Package: python-django-openstack-auth Version: 1.1.6-4 Severity: grave Tags: security patch
Note from maintainer: Opening this bug before uploading the security fixes. OpenStack Security Advisory: 2014-040 CVE: CVE-2014-8124 Date: December 09, 2014 Title: Horizon denial of service attack through login page Reporter: Eric Peterson (Time Warner Cable) Products: Horizon Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1 Description: Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By making repeated requests to the Horizon login page a remote attacker may generate unwanted session records, potentially resulting in a denial of service. Only Horizon setups using a db or memcached session engine are affected. Kilo (development branch) fix: https://review.openstack.org/140353 Juno fix: https://review.openstack.org/140358 Icehouse fix: https://review.openstack.org/140356 django_openstack_auth fix: https://review.openstack.org/140352 Notes: This fix will be included in future 2014.1.3 and 2014.2.1 releases. The django_openstack_auth Horizon dependency requires the additional patch above. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124 https://launchpad.net/bugs/1394370 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
