Bug#772719: unblock: horizon/2014.1.3-6 CVE-2014-8124 fix

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#772719: unblock: horizon/2014.1.3-6 CVE-2014-8124 fix
From: Thomas Goirand <zigo@debian.org>
Date: Wed, 10 Dec 2014 20:19:48 +0800
Message-id: <[🔎] 20141210121948.1166.90624.reportbug@buzig.gplhost.com>
Reply-to: Thomas Goirand <zigo@debian.org>, 772719@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock package horizon. Debdiff attached. See #772710 for details
about this CVE. Debdiff attached.

Cheers,

Thomas Goirand (zigo)

diff -Nru horizon-2014.1.3/debian/changelog horizon-2014.1.3/debian/changelog
--- horizon-2014.1.3/debian/changelog	2014-11-11 21:25:59.000000000 +0000
+++ horizon-2014.1.3/debian/changelog	2014-12-10 11:43:48.000000000 +0000
@@ -1,3 +1,10 @@
+horizon (2014.1.3-6) unstable; urgency=high
+
+  * CVE-2014-8124: Horizon denial of service attack through login page. Applied
+    upstrema patch (Closes: #772710).
+
+ -- Thomas Goirand <zigo@debian.org>  Wed, 10 Dec 2014 19:41:02 +0800
+
 horizon (2014.1.3-5) unstable; urgency=medium
 
   * Purge the /usr/share/openstack-dashboard/openstack_dashboard folder when
diff -Nru horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch
--- horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch	1970-01-01 00:00:00.000000000 +0000
+++ horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch	2014-12-10 11:43:48.000000000 +0000
@@ -0,0 +1,61 @@
+Description: Horizon login page contains DOS attack mechanism
+ The horizon login page (really the middleware) accesses the session too early
+ in the login process, which will create session records in the session
+ backend. This is especially problematic when non-cookie backends are used.
+Author: lin-hua-cheng <os.lcheng@gmail.com>
+Date: Tue, 2 Dec 2014 02:16:15 +0000 (-0800)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a
+Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
+Bug-Ubuntu: https://launchpad.net/bugs/1394370
+Bug-Debian: https://bugs.debian.org/772710
+Origin: upstream, https://review.openstack.org/#/c/140356/
+Last-Update: 2014-12-10
+
+diff --git a/horizon/middleware.py b/horizon/middleware.py
+index e4b72b2..3cdb36e 100644
+--- a/horizon/middleware.py
++++ b/horizon/middleware.py
+@@ -49,6 +49,17 @@ class HorizonMiddleware(object):
+ 
+     def process_request(self, request):
+         """Adds data necessary for Horizon to function to the request."""
++
++        request.horizon = {'dashboard': None,
++                           'panel': None,
++                           'async_messages': []}
++        if not hasattr(request, "user") or not request.user.is_authenticated():
++            # proceed no further if the current request is already known
++            # not to be authenticated
++            # it is CRITICAL to perform this check as early as possible
++            # to avoid creating too many sessions
++            return None
++
+         # Activate timezone handling
+         tz = request.session.get('django_timezone')
+         if tz:
+@@ -62,14 +73,6 @@ class HorizonMiddleware(object):
+ 
+         last_activity = request.session.get('last_activity', None)
+         timestamp = int(time.time())
+-        request.horizon = {'dashboard': None,
+-                           'panel': None,
+-                           'async_messages': []}
+-
+-        if not hasattr(request, "user") or not request.user.is_authenticated():
+-            # proceed no further if the current request is already known
+-            # not to be authenticated
+-            return None
+ 
+         # If we use cookie-based sessions, check that the cookie size does not
+         # reach the max size accepted by common web browsers.
+diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
+index 8a630e9..5ff1fd5 100644
+--- a/openstack_dashboard/views.py
++++ b/openstack_dashboard/views.py
+@@ -33,6 +33,4 @@ def splash(request):
+     if request.user.is_authenticated():
+         return shortcuts.redirect(horizon.get_user_home(request.user))
+     form = forms.Login(request)
+-    request.session.clear()
+-    request.session.set_test_cookie()
+     return shortcuts.render(request, 'splash.html', {'form': form})
diff -Nru horizon-2014.1.3/debian/patches/series horizon-2014.1.3/debian/patches/series
--- horizon-2014.1.3/debian/patches/series	2014-11-11 21:25:59.000000000 +0000
+++ horizon-2014.1.3/debian/patches/series	2014-12-10 11:43:48.000000000 +0000
@@ -6,3 +6,4 @@
 0009_Fix-TypeError-SecurityGroup-object-is-not-iterable-t.patch
 disable-failed-django-1.7-test.patch
 Update_WSGI_app_creation_to_be_compatible_with_Django_1.7.patch
+CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch

Reply to:

Follow-Ups:
- Bug#772719: marked as done (unblock: horizon/2014.1.3-6 CVE-2014-8124 fix)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#772714: unblock: python-django-openstack-auth/1.1.6-6: CVE-2014-8124 fix
Next by Date: Bug#772709: marked as done (unblock: weboob/1.0-2)
Previous by thread: Bug#772714: marked as done (unblock: python-django-openstack-auth/1.1.6-6: CVE-2014-8124 fix)
Next by thread: Bug#772719: marked as done (unblock: horizon/2014.1.3-6 CVE-2014-8124 fix)
Index(es):
- Date
- Thread