(RHSA-2014:1335) Moderate: python-django-horizon security and bug fix update

ID RHSA-2014:1335
Type redhat
Reporter RedHat
Modified 2018-03-19T16:26:42


OpenStack Dashboard (horizon) provides administrators and users a graphical interface to access, provision and automate cloud-based resources. The dashboard allows cloud administrators to get an overall view of the size and state of the cloud and it provides end-users a self-service portal to provision their own resources within the limits set by administrators.

A persistent cross-site scripting (XSS) flaw was found in the horizon host aggregate interface. A user with sufficient privileges to add a host aggregate could potentially use this flaw to capture the credentials of another user. (CVE-2014-3594)

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Dennis Felsch and Mario Heiderich from the Horst Görtz Institute for IT-Security, Ruhr-University Bochum as the original reporters.

This update also fixes the following bugs:

  • Prior to this update, the "Create an Image" page rendering was blocked during a file upload. This could cause the browser to disconnect after a certain period of time, especially when uploading large files. With this update, the upload is handled in a separate thread, and large image uploads started via the web dashboard are less likely to time out and fail. (BZ#1089672)

  • Creating a user using keystoneclient could fail because keystoneclient attempted to create a role for the new user when setting up the user. When a role already existed, this operation failed and a new user was not created. This update fixes this bug, and user creation works as expected. (BZ#1094494)

All python-django-horizon users are advised to upgrade to these updated packages, which correct these issues.