-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: python-django-horizon security update
Advisory ID:       RHSA-2014:1188-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2014:1188.html
Issue date:        2014-09-15
CVE Names:         CVE-2014-3473 CVE-2014-3474 CVE-2014-3475 
                   CVE-2014-3594 
====================================================================
1. Summary:

Updated python-django-horizon packages that fix multiple security issues
are now available for Red Hat Enterprise Linux OpenStack Platform 4.0.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 4.0 - noarch

3. Description:

OpenStack Dashboard (horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.

A cross-site scripting (XSS) flaw was found in the way orchestration
templates were handled. An owner of such a template could use this flaw to
perform XSS attacks against other Horizon users. (CVE-2014-3473)

It was found that network names were not sanitized. A malicious user could
use this flaw to perform XSS attacks against other Horizon users by
creating a network with a specially crafted name. (CVE-2014-3474)

It was found that certain email addresses were not sanitized. An
administrator could use this flaw to perform XSS attacks against other
Horizon users by storing an email address that has a specially crafted
name. (CVE-2014-3475)

A persistent cross-site scripting (XSS) flaw was found in the horizon host
aggregate interface. A user with sufficient privileges to add a host
aggregate could potentially use this flaw to capture the credentials of
another user. (CVE-2014-3594)

Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Jason Hullinger from Hewlett Packard as the
original reporter of CVE-2014-3473, Craig Lorentzen from Cisco as the
original reporter of CVE-2014-3474, Michael Xin from Rackspace as the
original reporter of CVE-2014-3475, and Dennis Felsch and Mario Heiderich
from the Horst GÃ¶rtz Institute for IT-Security, Ruhr-University Bochum as
the original reporter of CVE-2014-3594.

All python-django-horizon users are advised to upgrade to these updated
packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1116090 - CVE-2014-3473 CVE-2014-3474 CVE-2014-3475 openstack-horizon: multiple XSS flaws
1129774 - CVE-2014-3594 openstack-horizon: persistent XSS in Horizon Host Aggregates interface

6. Package List:

Red Hat Enterprise Linux OpenStack Platform 4.0:

Source:
python-django-horizon-2013.2.3-3.el6ost.src.rpm

noarch:
openstack-dashboard-2013.2.3-3.el6ost.noarch.rpm
openstack-dashboard-theme-2013.2.3-3.el6ost.noarch.rpm
python-django-horizon-2013.2.3-3.el6ost.noarch.rpm
python-django-horizon-doc-2013.2.3-3.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-3473.html
https://www.redhat.com/security/data/cve/CVE-2014-3474.html
https://www.redhat.com/security/data/cve/CVE-2014-3475.html
https://www.redhat.com/security/data/cve/CVE-2014-3594.html
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUFn/CXlSAg2UNWIIRAgwtAJ9LrtKZOjNqnG3grUMGTI451ygeZQCfT9Pw
TYIRSQpJljn+eMyyG8++h2E=62sa
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list

RedHat: RHSA-2014-1188:01 Moderate: python-django-horizon security update

Updated python-django-horizon packages that fix multiple security issues are now available for Red Hat Enterprise Linux OpenStack Platform 4.0

Summary

OpenStack Dashboard (horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources.
A cross-site scripting (XSS) flaw was found in the way orchestration templates were handled. An owner of such a template could use this flaw to perform XSS attacks against other Horizon users. (CVE-2014-3473)
It was found that network names were not sanitized. A malicious user could use this flaw to perform XSS attacks against other Horizon users by creating a network with a specially crafted name. (CVE-2014-3474)
It was found that certain email addresses were not sanitized. An administrator could use this flaw to perform XSS attacks against other Horizon users by storing an email address that has a specially crafted name. (CVE-2014-3475)
A persistent cross-site scripting (XSS) flaw was found in the horizon host aggregate interface. A user with sufficient privileges to add a host aggregate could potentially use this flaw to capture the credentials of another user. (CVE-2014-3594)
Red Hat would like to thank the OpenStack project for reporting these issues. Upstream acknowledges Jason Hullinger from Hewlett Packard as the original reporter of CVE-2014-3473, Craig Lorentzen from Cisco as the original reporter of CVE-2014-3474, Michael Xin from Rackspace as the original reporter of CVE-2014-3475, and Dennis Felsch and Mario Heiderich from the Horst GÃ¶rtz Institute for IT-Security, Ruhr-University Bochum as the original reporter of CVE-2014-3594.
All python-django-horizon users are advised to upgrade to these updated packages, which correct these issues.

Summary

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

References

https://www.redhat.com/security/data/cve/CVE-2014-3473.html https://www.redhat.com/security/data/cve/CVE-2014-3474.html https://www.redhat.com/security/data/cve/CVE-2014-3475.html https://www.redhat.com/security/data/cve/CVE-2014-3594.html https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat Enterprise Linux OpenStack Platform 4.0:
Source: python-django-horizon-2013.2.3-3.el6ost.src.rpm
noarch: openstack-dashboard-2013.2.3-3.el6ost.noarch.rpm openstack-dashboard-theme-2013.2.3-3.el6ost.noarch.rpm python-django-horizon-2013.2.3-3.el6ost.noarch.rpm python-django-horizon-doc-2013.2.3-3.el6ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

Severity

Advisory ID: RHSA-2014:1188-01

Product: Red Hat Enterprise Linux OpenStack Platform

Advisory URL: https://access.redhat.com/errata/RHSA-2014:1188.html

Issued Date: : 2014-09-15

CVE Names: CVE-2014-3473 CVE-2014-3474 CVE-2014-3475 CVE-2014-3594

Topic

Updated python-django-horizon packages that fix multiple security issuesare now available for Red Hat Enterprise Linux OpenStack Platform 4.0.Red Hat Product Security has rated this update as having Moderate securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.

Topic

Relevant Releases Architectures

Red Hat Enterprise Linux OpenStack Platform 4.0 - noarch

Bugs Fixed

1116090 - CVE-2014-3473 CVE-2014-3474 CVE-2014-3475 openstack-horizon: multiple XSS flaws

1129774 - CVE-2014-3594 openstack-horizon: persistent XSS in Horizon Host Aggregates interface

Related News

21.Globe RadiatingCode Esm H320

Overcoming Insider Threats in Open Source Environments

2 - 3 min read

May 08, 2024

The recent discovery of a backdoor in XZ Utils , a widely used Linux tool, raises concerns about the security of the open-source ecosystem. While

13.Lock StylizedMotherboard Esm H320

Spiral Linux: A Reliable Distribution with Powerful Data Recovery Tool

1 - 2 min read

May 07, 2024

Spiral Linux is a Debian-based distribution that offers a range of desktop environments, making it stand out from other Linux distributions. In

32.Lock Code Circular Esm H320

PostgreSQL Security Vulns Allow for XSS, MFA Bypass

2 - 3 min read

May 07, 2024

Two critical security vulnerabilities were found in pgAdmin, the open-source administration tool for PostgreSQL . The vulnerabilities assigned

1.Penguin Landscape Esm H320

AlmaLinux 9.4 Reinforces Robust Linux Security

2 - 3 min read

May 07, 2024

The recent release of AlmaLinux 9.4 , closely aligned with Red Hat Enterprise Linux (RHEL) 9.4 , presents Linux admins and infosec professionals

11.Locks IsometricPattern Esm H320

Linux Mint 22 Will Bring XApp Independence, Improved Security, and Compatibility

2 - 3 min read

May 06, 2024

The upcoming release of Linux Mint 22 will introduce significant changes, particularly in handling XApp , GNOME applications, and the Software

2.Motherboard Esm H320

run0, A Safer Alternative to sudo, Introduced in Systemd v256

2 - 3 min read

May 04, 2024

German software engineer Lennart Poettering recently presented run0 , a new tool in systemd v256 that aims to address the security concerns

22.Lock ScreenEffect Esm H320

RHEL 9.4 Improves Security, Tackles Hybrid Cloud Complexity

2 - 3 min read

May 02, 2024

Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to

8.Locks HexConnections CodeGlobe Esm H320

How Debian 12 is Redefining Stability and Innovation in Open-Source OSes

1 - 2 min read

May 01, 2024

The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

News

Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Advisories

Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
HOWTOs

Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Features

Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
About Us

Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Powered By

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

© 2024 Guardian Digital, Inc All Rights Reserved