message ---
Source: horizon
Source-Version: 3:23.0.0-5+deb12u1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
horizon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated horizon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Tue, 05 Sep 2023 11:31:00 +0200
Source: horizon
Architecture: source
Version: 3:23.0.0-5+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1050518
Changes:
 horizon (3:23.0.0-5+deb12u1) bookworm; urgency=medium
 .
   * CVE-2022-45582: Open redirect/phishing attack via "success_url" parameter,
     add upstream patch: "Fix success_url parameter issue for Edit Snapshot"
     (Closes: #1050518).


--- End Message ---