(RHSA-2014:0939) Moderate: python-django-horizon security, bug fix, and enhancement update

OpenStack Dashboard (Horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.

A cross-site scripting (XSS) flaw was found in the way orchestration
templates were handled. An owner of such a template could use this flaw to
perform XSS attacks against other Horizon users. (CVE-2014-3473)

It was found that network names were not sanitized. A malicious user could
use this flaw to perform XSS attacks against other Horizon users by
creating a network with a specially crafted name. (CVE-2014-3474)

It was found that certain email addresses were not sanitized. An
administrator could use this flaw to perform XSS attacks against other
Horizon users by storing an email address that has a specially crafted
name. (CVE-2014-3475)

Red Hat would like to thank the OpenStack project for reporting these
issues. Upstream acknowledges Jason Hullinger from Hewlett Packard as the
original reporter of CVE-2014-3473, Craig Lorentzen from Cisco as the
original reporter of CVE-2014-3474, and Michael Xin from Rackspace as the
original reporter of CVE-2014-3475.

This update also fixes the following bugs:

• The python-django-horizon package has been updated to upstream version
  2014.1.1. This includes several important bug fixes, including an issue
  that prevented access to Swift pseudo-folders through the Dashboard, and
  an issue that prevented instances from being launched when using the French
  locale (or other locales that use apostrophes). (BZ#1117901)

Lastly, this update also adds the following enhancement:

• A new “Update” option has been added for OpenStack Networking VPNaaS
  support for Dashboard. This makes it easier to use Virtual Private Network
  as a Service (VPNaaS). (BZ#1042030)

All python-django-horizon users are advised to upgrade to these updated
packages, which correct these issues and add this enhancement.