Your message dated Sat, 09 Sep 2023 16:17:39 +0000
with message-id <[email protected]>
and subject line Bug#1050518: fixed in horizon 3:18.6.2-5+deb11u2
has caused the Debian Bug report #1050518,
regarding CVE-2022-45582: horizon: Open redirect / phishing attack via "success_url" parameter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1050518: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050518
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: horizon
Version: 3:23.0.0-5
Severity: important
Tags: patch

As reported in launchpad:

https://bugs.launchpad.net/horizon/+bug/1982676

The "success_url" param is used when updating the project snapshot, and it
lacks sanitizing of the input URL, which allows an attacker to redirect the user
to another website.

For instance, the URL below will redirect you to https://hacker.com:

https://xxx.com/project/snapshots/a54c1d97-d354-4171-9602-52fdf0949e83/update/?success_url=https://hacker.com

Impact: The attacker can trick users into being redirected to the cloned website to steal
information, a so-called phishing attack.

Patches available here:
https://review.opendev.org/q/Ied142440965b1a722e7a4dd1be3b1be3b3e1644b

--- End Message ---
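An added example, not part of the bug report or Horizon's own code, of the same-host check that closes this class of open redirect: a "success_url"-style parameter is honoured only when it is a relative path or points at an allowed host, and the view falls back to a default target otherwise. The `DEFAULT_URL`, the `allowed_hosts` set and the function names are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed fallback target for the example; not Horizon's real default.
DEFAULT_URL = "/project/snapshots/"


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if `url` keeps the user on one of `allowed_hosts`.

    Illustrative reimplementation of the same-host check web frameworks
    apply to "next"/"success_url" parameters; not Horizon's own code.
    """
    if not url or url.strip() != url:
        return False
    # Browsers treat backslashes like forward slashes, so normalise first:
    # "/\evil.example" would otherwise parse as a harmless local path.
    normalised = url.replace("\\", "/")
    # Control characters can smuggle a second scheme or host past a parser.
    if any(ord(c) < 0x20 or c == "\x7f" for c in normalised):
        return False
    parts = urlsplit(normalised)
    # A scheme with no host ("javascript:...", "http:evil") is never wanted.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme not in ("", "http", "https"):
        return False
    if require_https and parts.scheme == "http":
        return False
    # No netloc means a plain relative path: the normal, safe case.
    # "//evil.example" does carry a netloc and is checked below.
    if not parts.netloc:
        return True
    # hostname strips userinfo and port, so "https://xxx.com@evil/" fails.
    return parts.hostname in allowed_hosts


def resolve_success_url(param, allowed_hosts, default=DEFAULT_URL):
    """Redirect target a view should use: the parameter if safe, else default."""
    return param if is_safe_redirect(param, allowed_hosts) else default
```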
--- Begin Message ---
Source: horizon
Source-Version: 3:18.6.2-5+deb11u2
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
horizon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated horizon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 06 Sep 2023 10:20:55 +0200
Source: horizon
Architecture: source
Version: 3:18.6.2-5+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1050518
Changes:
 horizon (3:18.6.2-5+deb11u2) bullseye; urgency=medium
 .
   * CVE-2022-45582: Open redirect/phishing attack via "success_url" parameter,
     add upstream patch: "Fix success_url parameter issue for Edit Snapshot"
     (Closes: #1050518).


--- End Message ---
