yahoo-eng-team team mailing list archive
Message #35158
[Bug 1457551] Re: Another Horizon login page vulnerability to a DoS attack
We normally don't increase upper bounds on requirements in stable
branches. Does horizon 2014.2.x actually work with Django 1.8? If not,
is it possible to modify it to work without significant risk of
introducing new regressions and behavior changes? This is primarily a
concern for people continuously deploying stable/juno from source. Any
distributions which packaged 2014.2 will almost certainly have security
fixes backported to the release of Django they're shipping rather than
upgrading to a later Django release.
Anyway, these are conversations which can be had in public now that we
won't be disclosing the Django vulnerability by opening this bug report.
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
** Tags added: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1457551
Title:
Another Horizon login page vulnerability to a DoS attack
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
This bug is very similar to: https://bugs.launchpad.net/bugs/1394370
Steps to reproduce:
1) Set up Horizon to use the db as session engine (using this doc: http://docs.openstack.org/admin-guide-cloud/content/dashboard-session-database.html). I've used MySQL.
2) Run 'for i in {1..100}; do curl -b "sessionid=aaaaa;" http://HORIZON__IP/auth/login/ &> /dev/null; done' from your terminal.
I've got 100 rows in django_session after this.
I've used a devstack installation, just with an updated master branch.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1457551/+subscriptions
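The reproduction above boils down to one question: does the server write a django_session row for a request whose sessionid cookie names a session it never issued? The following toy model is an added illustration of that mechanism, not Horizon or Django code; every class and function name in it is invented for the example, and an in-memory dict stands in for the django_session table. It contrasts a store that creates a row as soon as an unknown key is loaded (the behaviour the 100-request loop exposes) with one that only writes when the view actually stores something and the session is non-empty, and it also shows the residual case that remains an application concern: an anonymous view that writes to the session still produces a row per request even on the hardened store.

```python
"""Toy model of a database-backed session store, added to illustrate the
row-per-request behaviour reported in this bug. Not Horizon or Django code:
all names are invented, and the dict stands in for the django_session table.
"""
import secrets


class SessionTable:
    """Stand-in for the django_session table: session_key -> session data."""

    def __init__(self):
        self.rows = {}

    def new_key(self):
        # Keys are always server-issued; a client-supplied value is never reused.
        return secrets.token_hex(16)

    def row_count(self):
        # Equivalent of counting rows in django_session after the test loop.
        return len(self.rows)


class Session:
    """One request's view of the session, loaded from the client's cookie."""

    def __init__(self, table, cookie_key, create_on_unknown_key):
        self.table = table
        self.modified = False
        if cookie_key in table.rows:
            self.key = cookie_key
            self.data = dict(table.rows[cookie_key])
        elif create_on_unknown_key:
            # Weak behaviour: an unknown key yields a fresh, empty row on load,
            # before the view has touched the session at all.
            self.key = table.new_key()
            self.data = {}
            table.rows[self.key] = {}
        else:
            # Hardened behaviour: forget the unknown key; a row is written only
            # if the view stores something later in the request.
            self.key = None
            self.data = {}

    def __setitem__(self, name, value):
        self.data[name] = value
        self.modified = True

    def persist(self):
        """End-of-request hook, like a response middleware: save only if needed."""
        if not self.modified or not self.data:
            return self.key
        if self.key is None:
            self.key = self.table.new_key()
        self.table.rows[self.key] = dict(self.data)
        return self.key


def handle_login_page(table, cookie_key, create_on_unknown_key, view_writes_session):
    """Simulate one GET of the login page carrying the given sessionid cookie."""
    session = Session(table, cookie_key, create_on_unknown_key)
    if view_writes_session:
        session["login_form_seen"] = True  # any anonymous write counts
    return session.persist()


def rows_after(n_requests, create_on_unknown_key, view_writes_session, cookie_key="aaaaa"):
    """Rows left in the table after n requests that all carry the same bogus cookie."""
    table = SessionTable()
    for _ in range(n_requests):
        handle_login_page(table, cookie_key, create_on_unknown_key, view_writes_session)
    return table.row_count()


if __name__ == "__main__":
    # Mirrors the loop in the bug report: 100 requests with sessionid=aaaaa.
    print("weak store, login view does not touch the session:",
          rows_after(100, create_on_unknown_key=True, view_writes_session=False))
    print("hardened store, login view does not touch the session:",
          rows_after(100, create_on_unknown_key=False, view_writes_session=False))
    print("hardened store, login view writes to the session anyway:",
          rows_after(100, create_on_unknown_key=False, view_writes_session=True))
```

The first run reproduces the 100 rows from the report, the second leaves the table empty, and the third shows why the store-side fix alone is not enough for Horizon: the login page must avoid writing to the session for unauthenticated requests, otherwise the same loop fills the table with server-issued keys. On a real deployment, the check that matters is the same one the reporter used: watch the row count in django_session while the login page is hit with unknown cookies.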