[PKG-Openstack-devel] Bug#786741: horizon: CVE-2015-3988: Persistent XSS in Horizon metadata dashboard

Salvatore Bonaccorso carnil at debian.org
Tue May 26 07:23:02 UTC 2015


Hi Thomas,

On Tue, May 26, 2015 at 09:16:11AM +0200, Thomas Goirand wrote:
> On 05/25/2015 07:36 AM, Salvatore Bonaccorso wrote:
> >Source: horizon
> >Version: 2015.1.0-1
> >Severity: important
> >Tags: security upstream
> >
> >Hi,
> >
> >the following vulnerability was published for horizon.
> >
> >CVE-2015-3988[0]:
> >| Multiple cross-site scripting (XSS) vulnerabilities in OpenStack
> >| Dashboard (Horizon) 2015.1.0 allow remote authenticated users to
> >| inject arbitrary web script or HTML via the metadata to a (1) Glance
> >| image, (2) Nova flavor or (3) Host Aggregate.
> >
> >If you fix the vulnerability please also make sure to include the
> >CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> >For further information see:
> >
> >[0] https://security-tracker.debian.org/tracker/CVE-2015-3988
> >
> >Please adjust the affected versions in the BTS as needed.
> >
> >Regards,
> >Salvatore
> 
> Hi,
> 
> FYI, I uploaded 2015.1.0-2 to both Sid and Jessie backports.

Thanks, already updated the tracker information.

> I don't believe Jessie is affected (doing a grep within Jessie's code of
> Horizon didn't give any result). So once Horizon migrates to Stretch, the
> issue can be marked as closed everywhere.

Yes, looks right. And from the available information from the advisory
as well, only 2014.2.x and 2015.1.0 were affected.

Thanks for your work on this update.

Regards,
Salvatore
