Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4420.2
python-django-horizon security update
17 December 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: python-django-horizon
Publisher: Red Hat
Operating System: Red Hat
Linux variants
Impact/Access: Provide Misleading Information -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-29565
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:5411
https://access.redhat.com/errata/RHSA-2020:5572
Comment: This bulletin contains two (2) Red Hat security advisories.
This advisory references vulnerabilities in products which run on
platforms other than Red Hat. It is recommended that administrators
running python-django-horizon check for an updated version of the
software for their operating system.
Revision History: December 17 2020: Associated advisory for Red Hat OpenStack Platform 13 (Queens)
December 16 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: python-django-horizon security update
Advisory ID: RHSA-2020:5411-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5411
Issue date: 2020-12-15
CVE Names: CVE-2020-29565
=====================================================================
1. Summary:
An update for python-django-horizon is now available for Red Hat OpenStack
Platform 16.1 (Train).
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenStack Platform 16.1 - noarch
3. Description:
OpenStack Dashboard (horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.
Security Fix(es):
* dashboard allows open redirect (CVE-2020-29565)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1811510 - CVE-2020-29565 python-django-horizon: dashboard allows open redirect
6. Package List:
Red Hat OpenStack Platform 16.1:
Source:
python-django-horizon-16.2.1-1.20201114033610.el8ost.src.rpm
noarch:
openstack-dashboard-16.2.1-1.20201114033610.el8ost.noarch.rpm
python3-django-horizon-16.2.1-1.20201114033610.el8ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-29565
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX9kDxtzjgjWX9erEAQhndQ/9HBCLu5/MwRyd4T4BF9nI6un+PYKn5WvQ
nir31VgFZcHOQ6ys+qeff+kPas/iHkbCXuwYvk1NSoTup41kz941hXnHCTui5eJz
TwChKr6txzT+MecwLpWdP86hdDEnJay++e/V7XJ97ktZPLa/yjFAOZjBbhP6Qp7R
MykjQPAiNjz5xwJAQk/fT7LiEbbzfofQRf9oYu9e2QkD73Qww8+8f+O2Q572D8D/
zyvy/CJImkouKFgXn/KZ3fu+82I/Xb4AIumiwirDFd51cYUBs40aGHc5lX9/XGzC
lP2UnwF38cLZ9YBlXqNMyTrkJ0bqxex1H4DgwIXevD9RGKOKLMY7heTwsD+PznmZ
fIo5xtSsEdiIwuwvd1qBBf10tCHY61NDd1usjOXpCp4dKwbPMvG0hmh4t85Gdhmr
DDmQYitVpJphIMLP8m0icfydKZ6MUPTjOFq2R2Uqc0GynvlNxL+6rEO64EJ650XA
4pJe1GfRHgGTg4ib7T09cL5QPE2DJtYr/u/MGyTWcwbz4JzwyCuPQwQgRlnAQgpo
+gtb9ygdSDfAVYQdXiqPv8V5SPvh+cJDI/19Jr8b/fGDy88eghroq34Gf4ZW1H47
aDFB6o+G1y3nPbiRe5XZ/+xW4rz2PAyTnqO0ozH0Na1jqTkJ2tfP0tyJLw21ieI4
izMmeTGXyWo=
=UhNu
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: python-django-horizon security update
Advisory ID: RHSA-2020:5572-01
Product: Red Hat OpenStack Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5572
Issue date: 2020-12-16
CVE Names: CVE-2020-29565
=====================================================================
1. Summary:
An update for python-django-horizon is now available for Red Hat OpenStack
Platform 13 (Queens).
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenStack Platform 13.0 - noarch
Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server - noarch
3. Description:
OpenStack Dashboard (horizon) provides administrators and users with a
graphical interface to access, provision, and automate cloud-based
resources.
Security Fix(es):
* python-django-horizon: dashboard allows open redirect (CVE-2020-29565)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1811510 - CVE-2020-29565 python-django-horizon: dashboard allows open redirect
6. Package List:
Red Hat OpenStack Platform 13.0 for RHEL 7.6 EUS Server:
Source:
python-django-horizon-13.0.3-7.el7ost.src.rpm
noarch:
openstack-dashboard-13.0.3-7.el7ost.noarch.rpm
python-django-horizon-13.0.3-7.el7ost.noarch.rpm
Red Hat OpenStack Platform 13.0:
Source:
python-django-horizon-13.0.3-7.el7ost.src.rpm
noarch:
openstack-dashboard-13.0.3-7.el7ost.noarch.rpm
python-django-horizon-13.0.3-7.el7ost.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-29565
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX9oTatzjgjWX9erEAQglHBAApbt3xMbLcttUF0ThZH13gg24pDYqxE67
vDZ2j3WJPKUiYjyo87hO/aPSRKlk0UYEWrTpGNlMAcHJ9oxhRf7W2114TwIObOyr
9Grb5FaC0eV04kd6nNtzHJmMe9usOAeeVoyREsiGb7Xv91inU78u7EeM9NSQtEOD
uh4k1L3ugQw4ickuB8aCHsQ8qcX8s2X1MXUHRO6HploqVOUxacshBNggw/xG7GIt
d6Uq3Hv+W1Nrp2/Z2xmUd6ZtFKsnYQKoipKgN3+dsQtnDE2qSTGOCyO8VRRc0pSd
zIPKZwhNCOT8JAiTVl//xNwjnBLstkzCS13PxrZJCVX9N49gaebTG4Ung9vx9bGJ
X8mvCJmp4wfpMSNTKA+9FvmlyyPU+6NglPbFQdLBmhVAPRqygR9E8Gjc4bB4BLvL
X8KfijtLjh9p9nJcBHSut2ESby/AF3hHGTOysmYGusInq9bPh5BKuxO6e1zRSC0M
300eVUB9qwe/YuUotFZXen2GZQMs07mCAPIJcANyTaouHvS3s31/14d7WKFcSptv
FM2DX6fLqdLsYtNjXERN9LVxsTHIaSw3/adC+oft9zoZgWDAqZYW0Gvu+Zbka+Nj
06flefQOuAr751VzI/zQGGApjZs6HTWyHDAKWRr9rPAoUptXPu64JYkh2gTmK0P1
4FeFXyj1/PU=
=XPcj
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX9qam+NLKJtyKPYoAQizNQ//WBqib45m1SBZrZ8iZU121yMTPz4OOJIF
JBSm6+geeo9ugzJZMqv5VXVaVSL9SO4N1NoYOFvwKAYd3qZi2PHkuL+WIfRQFlHv
zeWkCragT3v0xXulrYbyk2eUf0TBM3Eb7ZPAJ9V3NTA/JRZL3ORz06VZn+1zCuNk
fwuH6T0l3awtbHAZeMfauP9FJGQKT4NwG2OA+SyzHUoT5rqFm8uSqP2K6GIq09ki
VjE1hckP+blTtUVpKXXGyCzu7g68XC8MY8WgQ9XkM2IOn4FwQskvqboK+Y2Phqxa
qshnuSnbECzot5h7xWkLzGF6rDPw4EBKzVEvyjSgSzU9DIH4yuHuDdrrTfYArnAC
qbuUnwjpmaB6kJJOv12GvL6du4OtLkjc9Mzo7QWY76fVy9mES7YE6jdDsIIwzSZD
rLQ4SK9ZYJHZH4lfYszz9apVSgUc/oJwwg0SXe+pUwQj8BgP6hu5xVkSo0iCSJGv
2xWDknp1sqLS7fWDAJNw8XHdAgVzLQo9UorOD0GxCH4uRrSk3JDGuKrAPu4AxyMj
paKds4S09XY2df3OzInnHjA2O0QTNxbtfVfHO6//1JWp+2AsEZCveNAIXCppceBn
29PGIdVnK9dfuKBoCWqNDvFeu8V32bzfB8JSigGUktjTX3vKpB1OfSnxUXY23Bhl
/tFAP+ROb5s=
=b8Uf
-----END PGP SIGNATURE-----