Security update for openstack-dashboard SUSE Patch security@suse.de SUSE Security Team SUSE-RU-2015:0410-1 Final 1 1 2014-08-28T12:06:29Z current 2014-08-28T12:06:29Z 2014-08-28T12:06:29Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openstack-dashboard This update for openstack-dashboard fixes a cross-site scripting issue on the unordered_list filter. (bnc#891815, CVE-2014-3594) Security Issues: * CVE-2014-3475 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3475> The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleclo40sp3-openstack-dashboard Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement//suse-ru-20150410-1/ Link for SUSE-RU-2015:0410-1 https://lists.suse.com/pipermail/sle-updates/2015-March/002712.html E-Mail link for SUSE-RU-2015:0410-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/891815 SUSE Bug 891815 https://bugzilla.suse.com/891904 SUSE Bug 891904 https://bugzilla.suse.com/897815 SUSE Bug 897815 https://bugzilla.suse.com/908199 SUSE Bug 908199 https://bugzilla.suse.com/910008 SUSE Bug 910008 https://bugzilla.suse.com/913692 SUSE Bug 913692 https://www.suse.com/security/cve/CVE-2014-3475/ SUSE CVE CVE-2014-3475 page https://www.suse.com/security/cve/CVE-2014-8124/ SUSE CVE CVE-2014-8124 page SUSE OpenStack Cloud 4 openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1 python-horizon-2014.1.3.dev4.ge53cc81-0.7.1 openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1 as a component of SUSE OpenStack Cloud 4 python-horizon-2014.1.3.dev4.ge53cc81-0.7.1 as a component of SUSE OpenStack Cloud 4 Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578. CVE-2014-3475 SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1 SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement//suse-ru-20150410-1/ https://www.suse.com/security/cve/CVE-2014-3475.html CVE-2014-3475 https://bugzilla.suse.com/885588 SUSE Bug 885588 https://bugzilla.suse.com/903666 SUSE Bug 903666 OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page. CVE-2014-8124 SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1 SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement//suse-ru-20150410-1/ https://www.suse.com/security/cve/CVE-2014-8124.html CVE-2014-8124 https://bugzilla.suse.com/908199 SUSE Bug 908199