horizon: CVE-2015-3219: XSS in Horizon Heat stack creation

Related Vulnerabilities: CVE-2015-3219  

Debian Bug report logs - #788306

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 10 Jun 2015 05:39:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions horizon/2015.1.0-1, horizon/2014.1.3-1

Fixed in version horizon/2015.1.0+2015.06.09.git15.e63af6c598-1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#788306; Package src:horizon. (Wed, 10 Jun 2015 05:39:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 10 Jun 2015 05:39:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: horizon: CVE-2015-3219: XSS in Horizon Heat stack creation
Date: Wed, 10 Jun 2015 07:37:52 +0200
Source: horizon
Version: 2015.1.0-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for horizon.

CVE-2015-3219[0]:
XSS in Horizon Heat stack creation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-3219
[1] http://www.openwall.com/lists/oss-security/2015/06/09/7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#788306; Package src:horizon. (Wed, 10 Jun 2015 07:15:03 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 10 Jun 2015 07:15:03 GMT)


Message #10 received at 788306@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: 788306@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#788306: horizon: CVE-2015-3219: XSS in Horizon Heat stack creation
Date: Wed, 10 Jun 2015 09:10:56 +0200
Control: found -1 2014.1.3-1

Hi Salvatore,

On Wed, Jun 10, 2015 at 7:37 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Source: horizon
> Version: 2015.1.0-1
> Severity: important
> Tags: security upstream fixed-upstream
[...]
> CVE-2015-3219[0]:
> XSS in Horizon Heat stack creation
[...]
> Please adjust the affected versions in the BTS as needed.
 Just checked. The Wheezy version doesn't contain the vulnerable code
segment, but the Jessie version does. Mark the bug accordingly.
In case you may accept, I attach a debdiff for Jessie.

Regards,
Laszlo/GCS
[horizon_2014.1.3-7_to_2014.1.3-7+deb8u1.patch (text/x-diff, attachment)]

Marked as found in versions horizon/2014.1.3-1. Request was from László Böszörményi (GCS) <gcs@debian.org> to 788306-submit@bugs.debian.org. (Wed, 10 Jun 2015 07:15:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#788306; Package src:horizon. (Wed, 10 Jun 2015 08:45:58 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 10 Jun 2015 08:45:58 GMT)


Message #17 received at 788306@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: 788306@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#788306: horizon: CVE-2015-3219: XSS in Horizon Heat stack creation
Date: Wed, 10 Jun 2015 10:42:48 +0200
Hey Laszlo,

On Wed, Jun 10, 2015 at 09:10:56AM +0200, László Böszörményi (GCS) wrote:
> Control: found -1 2014.1.3-1
> 
> Hi Salvatore,
> 
> On Wed, Jun 10, 2015 at 7:37 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Source: horizon
> > Version: 2015.1.0-1
> > Severity: important
> > Tags: security upstream fixed-upstream
> [...]
> > CVE-2015-3219[0]:
> > XSS in Horizon Heat stack creation
> [...]
> > Please adjust the affected versions in the BTS as needed.
>  Just checked. The Wheezy version doesn't contain the vulnerable code
> segment, but the Jessie version does. Mark the bug accordingly.
> In case you may accept, I attach a debdiff for Jessie.

Thanks for the quick follow-ups. Am I right that jessie, though, is not
affected, due to
https://bugs.launchpad.net/horizon/+bug/1453074/comments/13

The field help_text is always escaped already.

Is that right?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#788306; Package src:horizon. (Wed, 10 Jun 2015 10:27:12 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 10 Jun 2015 10:27:13 GMT)


Message #22 received at 788306@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Debian Security Team <team@security.debian.org>
Cc: 788306@bugs.debian.org
Subject: Re: [PKG-Openstack-devel] Bug#788306: horizon: CVE-2015-3219: XSS in Horizon Heat stack creation
Date: Wed, 10 Jun 2015 12:23:24 +0200
On Wed, Jun 10, 2015 at 10:42 AM, Salvatore Bonaccorso
<carnil@debian.org> wrote:
> On Wed, Jun 10, 2015 at 09:10:56AM +0200, László Böszörményi (GCS) wrote:
>>  Just checked. The Wheezy version doesn't contain the vulnerable code
>> segment, but the Jessie version does. Mark the bug accordingly.
>> In case you may accept, I attach a debdiff for Jessie.
>
> Thanks for the quick follow-ups. Am I right that jessie, though, is not
> affected, due to
> https://bugs.launchpad.net/horizon/+bug/1453074/comments/13
>
> The field help_text is always escaped already.
>
> Is that right?
I think the correct answer would be 'it depends'. If you check the
presentation layer where that text is used as-is, then yes, it's escaped
there already. On the other hand, that text may be used in the code in
combination with other variables that may not be escaped for the
presentation tier. Then the user may have customized his/her
installation so that it uses the mentioned text without escaping. Last but
not least, some plugin or other software may also use that text without
filtering. If I consider these cases, then OpenStack may be vulnerable in
other places, where it can be harder (but not impossible) to take advantage
of this CVE.
In short, the comment you mention emphasizes this: "Juno - ASSUME that
help text is always safe:" (i.e., not 100% sure). That can be the reason
upstream has an update for Juno which was merged[1]:
Branch  stable/juno
Status  Merged

I say it's better to be more safe and maybe escape that string twice
than to risk a vulnerability remaining in some use cases. But of
course, you are in the position to choose whether a DSA is issued or not.

Cheers,
Laszlo/GCS
[1] https://review.openstack.org/#/c/189821/
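The "it depends" answer above comes down to where a help_text value meets the HTML renderer. The following is an added example, not code from Horizon, Django or this bug thread: a small stand-in for Django-style auto-escaping (a SafeString marker, an unconditional escape(), and a conditional_escape() that passes already-safe values through) used to show the three cases discussed, namely a plain string rendered by an auto-escaping template, a string that some code marked safe after joining it with untrusted text, and a customized template or plugin that interpolates the text itself. The assumption that the help text is built from an untrusted Heat template field, and the helper names build_help_text_unsafe and build_help_text_fixed, are this example's own, not Horizon's actual code path.

```python
"""Added example: a minimal model of Django-style HTML auto-escaping,
used to show why "is help_text always escaped?" depends on the code path.
Assumption (not taken from the bug thread): the stack-creation form's
help text is built from an untrusted Heat template field."""
import html


class SafeString(str):
    """Marks a string as already-safe HTML, like Django's SafeString.
    An auto-escaping renderer passes such strings through unchanged."""


def mark_safe(s: str) -> SafeString:
    return SafeString(s)


def escape(s: str) -> SafeString:
    """Unconditional escape, modelled on Django's escape(): it always encodes,
    even when the input is already marked safe, so applying it twice
    produces '&amp;lt;' instead of '&lt;' (harmless, but mangled display)."""
    return SafeString(html.escape(str(s), quote=True))


def conditional_escape(s: str) -> SafeString:
    """Escape only values not already marked safe, modelled on Django's
    conditional_escape(), which auto-escaping templates use."""
    return s if isinstance(s, SafeString) else escape(s)


def render_help_text(help_text: str) -> str:
    """Model of the auto-escaping presentation layer: the template renders
    the field's help_text through conditional_escape()."""
    return "<span class='help-block'>%s</span>" % conditional_escape(help_text)


def render_unescaped(help_text: str) -> str:
    """Model of a customized template or third-party plugin that interpolates
    the text itself, bypassing the auto-escaping renderer."""
    return "<span class='help-block'>%s</span>" % help_text


# Constructed sample input: a parameter description an untrusted user controls.
UNTRUSTED_DESCRIPTION = "Size in GB <script>untrusted()</script>"


def build_help_text_unsafe(description: str) -> SafeString:
    """Hypothetical vulnerable pattern: untrusted text is joined with markup
    and the result is marked safe so the template keeps the markup."""
    return mark_safe("<b>Parameter:</b> " + description)


def build_help_text_fixed(description: str) -> SafeString:
    """Hardened pattern: escape the untrusted part before marking the whole
    string safe; the fixed markup survives, the injected markup does not."""
    return mark_safe("<b>Parameter:</b> " + escape(description))


def contains_script(rendered: str) -> bool:
    """Detection helper for the examples: did raw <script> markup survive?"""
    return "<script>" in rendered


if __name__ == "__main__":
    print("plain string, auto-escaped:", render_help_text(UNTRUSTED_DESCRIPTION))
    print("marked safe without escaping:",
          render_help_text(build_help_text_unsafe(UNTRUSTED_DESCRIPTION)))
    print("escaped, then marked safe:",
          render_help_text(build_help_text_fixed(UNTRUSTED_DESCRIPTION)))
    print("custom template, no escaping:", render_unescaped(UNTRUSTED_DESCRIPTION))
    print("escape twice:", escape(escape("a<b")), "| conditional:",
          conditional_escape(escape("a<b")))
```

Only the first case supports "help_text is always escaped": a plain str reaching an auto-escaping template is safe. As soon as code marks the value safe after concatenating untrusted text, or a customized template or plugin interpolates it directly, the renderer's escaping no longer applies, which is why escaping the untrusted part at the point where it enters the help text is the robust fix. The last line shows the cost of the "escape twice" approach: with a conditional escape it is a no-op, with an unconditional one the display is mangled but still not exploitable.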



Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#788306; Package src:horizon. (Wed, 10 Jun 2015 14:30:04 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 10 Jun 2015 14:30:04 GMT)


Message #27 received at 788306@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 788306@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>, "László Böszörményi (GCS)" <gcs@debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#788306: Bug#788306: horizon: CVE-2015-3219: XSS in Horizon Heat stack creation
Date: Wed, 10 Jun 2015 16:26:51 +0200
On 06/10/2015 09:10 AM, László Böszörményi (GCS) wrote:
> Control: found -1 2014.1.3-1
> 
> Hi Salvatore,
> 
> On Wed, Jun 10, 2015 at 7:37 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
>> Source: horizon
>> Version: 2015.1.0-1
>> Severity: important
>> Tags: security upstream fixed-upstream
> [...]
>> CVE-2015-3219[0]:
>> XSS in Horizon Heat stack creation
> [...]
>> Please adjust the affected versions in the BTS as needed.
>  Just checked. The Wheezy version doesn't contain the vulnerable code
> segment, but the Jessie version does. Mark the bug accordingly.
> In case you may accept, I attach a debdiff for Jessie.
> 
> Regards,
> Laszlo/GCS

Thanks Laszlo for the patch. I have applied it to the debian/icehouse
branch in our Git, and just added the closing of this bug in the
changelog. The resulting package is here:

Full folder:
http://sid.gplhost.com/horizon/

.dsc file:
http://sid.gplhost.com/horizon/horizon_2014.1.3-7+deb8u1.dsc

.debdiff file:
http://sid.gplhost.com/horizon/horizon_2014.1.3-7+deb8u1.debdiff

Right now, I'm applying the fix to Sid and Jessie-backports.

Dear security team, can I upload the above?

Cheers,

Thomas Goirand (zigo)




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#788306; Package src:horizon. (Wed, 10 Jun 2015 15:03:03 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 10 Jun 2015 15:03:03 GMT)


Message #32 received at 788306@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Security Team <team@security.debian.org>
Cc: 788306@bugs.debian.org, Debian Security Team <team@security.debian.org>, "László Böszörményi (GCS)" <gcs@debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#788306: Bug#788306: horizon: CVE-2015-3219: XSS in Horizon Heat stack creation
Date: Wed, 10 Jun 2015 17:00:27 +0200
On 06/10/2015 12:23 PM, László Böszörményi (GCS) wrote:
> On Wed, Jun 10, 2015 at 10:42 AM, Salvatore Bonaccorso
> <carnil@debian.org> wrote:
>> On Wed, Jun 10, 2015 at 09:10:56AM +0200, László Böszörményi (GCS) wrote:
>>>  Just checked. The Wheezy version doesn't contain the vulnerable code
>>> segment, but the Jessie version does. Mark the bug accordingly.
>>> In case you may accept, I attach a debdiff for Jessie.
>>
>> Thanks for the quick follow-ups. Am I right that jessie, though, is not
>> affected, due to
>> https://bugs.launchpad.net/horizon/+bug/1453074/comments/13
>>
>> The field help_text is always escaped already.
>>
>> Is that right?
> I think the correct answer would be 'it depends'. If you check the
> presentation layer where that text is used as-is, then yes, it's escaped
> there already. On the other hand, that text may be used in the code in
> combination with other variables that may not be escaped for the
> presentation tier. Then the user may have customized his/her
> installation so that it uses the mentioned text without escaping. Last but
> not least, some plugin or other software may also use that text without
> filtering. If I consider these cases, then OpenStack may be vulnerable in
> other places, where it can be harder (but not impossible) to take advantage
> of this CVE.
> In short, the comment you mention emphasizes this: "Juno - ASSUME that
> help text is always safe:" (i.e., not 100% sure). That can be the reason
> upstream has an update for Juno which was merged[1]:
> Branch  stable/juno
> Status  Merged
> 
> I say it's better to be more safe and maybe escape that string twice
> than to risk a vulnerability remaining in some use cases. But of
> course, you are in the position to choose whether a DSA is issued or not.

Hi again,

FYI, I uploaded to Sid:
horizon_2015.1.0+2015.06.09.git15.e63af6c598-1

To Jessie backports:
horizon_2015.1.0+2015.06.09.git15.e63af6c598-1~bpo8+1

and as for Jessie, as per Laszlo's patch, it's:
horizon_2014.1.3-7+deb8u1

So the Sid and Jessie backports include the last 15 commits since
the stable release (which are non-security bugfixes). I'll do it like this
from now on, as it's way easier for me to do so, and because
upstream is currently questioning doing point releases altogether.

I don't really mind the DSA, but I would prefer the patch to reach
Jessie through the (faster) security updates.

Cheers,

Thomas Goirand (zigo)




Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Wed, 10 Jun 2015 16:24:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 10 Jun 2015 16:24:12 GMT)


Message #37 received at 788306-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 788306-close@bugs.debian.org
Subject: Bug#788306: fixed in horizon 2015.1.0+2015.06.09.git15.e63af6c598-1
Date: Wed, 10 Jun 2015 16:21:27 +0000
Source: horizon
Source-Version: 2015.1.0+2015.06.09.git15.e63af6c598-1

We believe that the bug you reported is fixed in the latest version of
horizon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 788306@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated horizon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 08 Jun 2015 16:26:13 +0200
Source: horizon
Binary: python-django-horizon openstack-dashboard openstack-dashboard-apache
Architecture: source all
Version: 2015.1.0+2015.06.09.git15.e63af6c598-1
Distribution: unstable
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 openstack-dashboard - web application to control an OpenStack cloud
 openstack-dashboard-apache - OpenStack Dashboard - Apache support
 python-django-horizon - Django module providing web interaction with OpenStack
Closes: 788306
Changes:
 horizon (2015.1.0+2015.06.09.git15.e63af6c598-1) unstable; urgency=medium
 .
   * New upstream release (packaging 15th commit since 2015.1.0: e63af6c598):
     - CVE-2015-3219: Fixes XSS in Horizon Heat stack creation (Closes: #788306)
   * Fixed double entry in openstack-dashboard.triggers.
   * Dropped patch applied upstream:
     - Persistent_XSS_in_Horizon_metadata_dashboard.patch
   * Added Build-Conflicts: python-rednose.
   * Standards-Version is now 3.9.6 (no change).
Checksums-Sha1:
 7938d8f2c021156100bdf0fea4f039b459423689 4123 horizon_2015.1.0+2015.06.09.git15.e63af6c598-1.dsc
 b6846917d033d044166f1ac8c73168564c08f9c1 1502652 horizon_2015.1.0+2015.06.09.git15.e63af6c598.orig.tar.xz
 a895968e871ae67315b29ae2c6c2be0cab75a60f 15748 horizon_2015.1.0+2015.06.09.git15.e63af6c598-1.debian.tar.xz
 349fc35b931234a134a42890b97446847778b6c9 10954 openstack-dashboard-apache_2015.1.0+2015.06.09.git15.e63af6c598-1_all.deb
 f422cceac632a98cce018c9bf5c47e23062a6a01 1608380 openstack-dashboard_2015.1.0+2015.06.09.git15.e63af6c598-1_all.deb
 b41441cbe2fb4f4eb830474d3b68b75812fbf622 1805328 python-django-horizon_2015.1.0+2015.06.09.git15.e63af6c598-1_all.deb
Checksums-Sha256:
 961e7e5640d194b3f7975fed8235f21388c8f814304153ee94d067134c9d653e 4123 horizon_2015.1.0+2015.06.09.git15.e63af6c598-1.dsc
 702aa4ab5625396db69b22fbd81e35df6119eb4c974ba891a5b2f38f1e767b7f 1502652 horizon_2015.1.0+2015.06.09.git15.e63af6c598.orig.tar.xz
 b8038849b04a072cce649fcbc94709d750d50aa622a5a09fe9bac85ef3d79134 15748 horizon_2015.1.0+2015.06.09.git15.e63af6c598-1.debian.tar.xz
 243959db4e8b734f6885d904a651f6cedf91b0af83801198093c97f19ff578de 10954 openstack-dashboard-apache_2015.1.0+2015.06.09.git15.e63af6c598-1_all.deb
 b18ec6a2b61b908aeebc538971a230afacb844a67143e05f566becb689a8d5fc 1608380 openstack-dashboard_2015.1.0+2015.06.09.git15.e63af6c598-1_all.deb
 656ac1e1da4832c93de373e85919fd43152ea02cbeaf93814cc2ecbd01ec2187 1805328 python-django-horizon_2015.1.0+2015.06.09.git15.e63af6c598-1_all.deb
Files:
 c27d3f978b303dee11f1327099688c2e 4123 net extra horizon_2015.1.0+2015.06.09.git15.e63af6c598-1.dsc
 865621e2667ea19cea50f5138417596c 1502652 net extra horizon_2015.1.0+2015.06.09.git15.e63af6c598.orig.tar.xz
 24555ab3e2a49003856aa7db532ab96f 15748 net extra horizon_2015.1.0+2015.06.09.git15.e63af6c598-1.debian.tar.xz
 f1ba37c614042b3429dd31fcaf3bb530 10954 net extra openstack-dashboard-apache_2015.1.0+2015.06.09.git15.e63af6c598-1_all.deb
 0708a56cd6cae6b0bf832fc09fead06f 1608380 net extra openstack-dashboard_2015.1.0+2015.06.09.git15.e63af6c598-1_all.deb
 f41ede06c9a1a7e795d0b84f87feba61 1805328 python extra python-django-horizon_2015.1.0+2015.06.09.git15.e63af6c598-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVeE82AAoJENQWrRWsa0P+Tr4P/A9tJP3knveTjqIi5jfWnED/
ZyhyldVXznq3fwdIMtYd1ztMgl7BTg8bWO/hT9K6wBCewHH4Mp4S0x8AwIjTgp1j
77I3j5RTXflviCAfQCV+KBp/oZKd+7vjhMJmDHgoUwQ6dqZg76wXVFIf0RvwgGTg
plwNVkrgCrQepiQQKU7/xBsrpnZPqRx6P3y5Ar6u0djDjE3/k5L28EUmMPxeTakx
vywC8aqECW5lNmaC01pFfq1fbKUWBdLRQVF2xIdWqAbg2slJtr2pD9iu0xpTfKWY
r/ed8EumuhuoaH92gNwzTqDV9G1mzeK/NZWKux2CYk88mYdPsixYLytT/XdzKNIb
gzNY0sRjiZmzMj7jjvh82qXKa9prJYErD3Zd5qYJk18kELINOYx7d0WgMD13BvVm
zZmpn7XBRO63o3NRQ2Diyq9++bZ5DKU5wrUwFarLGv3c+nUprbRnzV7jBqBDW0xk
/P7xQ12HKtR/nmMYJF5SYDHAFl3XmQzvH6/sKelyh9I10UiVFjmvG4v6iTrspvUC
i0oGoey+XsYmtyhL3gDwToumN4OsiyZZjddBVmZTD0seEKqHEzOdBLV+ThQT2jcg
Eu8rLKv+1hDD9WV0kSC//ZHVJOWsBUE1QsRm3dBeB5gN9CveEbRi4nSdOKTjcdH1
pr7r+quZ9U4u1Mel9TeW
=1J6g
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#788306; Package src:horizon. (Wed, 10 Jun 2015 21:09:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 10 Jun 2015 21:09:05 GMT)


Message #42 received at 788306@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Thomas Goirand <zigo@debian.org>
Cc: Debian Security Team <team@security.debian.org>, 788306@bugs.debian.org, "László Böszörményi (GCS)" <gcs@debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#788306: Bug#788306: horizon: CVE-2015-3219: XSS in Horizon Heat stack creation
Date: Wed, 10 Jun 2015 23:06:24 +0200
On Wed, Jun 10, 2015 at 05:00:27PM +0200, Thomas Goirand wrote:
> On 06/10/2015 12:23 PM, László Böszörményi (GCS) wrote:
> > On Wed, Jun 10, 2015 at 10:42 AM, Salvatore Bonaccorso
> > <carnil@debian.org> wrote:
> >> On Wed, Jun 10, 2015 at 09:10:56AM +0200, László Böszörményi (GCS) wrote:
> >>>  Just checked. The Wheezy version doesn't contain the vulnerable code
> >>> segment, but the Jessie version does. Mark the bug accordingly.
> >>> In case you may accept, I attach a debdiff for Jessie.
> >>
> >> Thanks for the quick follow-ups. Am I right that jessie, though, is not
> >> affected, due to
> >> https://bugs.launchpad.net/horizon/+bug/1453074/comments/13
> >>
> >> The field help_text is always escaped already.
> >>
> >> Is that right?
> > I think the correct answer would be 'it depends'. If you check the
> > presentation layer where that text is used as-is, then yes, it's escaped
> > there already. On the other hand, that text may be used in the code in
> > combination with other variables that may not be escaped for the
> > presentation tier. Then the user may have customized his/her
> > installation so that it uses the mentioned text without escaping. Last but
> > not least, some plugin or other software may also use that text without
> > filtering. If I consider these cases, then OpenStack may be vulnerable in
> > other places, where it can be harder (but not impossible) to take advantage
> > of this CVE.
> > In short, the comment you mention emphasizes this: "Juno - ASSUME that
> > help text is always safe:" (i.e., not 100% sure). That can be the reason
> > upstream has an update for Juno which was merged[1]:
> > Branch  stable/juno
> > Status  Merged
> > 
> > I say it's better to be more safe and maybe escape that string twice
> > than to risk a vulnerability remaining in some use cases. But of
> > course, you are in the position to choose whether a DSA is issued or not.
> 
> Hi again,
> 
> FYI, I uploaded to Sid:
> horizon_2015.1.0+2015.06.09.git15.e63af6c598-1
> 
> To Jessie backports:
> horizon_2015.1.0+2015.06.09.git15.e63af6c598-1~bpo8+1
> 
> and as for Jessie, as per Laszlo's patch, it's:
> horizon_2014.1.3-7+deb8u1
> 
> So the Sid and Jessie backports include the last 15 commits since
> the stable release (which are non-security bugfixes). I'll do it like this
> from now on, as it's way easier for me to do so, and because
> upstream is currently questioning doing point releases altogether.
> 
> I don't really mind the DSA, but I would prefer the patch to reach
> Jessie through the (faster) security updates.

I don't think this qualifies for a DSA. We can piggy-back the fix into
a future DSA or fix it through the 8.2 point release.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#788306; Package src:horizon. (Wed, 10 Jun 2015 23:03:03 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Wed, 10 Jun 2015 23:03:03 GMT)


Message #47 received at 788306@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
Cc: 788306@bugs.debian.org, "László Böszörményi (GCS)" <gcs@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#788306: Bug#788306: Bug#788306: horizon: CVE-2015-3219: XSS in Horizon Heat stack creation
Date: Thu, 11 Jun 2015 01:01:35 +0200
On 06/10/2015 11:06 PM, Moritz Mühlenhoff wrote:
> On Wed, Jun 10, 2015 at 05:00:27PM +0200, Thomas Goirand wrote:
>> On 06/10/2015 12:23 PM, László Böszörményi (GCS) wrote:
>>> On Wed, Jun 10, 2015 at 10:42 AM, Salvatore Bonaccorso
>>> <carnil@debian.org> wrote:
>>>> On Wed, Jun 10, 2015 at 09:10:56AM +0200, László Böszörményi (GCS) wrote:
>>>>>  Just checked. The Wheezy version doesn't contain the vulnerable code
>>>>> segment, but the Jessie version does. Mark the bug accordingly.
>>>>> In case you may accept, I attach a debdiff for Jessie.
>>>>
>>>> Thanks for the quick follow-ups. Am I right that jessie, though, is not
>>>> affected, due to
>>>> https://bugs.launchpad.net/horizon/+bug/1453074/comments/13
>>>>
>>>> The field help_text is always escaped already.
>>>>
>>>> Is that right?
>>> I think the correct answer would be 'it depends'. If you check the
>>> presentation layer where that text is used as-is, then yes, it's escaped
>>> there already. On the other hand, that text may be used in the code in
>>> combination with other variables that may not be escaped for the
>>> presentation tier. Then the user may have customized his/her
>>> installation so that it uses the mentioned text without escaping. Last but
>>> not least, some plugin or other software may also use that text without
>>> filtering. If I consider these cases, then OpenStack may be vulnerable in
>>> other places, where it can be harder (but not impossible) to take advantage
>>> of this CVE.
>>> In short, the comment you mention emphasizes this: "Juno - ASSUME that
>>> help text is always safe:" (i.e., not 100% sure). That can be the reason
>>> upstream has an update for Juno which was merged[1]:
>>> Branch  stable/juno
>>> Status  Merged
>>>
>>> I say it's better to be more safe and maybe escape that string twice
>>> than to risk a vulnerability remaining in some use cases. But of
>>> course, you are in the position to choose whether a DSA is issued or not.
>>
>> Hi again,
>>
>> FYI, I uploaded to Sid:
>> horizon_2015.1.0+2015.06.09.git15.e63af6c598-1
>>
>> To Jessie backports:
>> horizon_2015.1.0+2015.06.09.git15.e63af6c598-1~bpo8+1
>>
>> and as for Jessie, as per Laszlo's patch, it's:
>> horizon_2014.1.3-7+deb8u1
>>
>> So the Sid and Jessie backports include the last 15 commits since
>> the stable release (which are non-security bugfixes). I'll do it like this
>> from now on, as it's way easier for me to do so, and because
>> upstream is currently questioning doing point releases altogether.
>>
>> I don't really mind the DSA, but I would prefer the patch to reach
>> Jessie through the (faster) security updates.
> 
> I don't think this qualifies for a DSA. We can piggy-back the fix into
> a future DSA or fix it through the 8.2 point release.
> 
> Cheers,
>         Moritz

Moritz,

Could you please allow me to upload the package to the security FTP,
even without a DSA? Dealing with the release team to update software for
security is often frustrating because it takes too long (because they
are busy, and they often ask for too much).

Cheers,

Thomas Goirand (zigo)




Information forwarded to debian-bugs-dist@lists.debian.org, PKG OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#788306; Package src:horizon. (Thu, 11 Jun 2015 16:57:06 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to PKG OpenStack <openstack-devel@lists.alioth.debian.org>. (Thu, 11 Jun 2015 16:57:06 GMT)


Message #52 received at 788306@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Thomas Goirand <zigo@debian.org>
Cc: 788306@bugs.debian.org, "László Böszörményi (GCS)" <gcs@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: [PKG-Openstack-devel] Bug#788306: Bug#788306: Bug#788306: horizon: CVE-2015-3219: XSS in Horizon Heat stack creation
Date: Thu, 11 Jun 2015 18:52:32 +0200
On Thu, Jun 11, 2015 at 01:01:35AM +0200, Thomas Goirand wrote:
> Could you please allow me to upload the package to the security FTP,
> even without a DSA? Dealing with the release team to update software for
> security is often frustrating because it takes too long (because they
> are busy, and they often ask for too much).

No, we can't do that in a stable release.

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Jul 2015 07:25:29 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:47:48 2019; Machine Name: beach
