Candidate: CVE-2014-8124
PublicDate: 2014-12-12 15:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8124
 http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html
Description:
 OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does
 not properly handle session records when using a db or memcached session
 engine, which allows remote attackers to cause a denial of service via a large
 number of requests to the login page.
Ubuntu-Description:
Notes:
 mdeslaur> the fix for CVE-2014-8124 introduced a regression, which is
 mdeslaur> fixed here:
 mdeslaur> https://review.openstack.org/#/c/142737/
 seth-arnold> The python-django-openstack-auth regression fix is currently only
 seth-arnold> included in the wily package (2015-5-14) -- however, no one has
 seth-arnold> complained and testing hasn't demonstrated any problems.
 seth-arnold> horizon in precise does not appear to take the operations that
 seth-arnold> auto-instantiated django sessions in the newer releases; it looks
 seth-arnold> safe.
Bugs:
 https://bugs.launchpad.net/horizon/+bug/1394370
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772712
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772710
Priority: medium
Discovered-by:
Assigned-to: sarnold
CVSS:

Patches_python-django-openstack-auth:
 upstream: https://review.openstack.org/140352
upstream_python-django-openstack-auth: released (1.1.6-5)
lucid_python-django-openstack-auth: DNE
precise_python-django-openstack-auth: DNE
trusty_python-django-openstack-auth: not-affected (see notes)
trusty/esm_python-django-openstack-auth: DNE (trusty was not-affected [see notes])
utopic_python-django-openstack-auth: not-affected (see notes)
vivid_python-django-openstack-auth: not-affected (see notes)
devel_python-django-openstack-auth: not-affected (includes regression fix)

Patches_horizon:
 upstream: https://review.openstack.org/140353 (kilo)
 upstream: https://review.openstack.org/140358 (juno)
 upstream: https://review.openstack.org/140356 (icehouse)
upstream_horizon: released (2014.1.3-6)
lucid_horizon: DNE
precise_horizon: not-affected (see notes)
trusty_horizon: released (1:2014.1.4-0ubuntu2)
trusty/esm_horizon: DNE (trusty was released [1:2014.1.4-0ubuntu2])
utopic_horizon: not-affected (1:2014.2.1-0ubuntu2)
vivid_horizon: not-affected (1:2015.1~b1-0ubuntu1)
devel_horizon: not-affected (1:2015.1~b1-0ubuntu1)
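The description above names the failure class (one persisted session record per anonymous hit on the login page, until the db or memcached backend is exhausted) but not the mechanism. The following is an added illustrative model of that class, written for this entry; it is not Horizon's or python-django-openstack-auth's code and does not reproduce the actual fixes in the linked reviews. It mirrors Django's lazy-session semantics (a record is only written when the session was modified) with its own stand-in classes; SessionStore, Session, MAX_SESSIONS, the "region_endpoint" key, the Keystone stub check_credentials and the demo credentials are all assumptions of this example.

```python
"""
Model of CVE-2014-8124's failure class (added example, not project code):
a login handler that writes to the session before authenticating makes the
session middleware persist a record for every anonymous GET, so an attacker
can fill a db/memcached session backend with unauthenticated requests.
"""
import secrets

MAX_SESSIONS = 1000  # assumed backend capacity (memcached eviction / db quota)


class SessionStore:
    """Stand-in for a db/memcached session backend: one record per key."""
    def __init__(self):
        self.records = {}

    def save(self, key, data):
        if key not in self.records and len(self.records) >= MAX_SESSIONS:
            raise RuntimeError("session backend full")
        self.records[key] = dict(data)


class Session(dict):
    """Lazy session, like Django's: a key is allocated and the record
    persisted only if the view wrote something into the session."""
    def __init__(self, store):
        super().__init__()
        self.store = store
        self.key = None
        self.modified = False

    def __setitem__(self, k, v):
        super().__setitem__(k, v)
        self.modified = True

    def save(self):
        # What SessionMiddleware does at response time: persist only if modified.
        if not self.modified:
            return
        if self.key is None:
            self.key = secrets.token_hex(16)
        self.store.save(self.key, self)


def check_credentials(username, password):
    # Constructed stand-in for the Keystone check; a single valid user.
    return username == "demo" and password == "s3cret"


def vulnerable_login(session, method, form=None):
    """Touches the session before authenticating, so every anonymous GET
    (and every failed POST) leaves a persisted record behind."""
    session["region_endpoint"] = "http://keystone.example:5000/v2.0"  # assumed key
    if method == "POST" and check_credentials(form["username"], form["password"]):
        session["user_id"] = form["username"]
        return 302
    return 200


def hardened_login(session, method, form=None):
    """Writes session state only once the user has authenticated."""
    if method == "POST" and check_credentials(form["username"], form["password"]):
        session["user_id"] = form["username"]
        session["region_endpoint"] = "http://keystone.example:5000/v2.0"
        return 302
    return 200


def simulate(view, n_requests):
    """Replay n anonymous GETs through view + middleware; return records kept."""
    store = SessionStore()
    for _ in range(n_requests):
        session = Session(store)
        view(session, "GET")
        session.save()
    return len(store.records)


def legit_login_after_flood(view, flood_requests):
    """Flood the login page anonymously, then attempt a real login.
    Returns True if the legitimate user's session could still be persisted."""
    store = SessionStore()
    for _ in range(flood_requests):
        s = Session(store)
        view(s, "GET")
        try:
            s.save()
        except RuntimeError:
            pass  # the attacker does not care that the backend is full
    s = Session(store)
    view(s, "POST", {"username": "demo", "password": "s3cret"})
    try:
        s.save()
    except RuntimeError:
        return False  # denial of service: the real user cannot log in
    return "user_id" in store.records[s.key]


if __name__ == "__main__":
    print("records after 500 anonymous GETs, vulnerable:", simulate(vulnerable_login, 500))
    print("records after 500 anonymous GETs, hardened: ", simulate(hardened_login, 500))
    print("legit login survives flood, vulnerable:", legit_login_after_flood(vulnerable_login, MAX_SESSIONS))
    print("legit login survives flood, hardened:  ", legit_login_after_flood(hardened_login, MAX_SESSIONS))
```

The check a packager or operator wants from this model is the second pair of calls: with the vulnerable handler, MAX_SESSIONS anonymous GETs are enough to make the next genuine login fail, while the hardened handler leaves the backend untouched by unauthenticated traffic. Against a real deployment the equivalent check is to watch the session table or memcached item count while issuing repeated unauthenticated GETs to the login URL.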