[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#772719: marked as done (unblock: horizon/2014.1.3-6 CVE-2014-8124 fix)

Your message dated Wed, 10 Dec 2014 13:13:56 +0000
with message-id <5cac190b31ec52ebb15c4a09c8364979@mail.adsl.funky-badger.org>
and subject line Re: Bug#772719: unblock: horizon/2014.1.3-6 CVE-2014-8124 fix
has caused the Debian Bug report #772719,
regarding unblock: horizon/2014.1.3-6 CVE-2014-8124 fix
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772719: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772719
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock package horizon. Debdiff attached. See #772710 for details
about this CVE. Debdiff attached.

Cheers,

Thomas Goirand (zigo)

diff -Nru horizon-2014.1.3/debian/changelog horizon-2014.1.3/debian/changelog
--- horizon-2014.1.3/debian/changelog	2014-11-11 21:25:59.000000000 +0000
+++ horizon-2014.1.3/debian/changelog	2014-12-10 11:43:48.000000000 +0000
@@ -1,3 +1,10 @@
+horizon (2014.1.3-6) unstable; urgency=high
+
+  * CVE-2014-8124: Horizon denial of service attack through login page. Applied
+    upstrema patch (Closes: #772710).
+
+ -- Thomas Goirand <zigo@debian.org>  Wed, 10 Dec 2014 19:41:02 +0800
+
 horizon (2014.1.3-5) unstable; urgency=medium
 
   * Purge the /usr/share/openstack-dashboard/openstack_dashboard folder when
diff -Nru horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch
--- horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch	1970-01-01 00:00:00.000000000 +0000
+++ horizon-2014.1.3/debian/patches/CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch	2014-12-10 11:43:48.000000000 +0000
@@ -0,0 +1,61 @@
+Description: Horizon login page contains DOS attack mechanism
+ The horizon login page (really the middleware) accesses the session too early
+ in the login process, which will create session records in the session
+ backend. This is especially problematic when non-cookie backends are used.
+Author: lin-hua-cheng <os.lcheng@gmail.com>
+Date: Tue, 2 Dec 2014 02:16:15 +0000 (-0800)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a
+Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
+Bug-Ubuntu: https://launchpad.net/bugs/1394370
+Bug-Debian: https://bugs.debian.org/772710
+Origin: upstream, https://review.openstack.org/#/c/140356/
+Last-Update: 2014-12-10
+
+diff --git a/horizon/middleware.py b/horizon/middleware.py
+index e4b72b2..3cdb36e 100644
+--- a/horizon/middleware.py
++++ b/horizon/middleware.py
+@@ -49,6 +49,17 @@ class HorizonMiddleware(object):
+ 
+     def process_request(self, request):
+         """Adds data necessary for Horizon to function to the request."""
++
++        request.horizon = {'dashboard': None,
++                           'panel': None,
++                           'async_messages': []}
++        if not hasattr(request, "user") or not request.user.is_authenticated():
++            # proceed no further if the current request is already known
++            # not to be authenticated
++            # it is CRITICAL to perform this check as early as possible
++            # to avoid creating too many sessions
++            return None
++
+         # Activate timezone handling
+         tz = request.session.get('django_timezone')
+         if tz:
+@@ -62,14 +73,6 @@ class HorizonMiddleware(object):
+ 
+         last_activity = request.session.get('last_activity', None)
+         timestamp = int(time.time())
+-        request.horizon = {'dashboard': None,
+-                           'panel': None,
+-                           'async_messages': []}
+-
+-        if not hasattr(request, "user") or not request.user.is_authenticated():
+-            # proceed no further if the current request is already known
+-            # not to be authenticated
+-            return None
+ 
+         # If we use cookie-based sessions, check that the cookie size does not
+         # reach the max size accepted by common web browsers.
+diff --git a/openstack_dashboard/views.py b/openstack_dashboard/views.py
+index 8a630e9..5ff1fd5 100644
+--- a/openstack_dashboard/views.py
++++ b/openstack_dashboard/views.py
+@@ -33,6 +33,4 @@ def splash(request):
+     if request.user.is_authenticated():
+         return shortcuts.redirect(horizon.get_user_home(request.user))
+     form = forms.Login(request)
+-    request.session.clear()
+-    request.session.set_test_cookie()
+     return shortcuts.render(request, 'splash.html', {'form': form})
diff -Nru horizon-2014.1.3/debian/patches/series horizon-2014.1.3/debian/patches/series
--- horizon-2014.1.3/debian/patches/series	2014-11-11 21:25:59.000000000 +0000
+++ horizon-2014.1.3/debian/patches/series	2014-12-10 11:43:48.000000000 +0000
@@ -6,3 +6,4 @@
 0009_Fix-TypeError-SecurityGroup-object-is-not-iterable-t.patch
 disable-failed-django-1.7-test.patch
 Update_WSGI_app_creation_to_be_compatible_with_Django_1.7.patch
+CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch

--- End Message ---
--- Begin Message --- 
On 2014-12-10 12:19, Thomas Goirand wrote:
Please unblock package horizon. Debdiff attached. See #772710 for details 
about this CVE. Debdiff attached.


Unblocked.

Regards,

Adam

--- End Message ---
Reply to: