Finalize fix for CVE-2014-8124
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Fix Committed | Critical | Paul Karikh | |
| 5.1.x | Fix Released | Critical | Alexey Khivin | |
| 6.0.x | Fix Released | Critical | Alexey Khivin | |
| 6.1.x | Fix Released | Critical | Paul Karikh | |
Bug Description
We need to push a fix for https:/
Mike Scherbakov (mihgen) wrote: #1
Dmitry Mescheryakov (dmitrymex) wrote: #2
Mike: yep, you are right. Corrected the milestone.
Timur Sufiev (tsufiev-x) wrote: #3
Opening since it's opened in upstream: https:/
information type: Private Security → Public Security
OSCI Robot (oscirobot) wrote: #4
DEB package python-
Package version == 1.1.7, package release == ubuntu3
Changeset: https:/
project: packages/
branch: master
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism the horizon login page (and middleware) accesses the session too early in the login process, which will create session records in the session backend. This is especially problematic when non-cookie backend
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://
Alexey Khivin (akhivin) wrote: #5
https:/
https:/
OSCI Robot (oscirobot) wrote: #6
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 6.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #7
DEB package python-
Package version == 1.1.7, package release == ubuntu3
Changeset: https:/
project: packages/
branch: master
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #8
DEB package python-
Package version == 1.1.7, package release == ubuntu5
Changeset: https:/
project: packages/
branch: 6.0.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #9
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 6.0.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #10
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #11
DEB package python-
Package version == 1.1.7, package release == ubuntu4
Changeset: https:/
project: packages/
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #12
RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.
Changeset: https:/
project: openstack/horizon
branch: openstack-
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
openstack-
openstack-
python-
python-
NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #13
DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.
Changeset: https:/
project: openstack/horizon
branch: openstack-
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
openstack-
openstack-
python-
python-
NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #14
RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2.mira9
Changeset: https:/
project: openstack/horizon
branch: openstack-
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged
Files placed on repository:
openstack-
openstack-
python-
python-
Changeset merged. Package placed on primary repository
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #15
DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2~mira7
Changeset: https:/
project: openstack/horizon
branch: openstack-
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged
Files placed on repository:
openstack-
openstack-
python-
python-
Changeset merged. Package placed on primary repository
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #16
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #18
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #20
DEB package python-
Package version == 1.1.7, package release == ubuntu5
Changeset: https:/
project: packages/
branch: 6.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #21
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #22
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 6.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged
Files placed on repository:
python-
Changeset merged. Package placed on primary repository
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #23
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged
Files placed on repository:
python-
Changeset merged. Package placed on primary repository
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #24
DEB package python-
Package version == 1.1.7, package release == ubuntu4
Changeset: https:/
project: packages/
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged
Files placed on repository:
python-
Changeset merged. Package placed on primary repository
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #25
DEB package python-
Package version == 1.1.7, package release == ubuntu3
Changeset: https:/
project: packages/
branch: master
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged
Files placed on repository:
python-
Changeset merged. Package placed on primary repository
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #26
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 6.0.1
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged
Files placed on repository:
python-
Changeset merged. Package placed on primary repository
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #27
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 5.1.2
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://
Alexey Khivin (akhivin) wrote: #28
As I understood, Timur decided to fix this by himself in the latest branches.
Timur Sufiev (tsufiev-x) wrote: #29
In the master branch it will be fixed by switching to django-
OSCI Robot (oscirobot) wrote: #30
DEB package python-
Package version == 1.1.9, package release == ubuntu5
Changeset: https:/
project: packages/
branch: 6.1
author: Max Yatsenko
committer: Max Yatsenko
subject: Update "python-
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #32
DEB package python-
Package version == 1.1.9, package release == ubuntu5
Changeset: https:/
project: packages/
branch: 6.1
author: Max Yatsenko
committer: Max Yatsenko
subject: Update "python-
status: change-merged
Files placed on repository:
python-
Changeset merged. Package placed on primary repository
DEB repository URL: http://
Timur Sufiev (tsufiev-x) wrote: #33
Since the requests https:/
OSCI Robot (oscirobot) wrote: #34
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #35
DEB package python-
Package version == 1.1.7, package release == ubuntu1
Changeset: https:/
project: packages/
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #36
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #37
DEB package python-
Package version == 1.1.7, package release == ubuntu1
Changeset: https:/
project: packages/
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #38
DEB package python-
Package version == 1.1.7, package release == ubuntu5
Changeset: https:/
project: packages/
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: patchset-created
Files placed on repository:
python-
NOTE: Changeset is not merged, created temporary package repository.
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #39
RPM package python-
Package version == 1.1.7, package release == 1
Changeset: https:/
project: packages/
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged
Files placed on repository:
python-
Changeset merged. Package placed on primary repository
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #40
DEB package python-
Package version == 1.1.7, package release == ubuntu5
Changeset: https:/
project: packages/
branch: 6.0-updates
author: Alex Khivin
committer: Alex Khivin
subject: Horizon login page contains DOS attack mechanism
status: change-merged
Files placed on repository:
python-
Changeset merged. Package placed on primary repository
DEB repository URL: http://
OSCI Robot (oscirobot) wrote: #41
RPM package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2.mira10
Changeset: https:/
project: openstack/horizon
branch: openstack-
author: Alex Ermolov
committer: Alex Ermolov
subject: Fix web-server memory overrun when downloading objects from Swift
status: change-merged
Files placed on repository:
openstack-
openstack-
python-
python-
Changeset merged. Package placed on primary repository
RPM repository URL: http://
OSCI Robot (oscirobot) wrote: #42
DEB package horizon has been built for project openstack/horizon
Package version == 2014.1.3, package release == fuel5.1.2~mira8
Changeset: https:/
project: openstack/horizon
branch: openstack-
author: Alex Ermolov
committer: Alex Ermolov
subject: Fix web-server memory overrun when downloading objects from Swift
status: change-merged
Files placed on repository:
openstack-
openstack-
python-
python-
Changeset merged. Package placed on primary repository
DEB repository URL: http://
Paul Karikh (pkarikh) wrote: #43
on verification
Paul Karikh (pkarikh) wrote: #44
Looks like this bug is still valid for 6.1.
Mike Scherbakov (mihgen) wrote: #45
Folks, please provide an update on this one here.
Paul Karikh (pkarikh) wrote: #46
We've decided that it is a new bug. We've created a new MOS bug here: https:/
All updates are there.
For this bug we are setting `Fix Committed`.
Timur Sufiev (tsufiev-x) wrote: #47
Additional clarification: we consider this one as 'Fix Committed' because the upstream CVE was applied correctly, yet it hasn't received all the problems. For their solution, see bug 1459628.
Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix proposed to openstack/horizon (openstack-ci/fuel-5.1.1-updates/2014.1.1) #48
Fix proposed to branch: openstack-
Change author: Alex Khivin <email address hidden>
Review: https:/
Timur Nurlygayanov (tnurlygayanov) wrote: #49
Could anybody confirm that it was successfully fixed in MOS 6.1 and change the status to Fix Released?
Fuel Devops McRobotson (fuel-devops-robot) wrote: Fix merged to openstack/horizon (openstack-ci/fuel-5.1.1-updates/2014.1.1) #50
Reviewed: https:/
Submitter: mos-infra-ci <>
Branch: openstack-
Commit: 818be3655070187
Author: Alexey Khivin <email address hidden>
Date: Tue Jul 14 16:37:48 2015
Horizon login page contains DOS attack mechanism
the horizon login page (really the middleware) accesses the session
too early in the login process, which will create session records
in the session backend. This is especially problematic when non-cookie
backends are used.
After speaking with Eric Peterson in IRC private we agreed that line
`response.
openstack_
was just a clean-up).
Change-Id: I0aeb98da8e9a21
Closes-Bug: #1398893
Closes-Bug: #1399271
(cherry picked from commit ec33d56d4fd93cc
Didn't we decide to Won't fix it in 5.1.1?
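The commit message in comment #50 describes the defect behind CVE-2014-8124: the login page (really the middleware) touches the session before the user has authenticated, so every anonymous request persists a record in a non-cookie session backend. The simulation below is an added example, not Horizon or Django code; every name in it (SessionBackend, Request, login_vulnerable, login_fixed, records_after, the demo credentials) is constructed. It contrasts the early-access pattern with one that defers session access until authentication succeeds, and gives a count a defender can run against both to confirm which pattern a deployment exhibits.

```python
import secrets

class SessionBackend:
    """Stand-in for a server-side (non-cookie) session store such as a DB or cache."""
    def __init__(self):
        self.records = {}
    def create(self):
        key = secrets.token_hex(16)
        self.records[key] = {}
        return key

class Request:
    def __init__(self, method, backend, form=None):
        self.method, self.form, self._backend = method, form or {}, backend
        self._key = None
    @property
    def session(self):
        # Any access to .session persists a record, the behaviour the commit message describes.
        if self._key is None:
            self._key = self._backend.create()
        return self._backend.records[self._key]

def authenticate(form):
    # Constructed credential check: a single demo account exists in this simulation.
    return form.get("username") == "demo" and form.get("password") == "demo-pass"

def login_vulnerable(request):
    """Reads the session before authentication, so every anonymous GET stores a record."""
    request.session.setdefault("next", request.form.get("next", "/"))
    if request.method == "POST" and authenticate(request.form):
        request.session["user"] = request.form["username"]
        return 302
    return 200

def login_fixed(request):
    """Defers all session access until the credentials have been verified."""
    if request.method == "POST" and authenticate(request.form):
        request.session["user"] = request.form["username"]
        return 302
    return 200

def records_after(view, requests):
    """Defender's check: how many backend records a sequence of (method, form) requests leaves."""
    backend = SessionBackend()
    for method, form in requests:
        view(Request(method, backend, form))
    return len(backend.records)
```

With a real deployment the equivalent check is to count rows or keys in the session backend before and after a burst of unauthenticated requests to the login URL; a fixed build leaves the count unchanged.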