rhsa-2015:0845
Vulnerability from csaf_redhat
Published
2015-04-16 14:27
Modified
2025-03-19 14:03
Summary
Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update
Notes
Topic
Updated python-django-horizon and python-django-openstack-auth packages
that fix one security issue and multiple bugs are now available for Red Hat
Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details
OpenStack Dashboard (horizon) provides administrators and users a graphical
interface to access, provision and automate cloud-based resources.
The dashboard allows cloud administrators to get an overall view of the
size and state of the cloud and it provides end-users a self-service portal
to provision their own resources within the limits set by administrators.
A denial of service flaw was found in the OpenStack Dashboard (horizon)
when using the db or memcached session engine. An attacker could make
repeated requests to the login page, which would result in a large number
of unwanted backend session entries, possibly leading to a denial of
service. (CVE-2014-8124)
Red Hat would like to thank the OpenStack Project for reporting this issue.
Upstream acknowledges Eric Peterson from Time Warner Cable as the original
reporter.
The python-django-horizon packages have been upgraded to upstream version
2014.1.4, which provides a number of bug fixes over the previous version,
including:
* Default 'target={}' value leaks into subsequent 'policy.check()' calls.
* Neutron subnet create tooltip has invalid HTML tags.
* Memory reported improperly in admin dashboard.
* The container dashboard does not handle unicode URL correctly.
(BZ#1203281)
This update also fixes the following bugs:
* The option 'OPENSTACK_SSL_NO_VERIFY' is used to enable or disable checks
for SSL certificate validity. Prior to this update, swift clients ignored
this check. As a result, you could not use horizon with swift, and swift
was accessed via a self signed certificate. With this update, the option is
now handled properly and Horizon is able to use this endpoint while the
'OPENSTACK_SSL_NO_VERIFY' option is enabled. (BZ#1192517)
* Previously, horizon.log was not truncated automatically, resulting in
very large log files. With this update, files are now trimmed by logrotate,
fixing this issue. (BZ#1112621)
All OpenStack Dashboard users are advised to upgrade to these updated
packages, which correct these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated python-django-horizon and python-django-openstack-auth packages\nthat fix one security issue and multiple bugs are now available for Red Hat\nEnterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Dashboard (horizon) provides administrators and users a graphical\ninterface to access, provision and automate cloud-based resources.\nThe dashboard allows cloud administrators to get an overall view of the\nsize and state of the cloud and it provides end-users a self-service portal\nto provision their own resources within the limits set by administrators.\n\nA denial of service flaw was found in the OpenStack Dashboard (horizon)\nwhen using the db or memcached session engine. An attacker could make\nrepeated requests to the login page, which would result in a large number\nof unwanted backend session entries, possibly leading to a denial of\nservice. (CVE-2014-8124)\n\nRed Hat would like to thank the OpenStack Project for reporting this issue.\nUpstream acknowledges Eric Peterson from Time Warner Cable as the original\nreporter.\n\nThe python-django-horizon packages have been upgraded to upstream version\n2014.1.4, which provides a number of bug fixes over the previous version,\nincluding:\n\n* Default \u0027target={}\u0027 value leaks into subsequent \u0027policy.check()\u0027 calls.\n* Neutron subnet create tooltip has invalid HTML tags.\n* Memory reported improperly in admin dashboard.\n* The container dashboard does not handle unicode URL correctly.\n(BZ#1203281)\n\nThis update also fixes the following bugs:\n\n* The option \u0027OPENSTACK_SSL_NO_VERIFY\u0027 is used to enable or disable checks\nfor SSL certificate validity. Prior to this update, swift clients ignored\nthis check. As a result, you could not use horizon with swift, and swift\nwas accessed via a self signed certificate. With this update, the option is\nnow handled properly and Horizon is able to use this endpoint while the\n\u0027OPENSTACK_SSL_NO_VERIFY\u0027 option is enabled. (BZ#1192517)\n\n* Previously, horizon.log was not truncated automatically, resulting in\nvery large log files. With this update, files are now trimmed by logrotate,\nfixing this issue. (BZ#1112621)\n\nAll OpenStack Dashboard users are advised to upgrade to these updated\npackages, which correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:0845",
"url": "https://access.redhat.com/errata/RHSA-2015:0845"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html",
"url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html"
},
{
"category": "external",
"summary": "1169637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
},
{
"category": "external",
"summary": "1203231",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203231"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0845.json"
}
],
"title": "Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update",
"tracking": {
"current_release_date": "2025-03-19T14:03:23+00:00",
"generator": {
"date": "2025-03-19T14:03:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.4.1"
}
},
"id": "RHSA-2015:0845",
"initial_release_date": "2015-04-16T14:27:28+00:00",
"revision_history": [
{
"date": "2015-04-16T14:27:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-04-16T14:27:28+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-03-19T14:03:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:5::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"product": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"product_id": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el6ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"product": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"product_id": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el6ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"product": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"product_id": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"product_id": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon-doc@2014.1.4-1.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"product_id": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-dashboard@2014.1.4-1.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"product_id": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"product_id": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-dashboard-theme@2014.1.4-1.el6ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src"
},
"product_reference": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch"
},
"product_reference": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
},
"product_reference": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"OpenStack Project"
]
},
{
"names": [
"Eric Peterson"
],
"organization": "Time Warner Cable",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-8124",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2014-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1169637"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django-horizon: denial of service via login page requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-8124"
},
{
"category": "external",
"summary": "RHBZ#1169637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-8124",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-8124"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124"
}
],
"release_date": "2014-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-04-16T14:27:28+00:00",
"details": "Before applying this update, ensure all previously released errata relevant\nto your system have been applied.\n\nRed Hat Enterprise Linux OpenStack Platform 5 runs on Red Hat Enterprise\nLinux 6.6.\n\nThe Red Hat Enterprise Linux OpenStack Platform 5 Release Notes (see\nReferences section) contain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat Enterprise Linux OpenStack Platform 5,\nincluding which channels need to be enabled and disabled.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:0845"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django-horizon: denial of service via login page requests"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…