Bug#772714: marked as done (unblock: python-django-openstack-auth/1.1.6-6: CVE-2014-8124 fix)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Wed, 10 Dec 2014 13:12:39 +0000
with message-id <324a566a79d2e2a551ecb2ff00ec051b@mail.adsl.funky-badger.org>
and subject line Re: Bug#772714: unblock: python-django-openstack-auth/1.1.6-6: CVE-2014-8124 fix
has caused the Debian Bug report #772714,
regarding unblock: python-django-openstack-auth/1.1.6-6: CVE-2014-8124 fix
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772714: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772714
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: python-django-openstack-auth/1.1.6-6: CVE-2014-8124 fix
• From: Thomas Goirand <zigo@debian.org>
• Date: Wed, 10 Dec 2014 20:17:32 +0800
• Message-id: <[🔎] 20141210121732.1102.9933.reportbug@buzig.gplhost.com>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock package python-django-openstack-auth. The upstream patch is a
one liner fixing the DOS on the login page on the side of this lib. Debdiff
attached.

Cheers,

Thomas Goirand (zigo)

diff -Nru python-django-openstack-auth-1.1.6/debian/changelog python-django-openstack-auth-1.1.6/debian/changelog
--- python-django-openstack-auth-1.1.6/debian/changelog	2014-09-29 06:45:50.000000000 +0000
+++ python-django-openstack-auth-1.1.6/debian/changelog	2014-12-10 12:10:01.000000000 +0000
@@ -1,3 +1,10 @@
+python-django-openstack-auth (1.1.6-5) unstable; urgency=high
+
+  * CVE-2014-8124: Horizon login page contains DOS attack mechanism. Applied
+    upstream patch (Closes: #772712).
+
+ -- Thomas Goirand <zigo@debian.org>  Wed, 10 Dec 2014 20:07:03 +0800
+
 python-django-openstack-auth (1.1.6-4) unstable; urgency=medium
 
   * Add upstream patch fixing FTBFS: fix-tests.patch. Thanks to David Suárez
diff -Nru python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch
--- python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch	1970-01-01 00:00:00.000000000 +0000
+++ python-django-openstack-auth-1.1.6/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch	2014-12-10 12:10:01.000000000 +0000
@@ -0,0 +1,27 @@
+Description: Horizon login page contains DOS attack mechanism
+ The horizon login page (and middleware) accesses the session too early in the
+ login process, which will create session records in the session backend. This
+ is especially problematic when non-cookie backends are used.
+Author: eric <eric.peterson1@twcable.com>
+Date: Mon, 8 Dec 2014 23:38:26 +0000 (-0700)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fdjango_openstack_auth.git;a=commitdiff_plain;h=e676c88a329af57d6c4f13df54f6e1e06c1f8360
+Co-Authored-By: Tihomir Trifonov <t.trifonov@gmail.com>
+Co-Authored-By: Eric Peterson <eric.peterson1@twcable.com>
+Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
+Bug-Ubuntu: https://launchpad.net/bugs/1394370
+Bug-Debian: https://bugs.debian.org/772712
+Origin: upstream, https://review.openstack.org/#/c/140352/
+Last-Update: 2014-12-10
+
+diff --git a/openstack_auth/forms.py b/openstack_auth/forms.py
+index 2c8092c..8c1fcee 100644
+--- a/openstack_auth/forms.py
++++ b/openstack_auth/forms.py
+@@ -98,7 +98,6 @@ class Login(django_auth_forms.AuthenticationForm):
+             msg = 'Login failed for user "%(username)s".' % \
+                 {'username': username}
+             LOG.warning(msg)
+-            self.request.session.flush()
+             raise forms.ValidationError(exc)
+         if hasattr(self, 'check_for_test_cookie'):  # Dropped in django 1.7
+             self.check_for_test_cookie()
diff -Nru python-django-openstack-auth-1.1.6/debian/patches/series python-django-openstack-auth-1.1.6/debian/patches/series
--- python-django-openstack-auth-1.1.6/debian/patches/series	2014-09-29 06:45:50.000000000 +0000
+++ python-django-openstack-auth-1.1.6/debian/patches/series	2014-12-10 12:10:01.000000000 +0000
@@ -1,3 +1,4 @@
 0001-Call-django.setup-before-running-tests-for-Django-1..patch
 0002-Don-t-call-check_for_test_cookie-with-Django-1.7.patch
 fix-tests.patch
+CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism.patch

--- End Message ---

--- Begin Message ---

• To: Thomas Goirand <zigo@debian.org>, 772714-done@bugs.debian.org
• Subject: Re: Bug#772714: unblock: python-django-openstack-auth/1.1.6-6: CVE-2014-8124 fix
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Wed, 10 Dec 2014 13:12:39 +0000
• Message-id: <324a566a79d2e2a551ecb2ff00ec051b@mail.adsl.funky-badger.org>
• In-reply-to: <[🔎] 20141210121732.1102.9933.reportbug@buzig.gplhost.com>
• References: <[🔎] 20141210121732.1102.9933.reportbug@buzig.gplhost.com>

On 2014-12-10 12:17, Thomas Goirand wrote:

Please unblock package python-django-openstack-auth. The upstream patch is a one liner fixing the DOS on the login page on the side of this lib. Debdiff

attached.

Unblocked.

Regards,

Adam

--- End Message ---