Debian iTOps Tube

Monday, May 7, 2012

USN-1439-1: Horizon vulnerabilities

Ubuntu Security Notice USN-1439-1


7th May, 2012


horizon vulnerabilities


A security issue affects these releases of Ubuntu and its
derivatives:




  • Ubuntu 12.04 LTS





Summary


Horizon could be made to expose sensitive information over the network.





Software description





  • horizon
    - Web interface for OpenStack cloud infrastructure







Details


Matthias Weckbecker discovered a cross-site scripting (XSS) vulnerability
in Horizon via the log viewer refrash mechanism. If a user were tricked
into viewing a specially crafted log message, a remote attacker could
exploit this to modify the contents or steal confidential data within the
same domain. (CVE-2012-2094)



Thomas Biege discovered a session fixation vulnerability in Horizon. An
attacker could exploit this to potentially allow access to unauthorized
information and capabilities. (CVE-2012-2144)



Update instructions


The problem can be corrected by updating your system to the following
package version:




Ubuntu 12.04 LTS:




python-django-horizon

2012.1-0ubuntu8.1






To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.


In general, a standard system update will make all the necessary changes.





References




CVE-2012-2094,

CVE-2012-2144






No comments:

Post a Comment