CVE-2014-0157: XSS in Horizon orchestration dashboard

Related Vulnerabilities: CVE-2014-0157   CVE-2014-0165   CVE-2014-0166  

Debian Bug report logs - #744019
CVE-2014-0157: XSS in Horizon orchestration dashboard


Reported by: Thomas Goirand <zigo@debian.org>

Date: Wed, 9 Apr 2014 09:21:01 UTC

Severity: important

Found in version horizon/2013.2.2-2

Fixed in version horizon/2013.2.3-1

Done: Thomas Goirand <thomas@goirand.fr>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#744019; Package src:horizon. (Wed, 09 Apr 2014 09:21:06 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 09 Apr 2014 09:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-0157: XSS in Horizon orchestration dashboard
Date: Wed, 09 Apr 2014 17:16:49 +0800
Source: horizon
Version: 2013.2.2-2
Severity: important

Reporter: Cristian Fiorentino (Intel)
Products: Horizon
Versions: 2013.2 version up to 2013.2.3

Description:
Cristian Fiorentino from Intel reported a vulnerability in Horizon
Orchestration dashboard. By tricking a Horizon user into using a
malicious template in the Orchestration/Stack section of Horizon, a
remote attacker may trigger a cross-site-scripting vulnerability. It may
result in potential assets theft (Horizon user/admin access credentials,
tenants confidential information, etc.). Only setups exposing the
orchestration dashboard in Horizon are affected.

Note from maintainer:
Patched version is already on its way.
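The report above describes template-supplied text reaching the dashboard's HTML unescaped, and the package changelog names the upstream fix as one that introduces escaping. The block below is an added illustration of that general pattern and is not Horizon's or the Debian package's own code: the parameter dict, the two renderer functions and the `has_untrusted_tag` audit helper are all constructed for this example and are hypothetical. It renders the `parameters` section of an orchestration template into form fields once without escaping and once with `html.escape`, and checks which output carries markup the renderer did not emit itself.

```python
import html
import re
from typing import Dict, Tuple

# Constructed sample: the "parameters" section of a Heat-style orchestration
# template, already parsed into a dict. The "description" strings come from
# whoever authored the template, so they are untrusted input to the dashboard.
SAMPLE_PARAMETERS: Dict[str, Dict[str, str]] = {
    "flavor": {"type": "string", "description": "Instance flavor"},
    "image": {"type": "string",
              "description": "<script>alert(1)</script>"},
}


def render_field_unescaped(name: str, meta: Dict[str, str]) -> str:
    """Vulnerable pattern: template-controlled text interpolated into HTML as-is."""
    description = meta.get("description", "")
    return (f'<label for="{name}">{name}</label>'
            f'<p class="help">{description}</p>')


def render_field_escaped(name: str, meta: Dict[str, str]) -> str:
    """Hardened pattern: every template-derived string is escaped before it is
    placed in element content or an attribute value."""
    safe_name = html.escape(name, quote=True)
    description = html.escape(meta.get("description", ""), quote=True)
    return (f'<label for="{safe_name}">{safe_name}</label>'
            f'<p class="help">{description}</p>')


def render_form(parameters: Dict[str, Dict[str, str]], escape: bool = True) -> str:
    """Render all template parameters as form fields; escape=False reproduces
    the vulnerable behaviour for comparison."""
    renderer = render_field_escaped if escape else render_field_unescaped
    return "\n".join(renderer(name, meta) for name, meta in parameters.items())


def has_untrusted_tag(rendered: str,
                      expected_tags: Tuple[str, ...] = ("label", "p")) -> bool:
    """Crude audit check: any tag name other than the ones the renderer emits
    itself means template-supplied markup reached the page unescaped."""
    tag_names = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered)
    return any(tag.lower() not in expected_tags for tag in tag_names)


if __name__ == "__main__":
    for escape in (False, True):
        output = render_form(SAMPLE_PARAMETERS, escape=escape)
        print(f"escape={escape}: untrusted markup present="
              f"{has_untrusted_tag(output)}")
```

The audit helper is deliberately simple: it only tells you whether the rendered output contains element names the renderer never produces, which is enough to distinguish the two code paths on the constructed input. In a real Django application the same property is normally obtained by leaving template autoescaping on and never wrapping template-derived strings in `mark_safe`.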



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 09 Apr 2014 11:51:08 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Wed, 09 Apr 2014 11:51:08 GMT)


Message #10 received at 744019-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 744019-close@bugs.debian.org
Subject: Bug#744019: fixed in horizon 2013.2.3-1
Date: Wed, 09 Apr 2014 11:48:47 +0000
Source: horizon
Source-Version: 2013.2.3-1

We believe that the bug you reported is fixed in the latest version of
horizon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 744019@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated horizon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 09 Apr 2014 17:14:08 +0800
Source: horizon
Binary: python-django-horizon openstack-dashboard openstack-dashboard-apache
Architecture: source all
Version: 2013.2.3-1
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 openstack-dashboard - OpenStack Dashboard
 openstack-dashboard-apache - OpenStack Dashboard - Apache support
 python-django-horizon - Django module providing web interaction with OpenStack
Closes: 744019
Changes: 
 horizon (2013.2.3-1) unstable; urgency=high
 .
   * New upstream point release.
   * CVE-2014-0157: XSS in Horizon orchestration dashboard. Applying upstream
     patch: Introduces_escaping_in_Horizon-Orchestration. (Closes: #744019)
Checksums-Sha1: 
 a4ba4326ab3a4ef6405cba90a252d520a536d02c 3104 horizon_2013.2.3-1.dsc
 79468bbb6956468880dd87a5d7df9aeba61199cb 1171012 horizon_2013.2.3.orig.tar.xz
 60cd30753bb17a5b5d83bacff64eeb2614ab7d8f 22136 horizon_2013.2.3-1.debian.tar.xz
 8d7d34522c8293695803a46c824752c614ad25e8 873496 python-django-horizon_2013.2.3-1_all.deb
 e23095806027fb4d8f2f2a8902425ccd3fcdbc9a 876708 openstack-dashboard_2013.2.3-1_all.deb
 d1e84d076144beb7ca0b016426de9521ac877db8 9888 openstack-dashboard-apache_2013.2.3-1_all.deb
Checksums-Sha256: 
 246dfa9ad047e2d938270d295491a6015d496042ce3cf0b670461b3b14e7fc88 3104 horizon_2013.2.3-1.dsc
 48cd1a57d5b52f8ce99a066cf3567ffbb44caea04a245b311560cf63c515d7e9 1171012 horizon_2013.2.3.orig.tar.xz
 b238384052b2f7db624119ce476f8000167f3a01d66a3db40815c8333f33248d 22136 horizon_2013.2.3-1.debian.tar.xz
 bac8801d57cb63f71bbd757857ab2e4866bbd4e6309c901e9840d6e865251615 873496 python-django-horizon_2013.2.3-1_all.deb
 d5e4de8c6c844524a8aa529e44a3ecc9a8a7fe5e03e6c2ba5d23a5461c85e827 876708 openstack-dashboard_2013.2.3-1_all.deb
 4071eac47c5bb6c203fd7292a3109b69824dfc8c4bda4f8edbf7f7a2349c68d5 9888 openstack-dashboard-apache_2013.2.3-1_all.deb
Files: 
 565eb3385a3517cd1f9fd3eb298295f4 3104 net extra horizon_2013.2.3-1.dsc
 9ef4d941dcee4a40efe05d3f216cfa39 1171012 net extra horizon_2013.2.3.orig.tar.xz
 423efd6d6508270f4fcf2e0c666cad90 22136 net extra horizon_2013.2.3-1.debian.tar.xz
 a9a99427ce773340163fb956ec2b6f71 873496 python extra python-django-horizon_2013.2.3-1_all.deb
 c1fd3d86235608a40fdcf0f1069fd433 876708 net extra openstack-dashboard_2013.2.3-1_all.deb
 5f55df5d8a6db7a93e7d9b737ca6566b 9888 net extra openstack-dashboard-apache_2013.2.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
[signature data not included in this log]
-----END PGP SIGNATURE-----




Added tag(s) pending. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Wed, 09 Apr 2014 12:24:04 GMT)


Message sent on to Thomas Goirand <zigo@debian.org>:
Bug#744019. (Wed, 09 Apr 2014 12:24:08 GMT)


Message #15 received at 744019-submitter@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 744019-submitter@bugs.debian.org
Subject: Bug#744019 marked as pending
Date: Wed, 09 Apr 2014 12:21:42 +0000
tag 744019 pending
thanks

Hello,

Bug #744019 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/wordpress.git;a=commitdiff;h=395b8a4

---
commit 395b8a496702ab1433f1d720c3802d52dd0b13e9
Author: Craig Small <csmall@debian.org>
Date:   Wed Apr 9 22:15:44 2014 +1000

    Updated upstream to 3.8.2

diff --git a/debian/changelog b/debian/changelog
index 711418c..5ae55cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+wordpress (3.8.1+dfsg1-3) unstable; urgency=high
+
+  * New upstream release Fixes CVE-2014-0165, CVE-2014-0166
+    and Closes: #744019
+
+ -- Craig Small <csmall@debian.org>  Wed, 09 Apr 2014 22:13:54 +1000
+
 wordpress (3.8.1+dfsg1-2) unstable; urgency=medium
 
   * Updated copyright file Closes: #736514
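Review bot: the new changelog entry at `+wordpress (3.8.1+dfsg1-3) unstable; urgency=high` does not match the commit message "Updated upstream to 3.8.2" above it, and the upload that followed is 3.8.2+dfsg-1; the version string in the entry should be the one actually being uploaded. The line `+    and Closes: #744019` also references the wrong report: #744019 is filed against src:horizon (CVE-2014-0157), not wordpress, so this entry will close an unrelated bug and the correct wordpress bug number (if any) should be used instead. Minor: "New upstream release Fixes CVE-2014-0165, CVE-2014-0166" needs punctuation between "release" and "Fixes".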



Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. (Wed, 09 Apr 2014 13:06:15 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Wed, 09 Apr 2014 13:06:15 GMT)


Message #20 received at 744019-close@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 744019-close@bugs.debian.org
Subject: Bug#744019: fixed in wordpress 3.8.2+dfsg-1
Date: Wed, 09 Apr 2014 13:04:21 +0000
Source: wordpress
Source-Version: 3.8.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 744019@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 09 Apr 2014 22:13:54 +1000
Source: wordpress
Binary: wordpress wordpress-l10n wordpress-theme-twentyfourteen wordpress-theme-twentythirteen wordpress-theme-twentytwelve
Architecture: source all
Version: 3.8.2+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
 wordpress-theme-twentyfourteen - weblog manager - twentyfourteen theme files
 wordpress-theme-twentythirteen - weblog manager - twentythirteen theme files
 wordpress-theme-twentytwelve - weblog manager - twentytwelve theme files
Closes: 744019
Changes: 
 wordpress (3.8.2+dfsg-1) unstable; urgency=high
 .
   * New upstream release Fixes CVE-2014-0165, CVE-2014-0166
     and Closes: #744019
Checksums-Sha1: 
 b4250bee8533094bcf35e29b8ea32aca4c0de8b6 2473 wordpress_3.8.2+dfsg-1.dsc
 b360f96b860c0421fc9d6f19f8792f92f1ef8552 4604804 wordpress_3.8.2+dfsg.orig.tar.xz
 1f2c24e2221707102696df0f8928e1c6ad729ee0 5223036 wordpress_3.8.2+dfsg-1.debian.tar.xz
 14355ede3569ff40b4ffc3551102ade1b37376b8 3342070 wordpress_3.8.2+dfsg-1_all.deb
 7b9194612309741479ecd09e18c363922cb4bdbf 3729798 wordpress-l10n_3.8.2+dfsg-1_all.deb
 57555ee465b69d5c667cf99b65c5dba0a48755f8 752598 wordpress-theme-twentyfourteen_3.8.2+dfsg-1_all.deb
 16a66d8526dfc13abdd82b25a47c3745dea408dd 264172 wordpress-theme-twentythirteen_3.8.2+dfsg-1_all.deb
 7507ed9385b1b83b3ea5889921b0c4061d425296 383184 wordpress-theme-twentytwelve_3.8.2+dfsg-1_all.deb
Checksums-Sha256: 
 7f3c5d4dc0fdf9659e7e058c6ba607c7f80c67cdc4973a7eeff11acc26322dd6 2473 wordpress_3.8.2+dfsg-1.dsc
 ed66102be27ab50758a140a3eb945468547cc121aeee6c699e4914a07547c853 4604804 wordpress_3.8.2+dfsg.orig.tar.xz
 684a34cc34b4acc61fa7dd0a641bf64b9f82d972ce4b86b0d7b7656b65c074d7 5223036 wordpress_3.8.2+dfsg-1.debian.tar.xz
 790fa5858cea2aaf4124eb8f663632e3f11c20425f92483f24004c2118dfe012 3342070 wordpress_3.8.2+dfsg-1_all.deb
 c54bf626008153d147bdc6866af2a293879d39cbf75e9e01169bff9121cccb11 3729798 wordpress-l10n_3.8.2+dfsg-1_all.deb
 e749e19013887bb855a822ee3bc2d391e64197598040d7355801bf1c26facbc4 752598 wordpress-theme-twentyfourteen_3.8.2+dfsg-1_all.deb
 cd93fc0e0cdfde044473976a18a691a850a55060ad53309b7b9f070b77d98872 264172 wordpress-theme-twentythirteen_3.8.2+dfsg-1_all.deb
 532c30b67690b3c526a0e67c6bc274f80512c1fa5d75db8b2441f0391d593eb2 383184 wordpress-theme-twentytwelve_3.8.2+dfsg-1_all.deb
Files: 
 7651fd582cce3d8f5bf25021d2ef42cd 2473 web optional wordpress_3.8.2+dfsg-1.dsc
 96d54ebcfebab82923311dfb1b797b77 4604804 web optional wordpress_3.8.2+dfsg.orig.tar.xz
 906d3abac60c98c2568e4fc576d928a5 5223036 web optional wordpress_3.8.2+dfsg-1.debian.tar.xz
 8e82a47adc856fcc27f8a35eabea3538 3342070 web optional wordpress_3.8.2+dfsg-1_all.deb
 a5e82822c60894d6ae7447786a34016e 3729798 localization optional wordpress-l10n_3.8.2+dfsg-1_all.deb
 199804baad99d26b41886981af552b71 752598 web optional wordpress-theme-twentyfourteen_3.8.2+dfsg-1_all.deb
 7eca451c21fa1bd8699ef8f69b9d5b2e 264172 web optional wordpress-theme-twentythirteen_3.8.2+dfsg-1_all.deb
 8db70926696badf4af20e7a19b92af58 383184 web optional wordpress-theme-twentytwelve_3.8.2+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
[signature data not included in this log]
-----END PGP SIGNATURE-----




Bug reopened. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Wed, 09 Apr 2014 13:24:08 GMT)


No longer marked as fixed in versions horizon/2013.2.3-1 and wordpress/3.8.2+dfsg-1. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Wed, 09 Apr 2014 13:24:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#744019; Package src:horizon. (Wed, 09 Apr 2014 17:00:04 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 09 Apr 2014 17:00:04 GMT)


Message #29 received at 744019@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Craig Small <csmall@debian.org>, 744019@bugs.debian.org
Subject: Wrong bug number
Date: Thu, 10 Apr 2014 00:57:52 +0800
Craig,

You've been using the wrong bug number. 744019 is for Package:
src:horizon, not for wordpress.

Cheers,

Thomas Goirand (zigo)



Reply sent to Thomas Goirand <thomas@goirand.fr>:
You have taken responsibility. (Fri, 02 May 2014 18:33:08 GMT)


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Fri, 02 May 2014 18:33:08 GMT)


Message #34 received at 744019-done@bugs.debian.org:

From: Thomas Goirand <thomas@goirand.fr>
To: 744019-done@bugs.debian.org
Subject: done
Date: Sat, 03 May 2014 02:31:15 +0800
done



Marked as fixed in versions horizon/2013.2.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 May 2014 21:33:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Aug 2014 07:27:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:20:09 2019; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.