[Yahoo-eng-team] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack

2015-09-17 Thread Nathan Kinder
This has been published as OSSN-0054:

  https://wiki.openstack.org/wiki/OSSN/OSSN-0054

** Changed in: ossn
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1457551

Title:
  Another Horizon login page vulnerability to a DoS attack

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  This bug is very similar to: https://bugs.launchpad.net/bugs/1394370

  Steps to reproduce:
  1) Set up Horizon to use db as session engine (using this doc: http://docs.openstack.org/admin-guide-cloud/content/dashboard-session-database.html). I've used MySQL.
  2) Run 'for i in {1..100}; do curl -b "sessionid=a;" http://HORIZON__IP/auth/login/ &> /dev/null; done' from your terminal.
  I've got 100 rows in django_session after this.

  I've used devstack installation just with updated master branch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1457551/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
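The reproducer in the bug description shows the symptom: one django_session row per request that presents a bogus sessionid cookie. As an added illustration (not code from Horizon, Django or anyone in this thread), the toy store below models that eager write beside a store that persists nothing until the session actually holds state, and includes an expiry sweep of the kind `manage.py clearsessions` performs; the class and function names are invented for the example.

```python
"""Added illustration, not Horizon or Django code: a toy DB-backed session
store reproducing the symptom from bug 1457551 (a new row per request
carrying an unknown sessionid) next to a store that only writes a row once
the session holds real state."""
import secrets
import time


class SessionStore:
    """Minimal stand-in for a table like django_session: key -> (data, expiry)."""

    def __init__(self, ttl_seconds=1209600):  # same default age as SESSION_COOKIE_AGE
        self.rows = {}
        self.ttl = ttl_seconds

    def load(self, key):
        row = self.rows.get(key)
        if row and row[1] > time.time():
            return dict(row[0])
        return None  # unknown or expired key: no session

    def save(self, key, data):
        self.rows[key] = (dict(data), time.time() + self.ttl)

    def clear_expired(self, now=None):
        """Drop expired rows; returns how many were removed (cf. clearsessions)."""
        now = time.time() if now is None else now
        before = len(self.rows)
        self.rows = {k: v for k, v in self.rows.items() if v[1] > now}
        return before - len(self.rows)


def eager_login_get(store, cookie_key):
    """Vulnerable pattern: an unknown sessionid still produces a fresh row on
    every unauthenticated GET of the login page, so rows grow with requests."""
    data = store.load(cookie_key) or {}
    new_key = secrets.token_hex(16)
    store.save(new_key, data)  # written even though there is nothing to keep
    return new_key


def lazy_login_get(store, cookie_key):
    """Hardened pattern: an unknown or empty session is never persisted; a row
    is written only once there is state worth keeping (e.g. after a login)."""
    data = store.load(cookie_key)
    if not data:
        return None  # nothing saved, nothing to fill the table with
    return cookie_key


def simulate(handler, requests=100, forged_key="a"):
    """Replay the reproducer (N GETs with one bogus cookie); return the row count."""
    store = SessionStore()
    for _ in range(requests):
        handler(store, forged_key)
    return len(store.rows)
```

A row count that climbs in step with unauthenticated login-page hits, as `simulate(eager_login_get)` does, is the signal a defender can watch for on django_session.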


[Yahoo-eng-team] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack

2015-07-16 Thread Lin Hua Cheng
** Changed in: horizon
   Status: New => Won't Fix



[Yahoo-eng-team] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack

2015-07-09 Thread Jeremy Stanley
We normally don't increase upper bounds on requirements in stable
branches. Does horizon 2014.2.x actually work with Django 1.8? If not,
is it possible to modify it to work without significant risk of
introducing new regressions and behavior changes? This is primarily a
concern for people continuously deploying stable/juno from source. Any
distributions which packaged 2014.2 will almost certainly have security
fixes backported to the release of Django they're shipping rather than
upgrading to a later Django release.

Anyway, these are conversations which can be had in public now that we
won't be disclosing the Django vulnerability by opening this bug report.

** Information type changed from Private Security to Public

** Changed in: ossa
   Status: Incomplete => Won't Fix

** Tags added: security



[Yahoo-eng-team] [Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack

2015-07-09 Thread Travis McPeak
OSSN seems appropriate for this once we have guidance for a proper
approach to mitigating this.

** Also affects: ossn
   Importance: Undecided
   Status: New
