[openstack-dev] [Horizon][Security] BREACH/CRIME Attack Information

Thierry Carrez thierry at openstack.org
Wed Aug 7 08:30:44 UTC 2013


Gabriel Hurley wrote:
> Many of you have probably heard about the "BREACH" attack/security vulnerability in HTTPS traffic that was disclosed recently, and I'd like to take a moment to provide some info about how that affects Horizon. I'm not following the official vulnerability management process because 1. The vulnerability is already disclosed publicly, 2. Workaround information has already been published by Django and many others, and 3. There's no one-off code fix on our end so awareness is the best possible thing.

Agree that there is nothing to patch in our code at this point and
therefore no base for an OpenStack Security Advisory (OSSA). The
information you provided would still make a great OpenStack Security
Note (OSSN), though. Those are issued by the OpenStack Security Group, I
CC-ed Rob Clark so that he puts it on his radar.

Thanks!

-- 
Thierry Carrez (ttx)


