Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.1569 Imortant: python-django-horizon security, bug fix, and enhancement updates 22 June 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: python-django-horizon Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux Server 7 Linux variants Solaris Impact/Access: Cross-site Scripting -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2016-4428 Original Bulletin: https://access.redhat.com/errata/RHSA-2016:1268 https://access.redhat.com/errata/RHSA-2016:1269 https://access.redhat.com/errata/RHSA-2016:1270 https://access.redhat.com/errata/RHSA-2016:1271 https://access.redhat.com/errata/RHSA-2016:1272 Comment: This bulletin contains five (5) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: python-django-horizon security update Advisory ID: RHSA-2016:1268-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2016:1268 Issue date: 2016-06-21 CVE Names: CVE-2016-4428 ===================================================================== 1. Summary: An update for python-django-horizon is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 - noarch 3. Description: OpenStack Dashboard (Horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources. Security Fix(es): * A DOM-based, cross-site scripting vulnerability was found in the OpenStack dashboard, where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, using an image's description), triggering the vulnerability when another user browsed the affected page. As a result, this flaw could result in user accounts being compromised (for example, user-access credentials being stolen). (CVE-2016-4428) Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers (Virginia Tech) as the original reporters. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template 6. Package List: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6: Source: python-django-horizon-2014.1.5-4.el6ost.src.rpm noarch: openstack-dashboard-2014.1.5-4.el6ost.noarch.rpm openstack-dashboard-theme-2014.1.5-4.el6ost.noarch.rpm python-django-horizon-2014.1.5-4.el6ost.noarch.rpm python-django-horizon-doc-2014.1.5-4.el6ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-4428 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXacZ/XlSAg2UNWIIRArS5AJ0TFUgWJRYAcJjUSVAtyBzChtFUQACdGTEl 5SdH0Rb9qG0mu2wkX4/hvwM= =RD8P - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: python-django-horizon security update Advisory ID: RHSA-2016:1269-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2016:1269 Issue date: 2016-06-21 CVE Names: CVE-2016-4428 ===================================================================== 1. Summary: An update for python-django-horizon is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 - noarch 3. Description: OpenStack Dashboard (Horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources. Security Fix(es): * A DOM-based, cross-site scripting vulnerability was found in the OpenStack dashboard, where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, using an image's description), triggering the vulnerability when another user browsed the affected page. As a result, this flaw could result in user accounts being compromised (for example, user-access credentials being stolen). (CVE-2016-4428) Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers (Virginia Tech) as the original reporters. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template 6. Package List: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7: Source: python-django-horizon-2014.1.5-4.el7ost.src.rpm noarch: openstack-dashboard-2014.1.5-4.el7ost.noarch.rpm openstack-dashboard-theme-2014.1.5-4.el7ost.noarch.rpm python-django-horizon-2014.1.5-4.el7ost.noarch.rpm python-django-horizon-doc-2014.1.5-4.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-4428 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXacbYXlSAg2UNWIIRAhoQAKDAvZgxmF1Km60dgi/jnQomPRa3aACgn77U esbz4X8MqgCfrpmIknFANHw= =PrAk - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: python-django-horizon security update Advisory ID: RHSA-2016:1270-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2016:1270 Issue date: 2016-06-21 CVE Names: CVE-2016-4428 ===================================================================== 1. Summary: An update for python-django-horizon is now available for Red Hat OpenStack Platform 8.0 (Liberty). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 8.0 (Liberty) - noarch 3. Description: OpenStack Dashboard (Horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources. Security Fix(es): * A DOM-based, cross-site scripting vulnerability was found in the OpenStack dashboard, where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, using an image's description), triggering the vulnerability when another user browsed the affected page. As a result, this flaw could result in user accounts being compromised (for example, user-access credentials being stolen). (CVE-2016-4428) Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers (Virginia Tech) as the original reporters. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template 6. Package List: Red Hat OpenStack Platform 8.0 (Liberty): Source: python-django-horizon-8.0.1-4.el7ost.src.rpm noarch: openstack-dashboard-8.0.1-4.el7ost.noarch.rpm openstack-dashboard-theme-8.0.1-4.el7ost.noarch.rpm python-django-horizon-8.0.1-4.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-4428 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXacfbXlSAg2UNWIIRAvyfAJ9c67dUziP8iq3oycZ4mmUHmWBpzACaA5PS WHr4VDZ09vFVp56Wv6s2id8= =15DT - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: python-django-horizon security and bug fix update Advisory ID: RHSA-2016:1271-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2016:1271 Issue date: 2016-06-21 CVE Names: CVE-2016-4428 ===================================================================== 1. Summary: An update for python-django-horizon is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 - noarch 3. Description: OpenStack Dashboard (Horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources. Security Fix(es): * A DOM-based, cross-site scripting vulnerability was found in the OpenStack dashboard, where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, using an image's description), triggering the vulnerability when another user browsed the affected page. As a result, this flaw could result in user accounts being compromised (for example, user-access credentials being stolen). (CVE-2016-4428) Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers (Virginia Tech) as the original reporters. Bug Fix(es): * Having two security groups with the same name previously resulted in not being able to launch an instance if it used one of these groups. This bug has been fixed. (BZ#1293232) * Previously, under some circumstances, the hypervisor list was not alphabetized. In this update, the sort attribute has been changed, and badly sorted lists no longer occur. (BZ#1238092) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1238092 - horizon hypervisor list not ordered alphabetically 1293232 - horizon is using the Security Group name rather than the ID 1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template 6. Package List: Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7: Source: python-django-horizon-2014.2.3-9.el7ost.src.rpm noarch: openstack-dashboard-2014.2.3-9.el7ost.noarch.rpm openstack-dashboard-theme-2014.2.3-9.el7ost.noarch.rpm python-django-horizon-2014.2.3-9.el7ost.noarch.rpm python-django-horizon-doc-2014.2.3-9.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-4428 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXacgSXlSAg2UNWIIRArFEAJ4vEcJDeAkyNjZrznlJ8G5yrbRL3gCfYzQr WqbP0xDRtxUk/pPSij/OJeg= =/skb - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: python-django-horizon security, bug fix, and enhancement update Advisory ID: RHSA-2016:1272-01 Product: Red Hat Enterprise Linux OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2016:1272 Issue date: 2016-06-21 CVE Names: CVE-2016-4428 ===================================================================== 1. Summary: An update for python-django-horizon is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 - noarch 3. Description: OpenStack Dashboard (Horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources. The following packages have been upgraded to a newer upstream version: python-django-horizon: 2015.1.4 (BZ#1345822) Security Fix(es): * A DOM-based, cross-site scripting vulnerability was found in the OpenStack dashboard, where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, using an image's description), triggering the vulnerability when another user browsed the affected page. As a result, this flaw could result in user accounts being compromised (for example, user-access credentials being stolen). (CVE-2016-4428) Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers (Virginia Tech) as the original reporters. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1287881 - Heat UI objects are not displayed in the UI 1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template 6. Package List: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7: Source: python-django-horizon-2015.1.4-1.el7ost.src.rpm noarch: openstack-dashboard-2015.1.4-1.el7ost.noarch.rpm openstack-dashboard-theme-2015.1.4-1.el7ost.noarch.rpm python-django-horizon-2015.1.4-1.el7ost.noarch.rpm python-django-horizon-doc-2015.1.4-1.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-4428 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXachHXlSAg2UNWIIRAhKZAKC6mM0Ub+H7YzWTjT0zejmI01a5vQCfdZKH DKaxh+sWpegAqcj0hmNlwjg= =N4+v - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBV2nzkox+lLeg9Ub1AQhnSw/9FeDXZhL68cEDFNh6UHEPMrtLrgJCdvCG cIbzJ5wtNopwnWcR52RkAtarqHBMZGmHWPitn0mD6Gogazx/wo4dXz+KpapE8JOu vl2LWBijiGAaHIACrpEGAdQAsgBRvP6KSJjbU0kYZyorh+NjINuCU7d0InBbqiyY EBfQeUZQxXZhtJJ1qxvFkggAYEc0gDa5y1mMMRQqF1px+fqOfKZ1JWK7U+prHH7+ KMMJL8ARC0D2ZewN8Lw+EL8JGwS4K6lw78+u57IPZZK4XNn1Ehns6gHRIV9LHacV j7/4/Yv4UOmD8FbjQdsRUDdqe1aX49752OtYZuR29sM/y5rzDekgTAqtrFuKWl/0 Y+EuzFoItyGsw9MDbYxHe9Urh5fINW+hEA/PVi1jh0GrSUD7xzISeT7vNhHKVIN+ o9xvBfu/KSAteDV9FvIUgLVL49PQhMP2/hr1AmUkn5EdC2bBDZucg4CGRdZdgj3w eJ6Xo+NYP+IKXm4wMG+NA3Yy4ufj3217aQ4EbAEuYYFpFgMxvheSGNII9TpXOLsY +0/p7qHJ9XxVz93aHnACEsIZXjbvRWffRyELH/Zvj0uFpc6wUvfj2N9K6RDwBM4X Hzr47QeX3DZ1j3DMWXW99z6eCOZoaaVzOS8Dk+PJVP4k9sUlgpSaaBI70yh7vEij M3HcpxVW9ZY= =GO9/ -----END PGP SIGNATURE-----