Red Hat Product Errata RHSA-2016:1272 - Security Advisory

Issued:: 2016-06-21
Updated:: 2016-06-21

RHSA-2016:1272 - Security Advisory

Overview
Updated Packages

Synopsis

Important: python-django-horizon security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

An update for python-django-horizon is now available for Red Hat
Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Description

OpenStack Dashboard (Horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.

The following packages have been upgraded to a newer upstream version:
python-django-horizon: 2015.1.4 (BZ#1345822)

Security Fix(es):

A DOM-based, cross-site scripting vulnerability was found in the
OpenStack dashboard, where user input was not filtered correctly. An
authenticated dashboard user could exploit the flaw by injecting an
AngularJS template into a dashboard form (for example, using an image's
description), triggering the vulnerability when another user browsed
the affected page. As a result, this flaw could result in user accounts
being compromised (for example, user-access credentials being stolen).
(CVE-2016-4428)

Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers
(Virginia Tech) as the original reporters.

Solution

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 7 x86_64

Fixes

BZ - 1287881 - Heat UI objects are not displayed in the UI
BZ - 1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template

CVEs

CVE-2016-4428

References

http://www.redhat.com/security/updates/classification/#normal

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 7

SRPM
python-django-horizon-2015.1.4-1.el7ost.src.rpm	SHA-256: 99ee169130e212ef71667c667ba54c94718de52b36f6231c35799b2160ddd918
x86_64
openstack-dashboard-2015.1.4-1.el7ost.noarch.rpm	SHA-256: 1e16cd26f3780aff7063b78a7b6cef43d10354d51085ae0b01171226965fa5ff
openstack-dashboard-theme-2015.1.4-1.el7ost.noarch.rpm	SHA-256: 87dd679b985e00c21ac07df71191710f74a3faa5c19fbb7f2395c7a7714dbaad
python-django-horizon-2015.1.4-1.el7ost.noarch.rpm	SHA-256: 6e202ac31e01d62a18c91173b7157f960a233215d087912afdcc879c68169789
python-django-horizon-doc-2015.1.4-1.el7ost.noarch.rpm	SHA-256: f0d4f5c4f566e5173be0b848aa96e7a54ea4ccd040dd5e67404242a348ebfdf2

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories