Date: Thu, 30 Aug 2012 11:35:13 -0400 From: Russell Bryant <rbryant@...hat.com> To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>, oss-security@...ts.openwall.com, openstack-announce@...ts.openstack.org Subject: Re: [Openstack] [OSSA 2012-012] Horizon, Open redirect through 'next' parameter (CVE-2012-3540) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This advisory included the wrong CVE. It was CVE-2012-3540. Sorry about that. On 08/30/2012 11:10 AM, Russell Bryant wrote: > OpenStack Security Advisory: 2012-012 CVE: CVE-2012-3542 This should have been CVE-2012-3540 > Date: August 30, 2012 Title: Open redirect through 'next' > parameter Impact: Medium Reporter: Thomas Biege (SUSE) Products: > Horizon Affects: Essex (2012.1) > > Description: Thomas Biege from SUSE reported a vulnerability in > Horizon authentication mechanism. By adding a malicious 'next' > parameter to a Horizon authentication URL and enticing an > unsuspecting user to follow it, the victim might get redirected > after authentication to a malicious site where useful information > could be extracted. Only setups running Essex are affected. > > Fixes: 2012.1: > https://github.com/openstack/horizon/commit/35eada8a27323c0f83c400177797927aba6bc99b > > References: > http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3542 This should have been: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3540 > https://bugs.launchpad.net/horizon/+bug/1039077 > > Notes: This fix will be included in a future Essex (2012.1) > release. - -- Russell Bryant OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlA/iDEACgkQFg9ft4s9SAbPBQCgndIk58K5ZF71PCxmWfDjV9MO 4yoAoJDGBeqC4TbJnyo+AsEeQYeTQEe6 =zO6p -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ