@nkinder - So we could write a security note describing the issue and recommending Django upgrades for Kilo deployments. We don't currently have any advice for Juno deployments.

@all - Is this an accurate description of our current state?

--
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1457551

Title:
  Another Horizon login page vulnerability to a DoS attack

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  New

Bug description:
  This bug is very similar to: https://bugs.launchpad.net/bugs/1394370

  Steps to reproduce:
  1) Setup Horizon to use db as session engine (using this doc: http://docs.openstack.org/admin-guide-cloud/content/dashboard-session-database.html). I've used MySQL.
  2) Run 'for i in {1..100}; do curl -b "sessionid=aaaaa;" http://HORIZON__IP/auth/login/ &> /dev/null; done' from your terminal.

  I've got 100 rows in django_session after this.

  I've used devstack installation just with updated master branch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1457551/+subscriptions
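An operator-side check for the row growth the bug description reports, as an added example that is not part of the bug report or of Horizon's code: it groups django_session rows by the minute of expire_date to surface bursts of session creation. It assumes Django's standard django_session columns and the default SESSION_COOKIE_AGE, and uses an in-memory SQLite table with constructed rows in place of the reporter's MySQL database.

```python
import sqlite3
from datetime import datetime, timedelta

SESSION_AGE = timedelta(seconds=1209600)  # Django's default SESSION_COOKIE_AGE

def build_sample_db():
    """Constructed data: 4 ordinary sessions plus 100 rows written in 20 seconds."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE django_session (session_key VARCHAR(40) PRIMARY KEY,"
        " session_data TEXT NOT NULL, expire_date DATETIME NOT NULL)"
    )
    normal = [datetime(2015, 5, 20, h, 7) for h in (8, 11, 14, 17)]
    start = datetime(2015, 5, 21, 10, 15)
    burst = [start + timedelta(seconds=i * 0.2) for i in range(100)]
    for n, created in enumerate(normal + burst):
        expires = (created + SESSION_AGE).isoformat(sep=" ")
        conn.execute(
            "INSERT INTO django_session VALUES (?, ?, ?)",
            ("key%037d" % n, "constructed", expires),
        )
    return conn

def session_bursts(conn, threshold):
    """Return [(expire_minute, rows)] for minutes holding at least `threshold` rows.

    django_session has no creation column, but the db backend stores
    expire_date = save time + session age, so rows created together
    expire together. substr() suits SQLite text dates; on MySQL use
    DATE_FORMAT(expire_date, '%Y-%m-%d %H:%i') instead.
    """
    return conn.execute(
        "SELECT substr(expire_date, 1, 16) AS minute, COUNT(*) AS n"
        " FROM django_session GROUP BY minute HAVING n >= ?"
        " ORDER BY minute",
        (threshold,),
    ).fetchall()

if __name__ == "__main__":
    for minute, rows in session_bursts(build_sample_db(), threshold=50):
        print("burst: %d sessions expiring at %s" % (rows, minute))
```

The threshold is deployment-specific: a busy dashboard creates many legitimate sessions per minute, so compare against a baseline rather than a fixed number.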