CVE-2014-8124: Horizon denial of service attack through login page

Related Vulnerabilities: CVE-2014-8124  

Debian Bug report logs - #772710
CVE-2014-8124: Horizon denial of service attack through login page


Reported by: Thomas Goirand <zigo@debian.org>

Date: Wed, 10 Dec 2014 11:39:08 UTC

Severity: important

Tags: patch, security

Found in version 2014.1.3-5

Fixed in versions horizon/2014.1.3-6, horizon/2014.2-3

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#772710; Package horizon. (Wed, 10 Dec 2014 11:39:12 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 10 Dec 2014 11:39:12 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2014-8124: Horizon denial of service attack through login page
Date: Wed, 10 Dec 2014 19:38:52 +0800
Package: horizon
Version: 2014.1.3-5
Severity: important
Tags: security patch

Note from maintainer: opening the bug before uploading the fixes.

OpenStack Security Advisory: 2014-040
CVE: CVE-2014-8124
Date: December 09, 2014
Title: Horizon denial of service attack through login page
Reporter: Eric Peterson (Time Warner Cable)
Products: Horizon
Versions: up to 2014.1.3 and 2014.2 version up to 2014.2.1

Description:
Eric Peterson from Time Warner Cable reported a vulnerability in
Horizon. By making repeated requests to the Horizon login page a remote
attacker may generate unwanted session records, potentially resulting in
a denial of service. Only Horizon setups using a db or memcached session
engine are affected.

Kilo (development branch) fix:
https://review.openstack.org/140353

Juno fix:
https://review.openstack.org/140358

Icehouse fix:
https://review.openstack.org/140356

django_openstack_auth fix:
https://review.openstack.org/140352

Notes:
This fix will be included in future 2014.1.3 and 2014.2.1 releases.
The django_openstack_auth Horizon dependency requires the additional
patch above.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124
https://launchpad.net/bugs/1394370
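The advisory above says only db and memcached session engines are affected: each of those stores one record per session key, so a login view that touches the session on every anonymous GET persists one record per unauthenticated request. The following simulation is an added illustration of that failure mode, not Horizon's or django_openstack_auth's own code; the "touch the session on every request" pattern and the hardened "create the session only on successful login" pattern are assumed for the example.

```python
# Added illustration of the CVE-2014-8124 failure mode (constructed example,
# not Horizon's or django_openstack_auth's code). A db/memcached session engine
# stores one record per session key; a login view that writes to the session on
# every anonymous GET therefore leaves one stored record per request.
import secrets


class SessionStore:
    """Stand-in for a db/memcached session engine: one stored record per key."""

    def __init__(self):
        self.records = {}

    def create(self, data):
        key = secrets.token_hex(16)  # fresh key for every new session
        self.records[key] = dict(data)
        return key


def vulnerable_login(store, method, cookie=None, credentials_ok=False):
    """Assumed weak pattern: the view writes a session marker on every request,
    including anonymous GETs that merely render the form."""
    if cookie is None or cookie not in store.records:
        cookie = store.create({"login_form_rendered": True})
    if method == "POST" and credentials_ok:
        store.records[cookie]["user"] = "alice"
    return cookie


def hardened_login(store, method, cookie=None, credentials_ok=False):
    """Hardened pattern: render the form without persisting anything; only a
    successful POST creates a session record."""
    if method == "POST" and credentials_ok:
        return store.create({"user": "alice"})
    return cookie  # anonymous GET leaves the backend untouched


def simulate(view, anonymous_gets):
    """Send `anonymous_gets` cookie-less GETs, then one valid login; return the
    number of records the session backend holds afterwards."""
    store = SessionStore()
    for _ in range(anonymous_gets):
        view(store, "GET")  # a client that discards the cookie each time
    view(store, "POST", credentials_ok=True)
    return len(store.records)


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_login, 1000))  # 1001 records
    print("hardened:  ", simulate(hardened_login, 1000))  # 1 record
```

The record count is the quantity an operator would watch on an affected deployment: anonymous session rows growing without a matching rise in successful logins is the signature of this issue.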



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 10 Dec 2014 12:21:10 GMT) (full text, mbox, link).


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Wed, 10 Dec 2014 12:21:10 GMT) (full text, mbox, link).


Message #10 received at 772710-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: 772710-close@bugs.debian.org
Subject: Bug#772710: fixed in horizon 2014.1.3-6
Date: Wed, 10 Dec 2014 12:19:20 +0000
Source: horizon
Source-Version: 2014.1.3-6

We believe that the bug you reported is fixed in the latest version of
horizon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772710@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated horizon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Dec 2014 19:41:02 +0800
Source: horizon
Binary: python-django-horizon openstack-dashboard openstack-dashboard-apache
Architecture: source all
Version: 2014.1.3-6
Distribution: unstable
Urgency: high
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 openstack-dashboard - OpenStack Dashboard
 openstack-dashboard-apache - OpenStack Dashboard - Apache support
 python-django-horizon - Django module providing web interaction with OpenStack
Closes: 772710
Changes:
 horizon (2014.1.3-6) unstable; urgency=high
 .
   * CVE-2014-8124: Horizon denial of service attack through login page. Applied
     upstream patch (Closes: #772710).





Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 10 Dec 2014 13:06:11 GMT) (full text, mbox, link).


Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Wed, 10 Dec 2014 13:06:11 GMT) (full text, mbox, link).


Message #15 received at 772710-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Goirand <zigo@debian.org>
To: 772710-close@bugs.debian.org
Subject: Bug#772710: fixed in horizon 2014.2-3
Date: Wed, 10 Dec 2014 13:04:34 +0000
Source: horizon
Source-Version: 2014.2-3

We believe that the bug you reported is fixed in the latest version of
horizon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772710@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated horizon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 10 Dec 2014 19:53:49 +0800
Source: horizon
Binary: python-django-horizon openstack-dashboard openstack-dashboard-apache
Architecture: source all
Version: 2014.2-3
Distribution: experimental
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 openstack-dashboard - OpenStack Dashboard
 openstack-dashboard-apache - OpenStack Dashboard - Apache support
 python-django-horizon - Django module providing web interaction with OpenStack
Closes: 772710
Changes:
 horizon (2014.2-3) experimental; urgency=medium
 .
   * CVE-2014-8124: Horizon denial of service attack through login page. Applied
     upstream patch (Closes: #772710).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 10 Jan 2015 07:25:47 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:54:58 2019; Machine Name: beach
