(RHSA-2014:1335) Moderate: python-django-horizon security and bug fix update

OpenStack Dashboard (horizon) provides administrators and users a graphical
interface to access, provision and automate cloud-based resources.
The dashboard allows cloud administrators to get an overall view of the
size and state of the cloud and it provides end-users a self-service portal
to provision their own resources within the limits set by administrators.

A persistent cross-site scripting (XSS) flaw was found in the horizon host
aggregate interface. A user with sufficient privileges to add a host
aggregate could potentially use this flaw to capture the credentials of
another user. (CVE-2014-3594)

Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Dennis Felsch and Mario Heiderich from the Horst
Görtz Institute for IT-Security, Ruhr-University Bochum as the original
reporters.

This update also fixes the following bugs:

• Prior to this update, the “Create an Image” page rendering was blocked
  during a file upload. This could cause the browser to disconnect after a
  certain period of time, especially when uploading large files. With this
  update, the upload is handled in a separate thread, and large image uploads
  started via the web dashboard are less likely to time out and fail.
  (BZ#1089672)

• Creating a user using keystoneclient could fail because keystoneclient
  attempted to create a role for the new user when setting up the user.
  When a role already existed, this operation failed and a new user was not
  created. This update fixes this bug, and user creation works as expected.
  (BZ#1094494)

All python-django-horizon users are advised to upgrade to these updated
packages, which correct these issues.