Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.4420.2 python-django-horizon security update 17 December 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: python-django-horizon Publisher: Red Hat Operating System: Red Hat Linux variants Impact/Access: Provide Misleading Information -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2020-29565 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:5411 https://access.redhat.com/errata/RHSA-2020:5572 Comment: This bulletin contains two (2) Red Hat security advisories. This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running python-django-horizon check for an updated version of the software for their operating system. Revision History: December 17 2020: Associated advisory for Red Hat OpenStack Platform 13 (Queens) December 16 2020: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: python-django-horizon security update Advisory ID: RHSA-2020:5411-01 Product: Red Hat OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:5411 Issue date: 2020-12-15 CVE Names: CVE-2020-29565 ===================================================================== 1. Summary: An update for python-django-horizon is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 16.1 - noarch 3. Description: OpenStack Dashboard (horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources. Security Fix(es): * dashboard allows open redirect (CVE-2020-29565) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1811510 - CVE-2020-29565 python-django-horizon: dashboard allows open redirect 6. Package List: Red Hat OpenStack Platform 16.1: Source: python-django-horizon-16.2.1-1.20201114033610.el8ost.src.rpm noarch: openstack-dashboard-16.2.1-1.20201114033610.el8ost.noarch.rpm python3-django-horizon-16.2.1-1.20201114033610.el8ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-29565 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX9kDxtzjgjWX9erEAQhndQ/9HBCLu5/MwRyd4T4BF9nI6un+PYKn5WvQ nir31VgFZcHOQ6ys+qeff+kPas/iHkbCXuwYvk1NSoTup41kz941hXnHCTui5eJz TwChKr6txzT+MecwLpWdP86hdDEnJay++e/V7XJ97ktZPLa/yjFAOZjBbhP6Qp7R MykjQPAiNjz5xwJAQk/fT7LiEbbzfofQRf9oYu9e2QkD73Qww8+8f+O2Q572D8D/ zyvy/CJImkouKFgXn/KZ3fu+82I/Xb4AIumiwirDFd51cYUBs40aGHc5lX9/XGzC lP2UnwF38cLZ9YBlXqNMyTrkJ0bqxex1H4DgwIXevD9RGKOKLMY7heTwsD+PznmZ fIo5xtSsEdiIwuwvd1qBBf10tCHY61NDd1usjOXpCp4dKwbPMvG0hmh4t85Gdhmr DDmQYitVpJphIMLP8m0icfydKZ6MUPTjOFq2R2Uqc0GynvlNxL+6rEO64EJ650XA 4pJe1GfRHgGTg4ib7T09cL5QPE2DJtYr/u/MGyTWcwbz4JzwyCuPQwQgRlnAQgpo +gtb9ygdSDfAVYQdXiqPv8V5SPvh+cJDI/19Jr8b/fGDy88eghroq34Gf4ZW1H47 aDFB6o+G1y3nPbiRe5XZ/+xW4rz2PAyTnqO0ozH0Na1jqTkJ2tfP0tyJLw21ieI4 izMmeTGXyWo= =UhNu - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: python-django-horizon security update Advisory ID: RHSA-2020:5572-01 Product: Red Hat OpenStack Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:5572 Issue date: 2020-12-16 CVE Names: CVE-2020-29565 ===================================================================== 1. Summary: An update for python-django-horizon is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenStack Platform 13.0 - noarch Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - noarch 3. Description: OpenStack Dashboard (horizon) provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources. Security Fix(es): * python-django-horizon: dashboard allows open redirect (CVE-2020-29565) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1811510 - CVE-2020-29565 python-django-horizon: dashboard allows open redirect 6. Package List: Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server: Source: python-django-horizon-13.0.3-7.el7ost.src.rpm noarch: openstack-dashboard-13.0.3-7.el7ost.noarch.rpm python-django-horizon-13.0.3-7.el7ost.noarch.rpm Red Hat OpenStack Platform 13.0: Source: python-django-horizon-13.0.3-7.el7ost.src.rpm noarch: openstack-dashboard-13.0.3-7.el7ost.noarch.rpm python-django-horizon-13.0.3-7.el7ost.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-29565 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX9oTatzjgjWX9erEAQglHBAApbt3xMbLcttUF0ThZH13gg24pDYqxE67 vDZ2j3WJPKUiYjyo87hO/aPSRKlk0UYEWrTpGNlMAcHJ9oxhRf7W2114TwIObOyr 9Grb5FaC0eV04kd6nNtzHJmMe9usOAeeVoyREsiGb7Xv91inU78u7EeM9NSQtEOD uh4k1L3ugQw4ickuB8aCHsQ8qcX8s2X1MXUHRO6HploqVOUxacshBNggw/xG7GIt d6Uq3Hv+W1Nrp2/Z2xmUd6ZtFKsnYQKoipKgN3+dsQtnDE2qSTGOCyO8VRRc0pSd zIPKZwhNCOT8JAiTVl//xNwjnBLstkzCS13PxrZJCVX9N49gaebTG4Ung9vx9bGJ X8mvCJmp4wfpMSNTKA+9FvmlyyPU+6NglPbFQdLBmhVAPRqygR9E8Gjc4bB4BLvL X8KfijtLjh9p9nJcBHSut2ESby/AF3hHGTOysmYGusInq9bPh5BKuxO6e1zRSC0M 300eVUB9qwe/YuUotFZXen2GZQMs07mCAPIJcANyTaouHvS3s31/14d7WKFcSptv FM2DX6fLqdLsYtNjXERN9LVxsTHIaSw3/adC+oft9zoZgWDAqZYW0Gvu+Zbka+Nj 06flefQOuAr751VzI/zQGGApjZs6HTWyHDAKWRr9rPAoUptXPu64JYkh2gTmK0P1 4FeFXyj1/PU= =XPcj - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX9qam+NLKJtyKPYoAQizNQ//WBqib45m1SBZrZ8iZU121yMTPz4OOJIF JBSm6+geeo9ugzJZMqv5VXVaVSL9SO4N1NoYOFvwKAYd3qZi2PHkuL+WIfRQFlHv zeWkCragT3v0xXulrYbyk2eUf0TBM3Eb7ZPAJ9V3NTA/JRZL3ORz06VZn+1zCuNk fwuH6T0l3awtbHAZeMfauP9FJGQKT4NwG2OA+SyzHUoT5rqFm8uSqP2K6GIq09ki VjE1hckP+blTtUVpKXXGyCzu7g68XC8MY8WgQ9XkM2IOn4FwQskvqboK+Y2Phqxa qshnuSnbECzot5h7xWkLzGF6rDPw4EBKzVEvyjSgSzU9DIH4yuHuDdrrTfYArnAC qbuUnwjpmaB6kJJOv12GvL6du4OtLkjc9Mzo7QWY76fVy9mES7YE6jdDsIIwzSZD rLQ4SK9ZYJHZH4lfYszz9apVSgUc/oJwwg0SXe+pUwQj8BgP6hu5xVkSo0iCSJGv 2xWDknp1sqLS7fWDAJNw8XHdAgVzLQo9UorOD0GxCH4uRrSk3JDGuKrAPu4AxyMj paKds4S09XY2df3OzInnHjA2O0QTNxbtfVfHO6//1JWp+2AsEZCveNAIXCppceBn 29PGIdVnK9dfuKBoCWqNDvFeu8V32bzfB8JSigGUktjTX3vKpB1OfSnxUXY23Bhl /tFAP+ROb5s= =b8Uf -----END PGP SIGNATURE-----