Red Hat Product Errata RHSA-2014:0581 - Security Advisory

Issued:: 2014-05-29
Updated:: 2014-05-29

RHSA-2014:0581 - Security Advisory

Overview
Updated Packages

Synopsis

Low: python-django-horizon security update

Type/Severity

Security Advisory: Low

Topic

Updated python-django-horizon packages that fix one security issue are now
available for Red Hat Enterprise Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having Low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Description

OpenStack Dashboard (horizon) provides administrators and users a graphical
interface to access, provision and automate cloud-based resources.
The dashboard allows cloud administrators to get an overall view of the
size and state of the cloud and it provides end-users a self-service portal
to provision their own resources within the limits set by administrators.

A flaw was discovered in OpenStack Dashboard that could allow a remote
attacker to conduct cross-site scripting (XSS) attacks if they were able to
trick a horizon user into using a malicious heat template. Note that only
setups exposing the orchestration dashboard in OpenStack Dashboard were
affected. (CVE-2014-0157)

Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Cristian Fiorentino from Intel as the original
reporter.

All python-django-horizon users are advised to upgrade to these updated
packages, which correct this issue.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

Red Hat OpenStack 4.0 x86_64

Fixes

BZ - 1082858 - CVE-2014-0157 OpenStack: XSS in Horizon orchestration dashboard when using a malicious template

CVEs

CVE-2014-0157

References

https://access.redhat.com/security/updates/classification/#low

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 4.0

SRPM
python-django-horizon-2013.2.3-1.el6ost.src.rpm	SHA-256: 9816b1430fb106cf0b5cd2106c18aae7bd28d96db36c584ed5c904fd07069cdb
x86_64
openstack-dashboard-2013.2.3-1.el6ost.noarch.rpm	SHA-256: a2d19fc1282cf4bb17a9509f8faf603272b19f20442ba58d8576ac8ef5d3b3fd
openstack-dashboard-theme-2013.2.3-1.el6ost.noarch.rpm	SHA-256: 0166a238a4d9ca8f3ac174d6879306536dacaf7a8ed290fc66e89cf0a09087d5
python-django-horizon-2013.2.3-1.el6ost.noarch.rpm	SHA-256: acaba12b3b0b137b686516e22b91ebe7b33794ed3e82574283944f6c88b572ab
python-django-horizon-doc-2013.2.3-1.el6ost.noarch.rpm	SHA-256: c0fc5af6094d9a998830c3db02cfea3ef3fc40d8bf0be91396bbcd38a9552ad0

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories