[PKG-Openstack-devel] Bug#788306: Bug#788306: Bug#788306: horizon: CVE-2015-3219: XSS in Horizon Heat stack creation

Thomas Goirand zigo at debian.org
Wed Jun 10 15:00:27 UTC 2015


On 06/10/2015 12:23 PM, László Böszörményi (GCS) wrote:
> On Wed, Jun 10, 2015 at 10:42 AM, Salvatore Bonaccorso
> <carnil at debian.org> wrote:
>> On Wed, Jun 10, 2015 at 09:10:56AM +0200, László Böszörményi (GCS) wrote:
>>>  Just checked. The Wheezy version doesn't contain the vulnerable code
>>> segment, but the Jessie version does. Mark the bug accordingly.
>>> In case you accept it, I attach a debdiff for Jessie.
>>
>> Thanks for the quick follow-ups. Am I right, though, that jessie is not
>> affected due to
>> https://bugs.launchpad.net/horizon/+bug/1453074/comments/13
>>
>> The field help_text is always escaped already.
>>
>> Is that right?
>  I think the correct answer would be 'it depends'. If you check the
> presentation layer where that text is used as-is, then yes, it's escaped
> there already. On the other hand, that text may be used in the code in
> addition to other variables that may not be escaped for the
> presentation tier. Then the user may have customized his/her
> installation to use the mentioned text without escaping. Last but
> not least, some plugin or other software may also use that text without
> filtering. If I think about these cases, then OpenStack may be vulnerable in
> other places that can be harder (but not impossible) to take advantage
> of via this CVE.
> In short, the comment you mention emphasizes this: "Juno - ASSUME that
> help text is always safe:" (i.e., not 100% sure). That can be the reason
> upstream has an update for Juno which was merged[1]:
> Branch  stable/juno
> Status  Merged
> 
> I say it's better to be safer and possibly escape that string twice
> than to have the risk of a vulnerability remaining in some use cases. But of
> course, you are in the position to choose whether a DSA is issued or not.

Hi again,

FYI, I uploaded to Sid:
horizon_2015.1.0+2015.06.09.git15.e63af6c598-1

To Jessie backports:
horizon_2015.1.0+2015.06.09.git15.e63af6c598-1~bpo8+1

and as for Jessie, as per Laszlo's patch, it's:
horizon_2014.1.3-7+deb8u1

So the Sid and Jessie backports include the last 15 commits since
the stable release (which are non-security bugfixes). I'll do it like this
from now on, as it's way easier for me to do so, and because
upstream is currently questioning doing point releases altogether.

I don't really mind the DSA, but I would prefer the patch to reach
Jessie through the (faster) security updates.

Cheers,

Thomas Goirand (zigo)
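As an added illustration of the argument quoted above (escape help_text at its source even though the template already escapes it, since not every consumer is the template), here is a small Python model. This is example code, not from the bug report, the debdiff, or Horizon itself: the presentation layer is simulated with `html.escape` rather than Django templates, and the sample description string is constructed.

```python
import html

# Constructed sample input (not from the bug report): a Heat template parameter
# description that ends up as the help_text of a generated form field.
DESCRIPTION = 'Flavor to use <script>alert(1)</script>'


def help_text_assumed_safe(description: str) -> str:
    """Models the 'ASSUME that help text is always safe' path: no escaping at source."""
    return description


def help_text_escaped_at_source(description: str) -> str:
    """Models the fix: escape once where the value is produced, before any consumer sees it."""
    return html.escape(description, quote=True)


def render(help_text: str, autoescape: bool) -> str:
    """Simulated presentation layer (a stand-in for a Django template, not Horizon's).
    With autoescape the sink escapes on output; without it (a plugin concatenating
    the string into raw HTML, or a customised template) it does not."""
    body = html.escape(help_text, quote=True) if autoescape else help_text
    return '<span class="help-block">' + body + '</span>'


def script_reaches_browser(rendered: str) -> bool:
    """True if a live <script> element survives into the rendered HTML."""
    return '<script' in rendered


def outcomes(description: str) -> dict:
    """Cross every source-side choice with every sink-side choice.
    Keys are (source, sink); values say whether the markup is injected."""
    sources = {
        'assumed_safe': help_text_assumed_safe,
        'escaped_at_source': help_text_escaped_at_source,
    }
    sinks = {'autoescape': True, 'raw': False}
    return {
        (s_name, k_name): script_reaches_browser(render(s_fn(description), auto))
        for s_name, s_fn in sources.items()
        for k_name, auto in sinks.items()
    }


if __name__ == '__main__':
    for (source, sink), injected in outcomes(DESCRIPTION).items():
        print(f'{source:18} -> {sink:10} injected={injected}')
    # Escaping twice only makes the help text display literally as '&lt;script&gt;',
    # which is ugly but harmless; escaping zero times on both sides is the XSS.
    print(render(help_text_escaped_at_source(DESCRIPTION), autoescape=True))
```

Only the (assumed_safe, raw) combination lets the script through, which is exactly the "some plugin or customized installation" case in the discussion; escaping at the source closes it regardless of what the sink does.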
