-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: python-django-horizon security, bug fix, and enhancement update
Advisory ID:       RHSA-2016:1272-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1272
Issue date:        2016-06-21
CVE Names:         CVE-2016-4428 
====================================================================
1. Summary:

An update for python-django-horizon is now available for Red Hat
Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 - noarch

3. Description:

OpenStack Dashboard (Horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.

The following packages have been upgraded to a newer upstream version:
python-django-horizon: 2015.1.4 (BZ#1345822)

Security Fix(es):

* A DOM-based, cross-site scripting vulnerability was found in the
OpenStack dashboard, where user input was not filtered correctly. An
authenticated dashboard user could exploit the flaw by injecting an
AngularJS template into a dashboard form (for example, using an image's
description), triggering the vulnerability when another user browsed
the affected page. As a result, this flaw could result in user accounts
being compromised (for example, user-access credentials being stolen).
(CVE-2016-4428)

Red Hat would like to thank the OpenStack project for reporting this issue.
Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers(Virginia Tech) as the original reporters.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1287881 - Heat UI objects are not displayed in the UI
1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template

6. Package List:

Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7:

Source:
python-django-horizon-2015.1.4-1.el7ost.src.rpm

noarch:
openstack-dashboard-2015.1.4-1.el7ost.noarch.rpm
openstack-dashboard-theme-2015.1.4-1.el7ost.noarch.rpm
python-django-horizon-2015.1.4-1.el7ost.noarch.rpm
python-django-horizon-doc-2015.1.4-1.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-4428
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXachHXlSAg2UNWIIRAhKZAKC6mM0Ub+H7YzWTjT0zejmI01a5vQCfdZKH
DKaxh+sWpegAqcj0hmNlwjg=N4+v
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list

RedHat: RHSA-2016-1272:01 Important: python-django-horizon security, bug fix,

An update for python-django-horizon is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Summary

OpenStack Dashboard (Horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources.
The following packages have been upgraded to a newer upstream version: python-django-horizon: 2015.1.4 (BZ#1345822)
Security Fix(es):
* A DOM-based, cross-site scripting vulnerability was found in the OpenStack dashboard, where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, using an image's description), triggering the vulnerability when another user browsed the affected page. As a result, this flaw could result in user accounts being compromised (for example, user-access credentials being stolen). (CVE-2016-4428)
Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Beth Lancaster (Virginia Tech) and Brandon Sawyers(Virginia Tech) as the original reporters.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2016-4428 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7:
Source: python-django-horizon-2015.1.4-1.el7ost.src.rpm
noarch: openstack-dashboard-2015.1.4-1.el7ost.noarch.rpm openstack-dashboard-theme-2015.1.4-1.el7ost.noarch.rpm python-django-horizon-2015.1.4-1.el7ost.noarch.rpm python-django-horizon-doc-2015.1.4-1.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2016:1272-01
Product: Red Hat Enterprise Linux OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1272
Issued Date: : 2016-06-21
CVE Names: CVE-2016-4428

Topic

An update for python-django-horizon is now available for Red HatEnterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.Red Hat Product Security has rated this update as having a securityimpact of Important. A Common Vulnerability Scoring System (CVSS) basescore, which gives a detailed severity rating, is available for eachvulnerability from the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 - noarch


Bugs Fixed

1287881 - Heat UI objects are not displayed in the UI

1343982 - CVE-2016-4428 python-django-horizon: XSS in client side template


Related News

11.Locks IsometricPattern Esm H320
2 - 3 min read
The Kinsing hacker group, or H2Miner, has been orchestrating illicit cryptocurrency mining campaigns since 2019 and poses a persistent security
32.Lock Code Circular Esm H320
2 - 3 min read
The Kimsuky APT group, reportedly linked to North Korea's Reconnaissance General Bureau (RGB), has been identified deploying a Linux version of its
4.Lock AbstractDigital Esm H320
2 - 3 min read
Recent research sheds light on the security vulnerabilities prevalent in Linux vendor kernels due to flawed engineering processes that backport
28.Lock Globe Esm H320
1 - 2 min read
The intersection of Linux and quantum computing has become increasingly apparent, emphasizing the importance of Linux-based operating systems in
6.EmailConnection Touch Esm H320
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
30.Lock Globe Motherboard Esm H320
1 - 2 min read
As cybersecurity practitioners, we are no strangers to the constant threat of malicious actors and the importance of remaining vigilant to protect
22.Lock ScreenEffect Esm H320
1 - 2 min read
EndeavorOS Gemini is a captivating and charming desktop operating system based on Arch Linux. The new release includes a kernel upgrade, 3D graphics
25.@Sign Hook Keyboard Esm H320
1 min read
Cyber risk is increasing for individuals and organizations, making flexible and robust solutions for identifying spam and malware increasingly

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved