Your message dated Thu, 07 May 2026 08:19:57 +0000
with message-id <[email protected]>
and subject line Bug#1135810: fixed in horizon 3:25.7.3-1
has caused the Debian Bug report #1135810,
regarding horizon: CVE-2026-43002
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135810
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: horizon
Version: 3:25.7.2-1
Severity: important
Tags: security upstream
Forwarded: https://review.opendev.org/c/openstack/horizon/+/986834
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for horizon.

CVE-2026-43002[0]:
| An issue was discovered in OpenStack Horizon 25.6 and 25.7 before
| 25.7.3. There is a write operation to the session storage backend
| before authentication and thus storage can be exhausted by
| unauthenticated requests. This is a regression of the CVE-2014-8124
| fix.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-43002
    https://www.cve.org/CVERecord?id=CVE-2026-43002
[1] https://review.opendev.org/c/openstack/horizon/+/98683

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: horizon
Source-Version: 3:25.7.3-1
Done: Thomas Goirand <[email protected]>

We believe that the bug you reported is fixed in the latest version of
horizon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <[email protected]> (supplier of updated horizon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 May 2026 08:26:17 +0200
Source: horizon
Architecture: source
Version: 3:25.7.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <[email protected]>
Changed-By: Thomas Goirand <[email protected]>
Closes: 1135810
Changes:
 horizon (3:25.7.3-1) unstable; urgency=high
 .
   * New upstream release. Contains fix for CVE-2026-43002: a write operation to
     the session storage backend before authentication and thus storage can be
     exhausted by unauthenticated requests (Closes: #1135810).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
