Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Dear release team,

Please unblock package python-django-openstack-auth. The upstream patch is a one-liner fixing the DOS on the login page on the side of this lib. Debdiff attached.

Cheers,

Thomas Goirand (zigo)
diff -Nru python-django-openstack-auth-1.1.6/debian/changelog python-django-openstack-auth-1.1.6/debian/changelog --- python-django-openstack-auth-1.1.6/debian/changelog 2014-09-29 06:45:50.000000000 +0000 +++ python-django-openstack-auth-1.1.6/debian/changelog 2014-12-10 12:10:01.000000000 +0000 @@ -1,3 +1,10 @@ +python-django-openstack-auth (1.1.6-5) unstable; urgency=high + + * CVE-2014-8124: Horizon login page contains DOS attack mechanism. Applied + upstream patch (Closes: #772712). + + -- Thomas Goirand <z...@debian.org> Wed, 10 Dec 2014 20:07:03 +0800 + python-django-openstack-auth (1.1.6-4) unstable; urgency=medium * Add upstream patch fixing FTBFS: fix-tests.patch. Thanks to David Suárez diff -Nru python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch --- python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch 1970-01-01 00:00:00.000000000 +0000 +++ python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch 2014-12-10 12:10:01.000000000 +0000 
@@ -0,0 +1,27 @@ +Description: Horizon login page contains DOS attack mechanism + The horizon login page (and middleware) accesses the session too early in the + login process, which will create session records in the session backend. This + is especially problematic when non-cookie backends are used. +Author: eric <eric.peters...@twcable.com> +Date: Mon, 8 Dec 2014 23:38:26 +0000 (-0700) +X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fdjango_openstack_auth.git;a=commitdiff_plain;h=e676c88a329af57d6c4f13df54f6e1e06c1f8360 +Co-Authored-By: Tihomir Trifonov <t.trifo...@gmail.com> +Co-Authored-By: Eric Peterson <eric.peters...@twcable.com> +Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c +Bug-Ubuntu: https://launchpad.net/bugs/1394370 +Bug-Debian: https://bugs.debian.org/772712 +Origin: upstream, https://review.openstack.org/#/c/140352/ +Last-Update: 2014-12-10 + +diff --git a/openstack_auth/forms.py b/openstack_auth/forms.py +index 2c8092c..8c1fcee 100644 +--- a/openstack_auth/forms.py ++++ b/openstack_auth/forms.py +@@ -98,7 +98,6 @@ class Login(django_auth_forms.AuthenticationForm): + msg = 'Login failed for user "%(username)s".' % \ + {'username': username} + LOG.warning(msg) +- self.request.session.flush() + raise forms.ValidationError(exc) + if hasattr(self, 'check_for_test_cookie'): # Dropped in django 1.7 + self.check_for_test_cookie() diff -Nru python-django-openstack-auth-1.1.6/debian/patches/series python-django-openstack-auth-1.1.6/debian/patches/series --- python-django-openstack-auth-1.1.6/debian/patches/series 2014-09-29 06:45:50.000000000 +0000 +++ python-django-openstack-auth-1.1.6/debian/patches/series 2014-12-10 12:10:01.000000000 +0000 @@ -1,3 +1,4 @@ 0001-Call-django.setup-before-running-tests-for-Django-1..patch 0002-Don-t-call-check_for_test_cookie-with-Django-1.7.patch fix-tests.patch +CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch
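Review bot: in the debian/changelog hunk, the 1.1.6-5 entry names CVE-2014-8124 and the bug closure but says only "Applied upstream patch"; adding the upstream commit id e676c88a329af57d6c4f13df54f6e1e06c1f8360 (or the review URL https://review.openstack.org/#/c/140352/) that the patch header already carries would let the security tracker and anyone reading the changelog trace the fix without opening the patch file.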
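Review bot: the openstack_auth/forms.py hunk removes `self.request.session.flush()` from the failed-login branch of `Login.clean()` and that one line is the entire fix, so two things should be confirmed before unblock. First, the DEP-3 Description says both the login page "and middleware" touch the session too early, yet the hunk changes only forms.py; check against the upstream commit in the X-Git-Url header whether the middleware side was a separate upstream change or is missing from this backport. Second, the security reasoning behind the removal deserves a line in the patch header: on a failed attempt, `flush()` discards the current session and, in the Django releases this package targets (the `check_for_test_cookie` context line shows it still supports pre-1.7), immediately creates a replacement session in the configured backend, so with a database or cache backend (the "non-cookie backends" the Description names) every failed, unauthenticated login writes a new record and the backend can be grown without limit; dropping the call stops those writes. The trade-off is that a failed login from a client that already holds a session no longer clears that session; this is acceptable because the branch raises `forms.ValidationError` and nothing in the visible code marks the request as authenticated, but stating it explicitly would help the next maintainer.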