Bug#772714: unblock: python-django-openstack-auth/1.1.6-6: CVE-2014-8124 fix
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear release team,
Please unblock package python-django-openstack-auth. The upstream patch is a
one-liner fixing the DOS on the login page on the side of this lib. Debdiff
attached.
Cheers,
Thomas Goirand (zigo)
diff -Nru python-django-openstack-auth-1.1.6/debian/changelog python-django-openstack-auth-1.1.6/debian/changelog
--- python-django-openstack-auth-1.1.6/debian/changelog 2014-09-29 06:45:50.000000000 +0000
+++ python-django-openstack-auth-1.1.6/debian/changelog 2014-12-10 12:10:01.000000000 +0000
@@ -1,3 +1,10 @@
+python-django-openstack-auth (1.1.6-5) unstable; urgency=high
+
+ * CVE-2014-8124: Horizon login page contains DOS attack mechanism. Applied
+ upstream patch (Closes: #772712).
+
+ -- Thomas Goirand <zigo@debian.org> Wed, 10 Dec 2014 20:07:03 +0800
+
python-django-openstack-auth (1.1.6-4) unstable; urgency=medium
* Add upstream patch fixing FTBFS: fix-tests.patch. Thanks to David Suárez
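Review bot: the changelog entry in this hunk is for 1.1.6-5, while the unblock request is titled 1.1.6-6; please confirm which version is actually in unstable and that the attached debdiff covers everything between the version in testing and it. The entry itself references CVE-2014-8124 and Closes: #772712, matching the Bug-Debian field of the new patch, and urgency=high is appropriate for a security-only upload.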
diff -Nru python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch
--- python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch 2014-12-10 12:10:01.000000000 +0000
@@ -0,0 +1,27 @@
+Description: Horizon login page contains DOS attack mechanism
+ The horizon login page (and middleware) accesses the session too early in the
+ login process, which will create session records in the session backend. This
+ is especially problematic when non-cookie backends are used.
+Author: eric <eric.peterson1@twcable.com>
+Date: Mon, 8 Dec 2014 23:38:26 +0000 (-0700)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fdjango_openstack_auth.git;a=commitdiff_plain;h=e676c88a329af57d6c4f13df54f6e1e06c1f8360
+Co-Authored-By: Tihomir Trifonov <t.trifonov@gmail.com>
+Co-Authored-By: Eric Peterson <eric.peterson1@twcable.com>
+Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
+Bug-Ubuntu: https://launchpad.net/bugs/1394370
+Bug-Debian: https://bugs.debian.org/772712
+Origin: upstream, https://review.openstack.org/#/c/140352/
+Last-Update: 2014-12-10
+
+diff --git a/openstack_auth/forms.py b/openstack_auth/forms.py
+index 2c8092c..8c1fcee 100644
+--- a/openstack_auth/forms.py
++++ b/openstack_auth/forms.py
+@@ -98,7 +98,6 @@ class Login(django_auth_forms.AuthenticationForm):
+ msg = 'Login failed for user "%(username)s".' % \
+ {'username': username}
+ LOG.warning(msg)
+- self.request.session.flush()
+ raise forms.ValidationError(exc)
+ if hasattr(self, 'check_for_test_cookie'): # Dropped in django 1.7
+ self.check_for_test_cookie()
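Review bot: the DEP-3 Description says the login page "and middleware" touch the session too early, but the hunk only drops `self.request.session.flush()` from the failure branch of Login in openstack_auth/forms.py; a sentence in the header saying whether the middleware side is handled in the Horizon package rather than in this library would let the release team see that CVE-2014-8124 is fully covered by this upload. It would also help to note the security trade-off the change makes: with the flush gone, a failed login no longer discards the caller's session (which is what stopped unauthenticated requests from piling up session records in non-cookie backends), so protection against session fixation now rests on the session key being cycled on successful login; that path is not in the hunk, so please confirm it is unchanged. The remaining control flow is as before, with the ValidationError still raised and check_for_test_cookie() still called after the failure branch.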
diff -Nru python-django-openstack-auth-1.1.6/debian/patches/series python-django-openstack-auth-1.1.6/debian/patches/series
--- python-django-openstack-auth-1.1.6/debian/patches/series 2014-09-29 06:45:50.000000000 +0000
+++ python-django-openstack-auth-1.1.6/debian/patches/series 2014-12-10 12:10:01.000000000 +0000
@@ -1,3 +1,4 @@
0001-Call-django.setup-before-running-tests-for-Django-1..patch
0002-Don-t-call-check_for_test_cookie-with-Django-1.7.patch
fix-tests.patch
+CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch
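Review bot: the new series entry matches the filename added under debian/patches exactly and is appended last, so it applies on top of the existing test fixes rather than reordering them; nothing further needed here.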