Red Hat Product Errata RHSA-2017:1598 - Security Advisory

Issued:: 2017-06-28
Updated:: 2017-06-28

RHSA-2017:1598 - Security Advisory

Overview
Updated Packages

Synopsis

Low: python-django-horizon security, bug fix, and enhancement update

Type/Severity

Security Advisory: Low

Topic

An update for python-django-horizon is now available for Red Hat OpenStack Platform 10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenStack Dashboard (horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources.

The following packages have been upgraded to a later upstream version: python-django-horizon (10.0.3). (BZ#1432289, BZ#1454330)

Security Fix(es):

A cross-site scripting flaw was discovered in the OpenStack dashboard (horizon) which allowed remote authenticated administrators to conduct XSS attacks using a crafted federation mapping rule. For this flaw to be exploited, federation mapping must be enabled in the dashboard. (CVE-2017-7400)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 10 x86_64

Fixes

BZ - 1408777 - Default admin user from default domain does not have Domains tab in Horizon Web Interface.
BZ - 1414997 - modifying any quota in horizon triggers cinder to update gigabytes = null. Results in horizon error.
BZ - 1427328 - System info tab in horiozon does not display correct version.
BZ - 1432036 - Password revealing icon (eyeball) is in the wrong place
BZ - 1432245 - Cannot create volume from image if cinder v1 service deleted
BZ - 1432289 - Rebase python-django-horizon to 10.0.3
BZ - 1439626 - CVE-2017-7400 python-django-horizon: XSS in federation mappings UI
BZ - 1454330 - Rebase python-django-horizon to 9dda5a

CVEs

CVE-2017-7400

References

https://access.redhat.com/security/updates/classification/#low

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 10

SRPM
python-django-horizon-10.0.3-6.el7ost.src.rpm	SHA-256: 714ee1380a23b00269dcb6ff4af3a537339c01ddfb6e02466fa327abeb577f34
x86_64
openstack-dashboard-10.0.3-6.el7ost.noarch.rpm	SHA-256: 18c9232c0dae7c9503e268a3a666e10834459b3c33fd5489563b6781f0202f58
openstack-dashboard-theme-10.0.3-6.el7ost.noarch.rpm	SHA-256: 1a7da40fd5fe7994362bd04e84bdff6b4d9d2bf5e5aa82a7be69ff28189d1909
python-django-horizon-10.0.3-6.el7ost.noarch.rpm	SHA-256: fd9ea90aac35b9804a81986b4ad98f5ede7e87e18db3cf406ea4430f5e0df457

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories