Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Dear release team,

Please unblock package horizon. Debdiff attached. See #772710 for details about this CVE. Debdiff attached.

Cheers,

Thomas Goirand (zigo)
diff -Nru horizon-2014.1.3/debian/changelog horizon-2014.1.3/debian/changelog --- horizon-2014.1.3/debian/changelog 2014-11-11 21:25:59.000000000 +0000 +++ horizon-2014.1.3/debian/changelog 2014-12-10 11:43:48.000000000 +0000 @@ -1,3 +1,10 @@ +horizon (2014.1.3-6) unstable; urgency=high + + * CVE-2014-8124: Horizon denial of service attack through login page. Applied + upstrema patch (Closes: #772710). + + -- Thomas Goirand <z...@debian.org> Wed, 10 Dec 2014 19:41:02 +0800 + horizon (2014.1.3-5) unstable; urgency=medium * Purge the /usr/share/openstack-dashboard/openstack_dashboard folder when diff -Nru horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch --- horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch 1970-01-01 00:00:00.000000000 +0000 +++ horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch 2014-12-10 11:43:48.000000000 +0000 
@@ -0,0 +1,61 @@ +Description: Horizon login page contains DOS attack mechanism + The horizon login page (really the middleware) accesses the session too early + in the login process, which will create session records in the session + backend. This is especially problematic when non-cookie backends are used. +Author: lin-hua-cheng <os.lch...@gmail.com> +Date: Tue, 2 Dec 2014 02:16:15 +0000 (-0800) +X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a +Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71 +Bug-Ubuntu: https://launchpad.net/bugs/1394370 +Bug-Debian: https://bugs.debian.org/772710 +Origin: upstream, https://review.openstack.org/#/c/140356/ +Last-Update: 2014-12-10 + +diff --git a/horizon/middleware.py b/horizon/middleware.py +index e4b72b2..3cdb36e 100644 +--- a/horizon/middleware.py ++++ b/horizon/middleware.py +@@ -49,6 +49,17 @@ class HorizonMiddleware(object): + + def process_request(self, request): + """Adds data necessary for Horizon to function to the request.""" ++ ++ request.horizon = {'dashboard': None, ++ 'panel': None, ++ 'async_messages': []} ++ if not hasattr(request, "user") or not request.user.is_authenticated(): ++ # proceed no further if the current request is already known ++ # not to be authenticated ++ # it is CRITICAL to perform this check as early as possible ++ # to avoid creating too many sessions ++ return None ++ + # Activate timezone handling + tz = request.session.get('django_timezone') + if tz: +@@ -62,14 +73,6 @@ class HorizonMiddleware(object): + + last_activity = request.session.get('last_activity', None) + timestamp = int(time.time()) +- request.horizon = {'dashboard': None, +- 'panel': None, +- 'async_messages': []} +- +- if not hasattr(request, "user") or not request.user.is_authenticated(): +- # proceed no further if the current request is already known +- # not to be authenticated +- return None + + # If we use cookie-based sessions, 
check that the cookie size does not + # reach the max size accepted by common web browsers. +diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py +index 8a630e9..5ff1fd5 100644 +--- a/openstack_dashboard/views.py ++++ b/openstack_dashboard/views.py +@@ -33,6 +33,4 @@ def splash(request): + if request.user.is_authenticated(): + return shortcuts.redirect(horizon.get_user_home(request.user)) + form = forms.Login(request) +- request.session.clear() +- request.session.set_test_cookie() + return shortcuts.render(request, 'splash.html', {'form': form}) diff -Nru horizon-2014.1.3/debian/patches/series horizon-2014.1.3/debian/patches/series --- horizon-2014.1.3/debian/patches/series 2014-11-11 21:25:59.000000000 +0000 +++ horizon-2014.1.3/debian/patches/series 2014-12-10 11:43:48.000000000 +0000 @@ -6,3 +6,4 @@ 0009_Fix-TypeError-SecurityGroup-object-is-not-iterable-t.patch disable-failed-django-1.7-test.patch Update_WSGI_app_creation_to_be_compatible_with_Django_1.7.patch +CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch
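Review bot: typo in the debian/changelog hunk for 2014.1.3-6: "Applied upstrema patch (Closes: #772710)" should read "Applied upstream patch (Closes: #772710)". The changelog entry is what shows up in the tracker and apt-listchanges for the CVE fix, so it is worth correcting in the next upload.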
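Review bot: in the horizon/middleware.py hunks the early `return None` for unauthenticated requests is moved above `request.session.get('django_timezone')`, but the comment "to avoid creating too many sessions" overstates what this reorder does by itself: the only session operation it now skips is a read. The visible write path, `request.session.clear()` and `request.session.set_test_cookie()` in openstack_dashboard/views.py, is what is removed in the other file, and the patch header's Description ("really the middleware") should say that both halves are needed so nobody backports the middleware change alone and assumes the DoS is closed. One side effect worth a line in the Description: timezone activation now happens only for authenticated users, so the splash/login page always renders in the default TIME_ZONE.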
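Review bot: the openstack_dashboard/views.py hunk removes `request.session.set_test_cookie()` from `splash()` without any visible change to whatever consumed the test cookie. If `forms.Login` or the auth view still calls `test_cookie_worked()`, a first login on a browser with cookies enabled would now fail that check with a misleading "cookies disabled" error. Please confirm the consumer side was dropped in the same upstream change (Origin: https://review.openstack.org/#/c/140356/) or state in the patch header that the test-cookie handshake is intentionally gone; the backport only touches these two files, so the reviewer cannot see it here.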