Your message dated Tue, 04 Apr 2017 23:04:06 +0000
with message-id <e1cvxuc-0002ir...@fasolo.debian.org>
and subject line Bug#859559: fixed in horizon 3:10.0.1-1
has caused the Debian Bug report #859559,
regarding horizon: CVE-2017-7400: XSS in federation mappings UI
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
859559: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859559
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: horizon
Version: 3:10.0.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://bugs.launchpad.net/horizon/+bug/1667086

Hi,

the following vulnerability was published for horizon.

CVE-2017-7400[0]:
| OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0
| allows remote authenticated administrators to conduct XSS attacks via a
| crafted federation mapping.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7400
[1] https://bugs.launchpad.net/horizon/+bug/1667086

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: horizon
Source-Version: 3:10.0.1-1

We believe that the bug you reported is fixed in the latest version of
horizon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated horizon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 04 Apr 2017 23:47:20 +0200
Source: horizon
Binary: python-django-horizon openstack-dashboard openstack-dashboard-apache horizon-doc
Architecture: source all
Version: 3:10.0.1-1
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-de...@lists.alioth.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
 horizon-doc - web application to control an OpenStack cloud - doc
 openstack-dashboard - web application to control an OpenStack cloud
 openstack-dashboard-apache - web application to control an OpenStack cloud - Apache support
 python-django-horizon - Django module providing web interaction with OpenStack
Closes: 846931 859559
Changes:
 horizon (3:10.0.1-1) unstable; urgency=high
 .
   [ Ivan Udovichenko ]
   * Sync to the latest version from stable/newton.
 .
   [ Thomas Goirand ]
   * CVE-2017-7400: XSS in federation mappings UI. Applied upstream patch:
     Remove dangerous safestring declaration (Closes: #859559).
   * Updated Italian translation of debconf messages (Closes: #846931).


--- End Message ---
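
Added illustration, not part of the thread and not Horizon's own code: a simplified, standard-library model of what the changelog entry "Remove dangerous safestring declaration" changes when federation mapping rules are rendered. SafeText, mark_safe, render_cell and the sample mapping are assumptions constructed for this example; Django's real auto-escaping is more involved.

```python
import html
import json


class SafeText(str):
    """Stand-in for a 'safe string': a str the renderer will not escape."""


def mark_safe(value):
    # Hypothetical helper modelling a safestring declaration.
    return SafeText(value)


def render_cell(value):
    """Model of an auto-escaping template: escape unless marked safe."""
    if isinstance(value, SafeText):
        return str(value)
    return html.escape(str(value))


def rules_cell_vulnerable(rules):
    # Pattern the changelog calls dangerous: JSON built from
    # administrator-supplied mapping rules is declared safe, so any
    # markup inside the rules reaches the page unescaped.
    return mark_safe(json.dumps(rules, indent=4))


def rules_cell_fixed(rules):
    # Safestring declaration removed: the value stays a plain str and
    # the renderer escapes it like any other untrusted data.
    return json.dumps(rules, indent=4)


# Constructed sample mapping; the markup is a harmless marker.
SAMPLE_RULES = [{
    "local": [{"user": {"name": "<b>marker</b>"}}],
    "remote": [{"type": "REMOTE_USER"}],
}]

if __name__ == "__main__":
    print(render_cell(rules_cell_vulnerable(SAMPLE_RULES)))
    print(render_cell(rules_cell_fixed(SAMPLE_RULES)))
```

json.dumps leaves "<" and ">" untouched, so JSON serialization alone never makes a value safe to place in HTML; the escaping has to happen at render time.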
