Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1569
Imortant: python-django-horizon security, bug fix, and enhancement updates
22 June 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python-django-horizon
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Server 7
Linux variants
Solaris
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2016-4428
Original Bulletin:
https://access.redhat.com/errata/RHSA-2016:1268
https://access.redhat.com/errata/RHSA-2016:1269
https://access.redhat.com/errata/RHSA-2016:1270
https://access.redhat.com/errata/RHSA-2016:1271
https://access.redhat.com/errata/RHSA-2016:1272
Comment: This bulletin contains five (5) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: python-django-horizon security update
Advisory ID: RHSA-2016:1268-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1268
Issue date: 2016-06-21
CVE Names: CVE-2016-4428
=====================================================================
1. Summary:
An update for python-django-horizon is now available for Red Hat Enterprise
Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 - noarch
3. Description:
OpenStack Dashboard (Horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.
Security Fix(es):
* A DOM-based, cross-site scripting vulnerability was found in the
OpenStack dashboard, where user input was not filtered correctly. An
authenticated dashboard user could exploit the flaw by injecting an
AngularJS template into a dashboard form (for example, using an image's
description), triggering the vulnerability when another user browsed the
affected page. As a result, this flaw could result in user accounts being
compromised (for example, user-access credentials being stolen).
(CVE-2016-4428)
Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers
(Virginia Tech) as the original reporters.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template
6. Package List:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6:
Source:
python-django-horizon-2014.1.5-4.el6ost.src.rpm
noarch:
openstack-dashboard-2014.1.5-4.el6ost.noarch.rpm
openstack-dashboard-theme-2014.1.5-4.el6ost.noarch.rpm
python-django-horizon-2014.1.5-4.el6ost.noarch.rpm
python-django-horizon-doc-2014.1.5-4.el6ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4428
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXacZ/XlSAg2UNWIIRArS5AJ0TFUgWJRYAcJjUSVAtyBzChtFUQACdGTEl
5SdH0Rb9qG0mu2wkX4/hvwM=
=RD8P
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: python-django-horizon security update
Advisory ID: RHSA-2016:1269-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1269
Issue date: 2016-06-21
CVE Names: CVE-2016-4428
=====================================================================
1. Summary:
An update for python-django-horizon is now available for Red Hat Enterprise
Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 - noarch
3. Description:
OpenStack Dashboard (Horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.
Security Fix(es):
* A DOM-based, cross-site scripting vulnerability was found in the
OpenStack dashboard, where user input was not filtered correctly. An
authenticated dashboard user could exploit the flaw by injecting an
AngularJS template into a dashboard form (for example, using an image's
description), triggering the vulnerability when another user browsed the
affected page. As a result, this flaw could result in user accounts being
compromised (for example, user-access credentials being stolen).
(CVE-2016-4428)
Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers
(Virginia Tech) as the original reporters.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template
6. Package List:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7:
Source:
python-django-horizon-2014.1.5-4.el7ost.src.rpm
noarch:
openstack-dashboard-2014.1.5-4.el7ost.noarch.rpm
openstack-dashboard-theme-2014.1.5-4.el7ost.noarch.rpm
python-django-horizon-2014.1.5-4.el7ost.noarch.rpm
python-django-horizon-doc-2014.1.5-4.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4428
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXacbYXlSAg2UNWIIRAhoQAKDAvZgxmF1Km60dgi/jnQomPRa3aACgn77U
esbz4X8MqgCfrpmIknFANHw=
=PrAk
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: python-django-horizon security update
Advisory ID: RHSA-2016:1270-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1270
Issue date: 2016-06-21
CVE Names: CVE-2016-4428
=====================================================================
1. Summary:
An update for python-django-horizon is now available for Red Hat OpenStack
Platform 8.0 (Liberty).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenStack Platform 8.0 (Liberty) - noarch
3. Description:
OpenStack Dashboard (Horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.
Security Fix(es):
* A DOM-based, cross-site scripting vulnerability was found in the
OpenStack dashboard, where user input was not filtered correctly. An
authenticated dashboard user could exploit the flaw by injecting an
AngularJS template into a dashboard form (for example, using an image's
description), triggering the vulnerability when another user browsed the
affected page. As a result, this flaw could result in user accounts being
compromised (for example, user-access credentials being stolen).
(CVE-2016-4428)
Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers
(Virginia Tech) as the original reporters.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template
6. Package List:
Red Hat OpenStack Platform 8.0 (Liberty):
Source:
python-django-horizon-8.0.1-4.el7ost.src.rpm
noarch:
openstack-dashboard-8.0.1-4.el7ost.noarch.rpm
openstack-dashboard-theme-8.0.1-4.el7ost.noarch.rpm
python-django-horizon-8.0.1-4.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4428
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXacfbXlSAg2UNWIIRAvyfAJ9c67dUziP8iq3oycZ4mmUHmWBpzACaA5PS
WHr4VDZ09vFVp56Wv6s2id8=
=15DT
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: python-django-horizon security and bug fix update
Advisory ID: RHSA-2016:1271-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1271
Issue date: 2016-06-21
CVE Names: CVE-2016-4428
=====================================================================
1. Summary:
An update for python-django-horizon is now available for Red Hat Enterprise
Linux OpenStack Platform 6.0 (Juno) for RHEL 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 - noarch
3. Description:
OpenStack Dashboard (Horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.
Security Fix(es):
* A DOM-based, cross-site scripting vulnerability was found in the
OpenStack dashboard, where user input was not filtered correctly. An
authenticated dashboard user could exploit the flaw by injecting an
AngularJS template into a dashboard form (for example, using an image's
description), triggering the vulnerability when another user browsed the
affected page. As a result, this flaw could result in user accounts being
compromised (for example, user-access credentials being stolen).
(CVE-2016-4428)
Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers
(Virginia Tech) as the original reporters.
Bug Fix(es):
* Having two security groups with the same name previously resulted in not
being able to launch an instance if it used one of these groups. This bug
has been fixed. (BZ#1293232)
* Previously, under some circumstances, the hypervisor list was not
alphabetized. In this update, the sort attribute has been changed, and
badly sorted lists no longer occur. (BZ#1238092)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1238092 - horizon hypervisor list not ordered alphabetically
1293232 - horizon is using the Security Group name rather than the ID
1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template
6. Package List:
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7:
Source:
python-django-horizon-2014.2.3-9.el7ost.src.rpm
noarch:
openstack-dashboard-2014.2.3-9.el7ost.noarch.rpm
openstack-dashboard-theme-2014.2.3-9.el7ost.noarch.rpm
python-django-horizon-2014.2.3-9.el7ost.noarch.rpm
python-django-horizon-doc-2014.2.3-9.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4428
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXacgSXlSAg2UNWIIRArFEAJ4vEcJDeAkyNjZrznlJ8G5yrbRL3gCfYzQr
WqbP0xDRtxUk/pPSij/OJeg=
=/skb
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: python-django-horizon security, bug fix, and enhancement update
Advisory ID: RHSA-2016:1272-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1272
Issue date: 2016-06-21
CVE Names: CVE-2016-4428
=====================================================================
1. Summary:
An update for python-django-horizon is now available for Red Hat
Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 - noarch
3. Description:
OpenStack Dashboard (Horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.
The following packages have been upgraded to a newer upstream version:
python-django-horizon: 2015.1.4 (BZ#1345822)
Security Fix(es):
* A DOM-based, cross-site scripting vulnerability was found in the
OpenStack dashboard, where user input was not filtered correctly. An
authenticated dashboard user could exploit the flaw by injecting an
AngularJS template into a dashboard form (for example, using an image's
description), triggering the vulnerability when another user browsed
the affected page. As a result, this flaw could result in user accounts
being compromised (for example, user-access credentials being stolen).
(CVE-2016-4428)
Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers
(Virginia Tech) as the original reporters.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1287881 - Heat UI objects are not displayed in the UI
1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template
6. Package List:
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7:
Source:
python-django-horizon-2015.1.4-1.el7ost.src.rpm
noarch:
openstack-dashboard-2015.1.4-1.el7ost.noarch.rpm
openstack-dashboard-theme-2015.1.4-1.el7ost.noarch.rpm
python-django-horizon-2015.1.4-1.el7ost.noarch.rpm
python-django-horizon-doc-2015.1.4-1.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-4428
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXachHXlSAg2UNWIIRAhKZAKC6mM0Ub+H7YzWTjT0zejmI01a5vQCfdZKH
DKaxh+sWpegAqcj0hmNlwjg=
=N4+v
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV2nzkox+lLeg9Ub1AQhnSw/9FeDXZhL68cEDFNh6UHEPMrtLrgJCdvCG
cIbzJ5wtNopwnWcR52RkAtarqHBMZGmHWPitn0mD6Gogazx/wo4dXz+KpapE8JOu
vl2LWBijiGAaHIACrpEGAdQAsgBRvP6KSJjbU0kYZyorh+NjINuCU7d0InBbqiyY
EBfQeUZQxXZhtJJ1qxvFkggAYEc0gDa5y1mMMRQqF1px+fqOfKZ1JWK7U+prHH7+
KMMJL8ARC0D2ZewN8Lw+EL8JGwS4K6lw78+u57IPZZK4XNn1Ehns6gHRIV9LHacV
j7/4/Yv4UOmD8FbjQdsRUDdqe1aX49752OtYZuR29sM/y5rzDekgTAqtrFuKWl/0
Y+EuzFoItyGsw9MDbYxHe9Urh5fINW+hEA/PVi1jh0GrSUD7xzISeT7vNhHKVIN+
o9xvBfu/KSAteDV9FvIUgLVL49PQhMP2/hr1AmUkn5EdC2bBDZucg4CGRdZdgj3w
eJ6Xo+NYP+IKXm4wMG+NA3Yy4ufj3217aQ4EbAEuYYFpFgMxvheSGNII9TpXOLsY
+0/p7qHJ9XxVz93aHnACEsIZXjbvRWffRyELH/Zvj0uFpc6wUvfj2N9K6RDwBM4X
Hzr47QeX3DZ1j3DMWXW99z6eCOZoaaVzOS8Dk+PJVP4k9sUlgpSaaBI70yh7vEij
M3HcpxVW9ZY=
=GO9/
-----END PGP SIGNATURE-----