[Yahoo-eng-team] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack
This has been published as OSSN-0054:
https://wiki.openstack.org/wiki/OSSN/OSSN-0054

** Changed in: ossn
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1457551

Title:
  Another Horizon login page vulnerability to a DoS attack

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  This bug is very similar to: https://bugs.launchpad.net/bugs/1394370

  Steps to reproduce:
  1) Set up Horizon to use db as the session engine (using this doc: http://docs.openstack.org/admin-guide-cloud/content/dashboard-session-database.html). I've used MySQL.
  2) Run 'for i in {1..100}; do curl -b "sessionid=a;" http://HORIZON__IP/auth/login/ &> /dev/null; done' from your terminal.

  I've got 100 rows in django_session after this.

  I've used a devstack installation, just with an updated master branch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1457551/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
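The mechanism behind the report above is that every request carrying an unknown sessionid cookie is treated as having no session, and because the login view writes to the session before responding, the database backend inserts a fresh django_session row per request, so an unauthenticated client can grow the table without bound. The following is an added example, not code from the bug report, Horizon, Django or OSSN-0054: it models that behaviour against an in-memory SQLite table shaped like Django's django_session table (session_key, session_data, expire_date), then shows two defender-side controls: a growth-rate check over periodic row-count samples, and a purge of expired rows with the same effect as Django's `manage.py clearsessions` command for the db backend. The 14-day SESSION_COOKIE_AGE matches Django's default; the `touch_session=False` path is an illustrative hardening (not touching the session on anonymous GETs), not a change Horizon made.

```python
"""Model of unbounded django_session growth from requests with bogus session cookies.

Added example; not Horizon, Django or OSSN-0054 code. SQLite stands in for the
MySQL session table used in the report, and the row layout mirrors Django's
django_session table (session_key, session_data, expire_date).
"""
import secrets
import sqlite3
from datetime import datetime, timedelta

# Django's default SESSION_COOKIE_AGE is two weeks; assumed here for the model.
SESSION_COOKIE_AGE = timedelta(days=14)


def new_store() -> sqlite3.Connection:
    """Create an empty in-memory table with the columns of django_session."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE django_session ("
        "session_key VARCHAR(40) PRIMARY KEY, "
        "session_data TEXT NOT NULL, "
        "expire_date DATETIME NOT NULL)"
    )
    return conn


def handle_login_get(conn, cookie_session_key, now, touch_session=True):
    """Model one unauthenticated GET of the login page with a presented sessionid.

    A key that is not in the table counts as 'no session'. If the view then
    touches the session (Django's login view sets a test cookie), the store
    writes a brand-new row when the response is built: that is the growth the
    report measured. With touch_session=False the anonymous request leaves no
    row behind. Returns the key of the row that now backs the session, or None.
    """
    row = conn.execute(
        "SELECT session_key FROM django_session WHERE session_key = ?",
        (cookie_session_key,),
    ).fetchone()
    if row:
        return row[0]
    if not touch_session:
        return None
    key = secrets.token_hex(16)  # fresh random key, never the client-supplied one
    conn.execute(
        "INSERT INTO django_session VALUES (?, ?, ?)",
        (key, "testcookie=worked", (now + SESSION_COOKIE_AGE).isoformat()),
    )
    conn.commit()
    return key


def row_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM django_session").fetchone()[0]


def model_reported_growth(n_requests, touch_session=True, now=None) -> int:
    """Replay the report's loop (n requests, all with sessionid=a) and return the row count."""
    now = now or datetime(2015, 5, 21, 12, 0, 0)
    conn = new_store()
    for _ in range(n_requests):
        handle_login_get(conn, "a", now, touch_session=touch_session)
    return row_count(conn)


def growth_alert(samples, max_rows_per_minute):
    """Detection: samples are (timestamp, row_count) pairs taken periodically.

    Returns the (t0, t1, rows_per_minute) windows whose growth rate exceeds the
    threshold, so a monitoring job can flag a session-table flood.
    """
    alerts = []
    for (t0, n0), (t1, n1) in zip(samples, samples[1:]):
        minutes = (t1 - t0).total_seconds() / 60
        if minutes <= 0:
            continue
        rate = (n1 - n0) / minutes
        if rate > max_rows_per_minute:
            alerts.append((t0, t1, rate))
    return alerts


def clear_expired(conn, now) -> int:
    """Purge rows past expire_date; same effect as `manage.py clearsessions`.

    ISO-8601 strings of naive datetimes compare correctly as text, which is
    why the model stores expire_date that way. Returns the number of rows removed.
    """
    cur = conn.execute(
        "DELETE FROM django_session WHERE expire_date < ?", (now.isoformat(),)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    t0 = datetime(2015, 5, 21, 12, 0, 0)
    print("rows after 100 bogus-cookie requests:", model_reported_growth(100))
    print("rows when anonymous GETs do not touch the session:",
          model_reported_growth(100, touch_session=False))
    # Constructed monitoring samples: one minute of flooding, then quiet.
    samples = [(t0, 0), (t0 + timedelta(minutes=1), 100), (t0 + timedelta(minutes=2), 105)]
    print("growth alerts:", growth_alert(samples, max_rows_per_minute=50))
```

The purge only bounds the table by SESSION_COOKIE_AGE, so on its own it limits how long the flood persists rather than how fast it grows; the growth check is what turns the pattern into something an operator sees while it is happening.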
[Yahoo-eng-team] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack
** Changed in: horizon
       Status: New => Won't Fix

https://bugs.launchpad.net/bugs/1457551

Title:
  Another Horizon login page vulnerability to a DoS attack

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  New
[Yahoo-eng-team] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack
We normally don't increase upper bounds on requirements in stable branches. Does horizon 2014.2.x actually work with Django 1.8? If not, is it possible to modify it to work without significant risk of introducing new regressions and behavior changes? This is primarily a concern for people continuously deploying stable/juno from source. Any distributions which packaged 2014.2 will almost certainly have security fixes backported to the release of Django they're shipping rather than upgrading to a later Django release.

Anyway, these are conversations which can be had in public now that we won't be disclosing the Django vulnerability by opening this bug report.

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

https://bugs.launchpad.net/bugs/1457551

Title:
  Another Horizon login page vulnerability to a DoS attack

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisories:
  Won't Fix
[Yahoo-eng-team] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack
OSSN seems appropriate for this once we have guidance for a proper approach to mitigating this.

** Also affects: ossn
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1457551

Title:
  Another Horizon login page vulnerability to a DoS attack

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  New