[Openstack] [OSSA 2012-006] Horizon session fixation and reuse

Russell Bryant rbryant at redhat.com
Sat May 5 00:31:41 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenStack Security Advisory: 2012-006
CVE: CVE-2012-2144
Date: Friday, May 4, 2012
Title: Horizon session fixation and reuse
Impact: Critical
Reporter: Thomas Biege, SUSE
Products: Horizon
Affects: All versions

Description:
Thomas Biege from SUSE reported a vulnerability in OpenStack Dashboard
(Horizon). Under specific circumstances it is possible to reuse
session cookies from another user, potentially allowing access to
unauthorized information and capabilities.
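The advisory does not spell out the mechanism beyond "reuse session cookies from another user", so the following is an added illustration of the general session fixation / reuse pattern, not code from Horizon or Django and not a reproduction of the reported bug. It uses a constructed in-memory session store with hypothetical helper names (`SessionStore`, `login_vulnerable`, `login_hardened`, `fixation_scenario`) and contrasts a login that keeps the pre-authentication session id with one that discards unknown ids and rotates known ones:

```python
"""Session fixation / reuse with a minimal in-memory session store.

Added illustration, not Horizon or Django code: a vulnerable login that keeps
the pre-authentication session id versus a hardened one that rotates it.
"""
import secrets


class SessionStore:
    """Toy server-side session store: session id -> attributes dict."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, sid):
        """Move the session's data under a fresh id and invalidate the old one."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def login_vulnerable(store, presented_sid, user):
    """Authenticates whatever session id the client presented, in place.

    Anyone who knew that id before login (because they chose it, or the
    application handed it out pre-auth and it leaked) can keep using it.
    """
    if store.get(presented_sid) is None:
        store._sessions[presented_sid] = {}   # even adopts an unknown id
    store.get(presented_sid)["user"] = user
    return presented_sid


def login_hardened(store, presented_sid, user):
    """Never trusts the pre-auth id: unknown ids are discarded, known ones rotated."""
    sid = presented_sid if store.get(presented_sid) is not None else store.create()
    sid = store.rotate(sid)                   # the old cookie value is now worthless
    store.get(sid)["user"] = user
    return sid


def whoami(store, sid):
    session = store.get(sid)
    return session.get("user") if session else None


def fixation_scenario(login):
    """Constructed scenario: attacker learns a session id before the victim
    authenticates with it, then presents that id after the victim logged in."""
    store = SessionStore()
    known_sid = store.create()                # attacker obtains a valid pre-auth id
    # How known_sid reaches the victim's browser is outside this example;
    # the victim simply logs in while presenting that id.
    victim_sid = login(store, known_sid, "victim")
    return {
        "attacker_sees": whoami(store, known_sid),   # reuse of the known id
        "victim_sees": whoami(store, victim_sid),
        "id_rotated": victim_sid != known_sid,
    }


if __name__ == "__main__":
    print("vulnerable:", fixation_scenario(login_vulnerable))
    print("hardened: ", fixation_scenario(login_hardened))
```

The check a reviewer wants is the one `login_hardened` makes: after any change of authentication state, the session id the client held beforehand must stop resolving to the now-privileged session. In Django, which Horizon is built on, the session object exposes the equivalent primitives as `request.session.cycle_key()` (keep the data, issue a new key) and `request.session.flush()` (drop everything); the specific change Horizon made is in the commits linked under Fixes, not described on this page.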

Fixes:
Folsom:
https://github.com/openstack/horizon/commit/041b1c44c7d6cf5429505067c32f8f35166a8bab
2012.1:
https://github.com/openstack/horizon/commit/abc532fa90eac1cc970423339347e318aa8d1b1a

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2144
https://bugs.launchpad.net/horizon/+bug/978896

Notes:
This fix will be included in the folsom-1 development milestone and in
a future 2012.1 (essex) release.

- -- 
Russell Bryant
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+kdO0ACgkQFg9ft4s9SAYLsgCgptN3zZrEpOCPsbbSfPiPz7J5
BegAoK2D0D1YHP08xt3iSdGQ7OKXuyLT
=CYxN
-----END PGP SIGNATURE-----