Package: horizon / 2014.1.3-7+deb8u2

Metadata

Package: horizon
Version: 2014.1.3-7+deb8u2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001_fix dashboard django wsgi.patch

openstack_dashboard/wsgi/django.wsgi | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 adds /usr/share/openstack-dashboard in the search path for the django.wsgi
0002_fix dashboard manage.patch

manage.py | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 adds /usr/share/openstack-dashboard in the search path for manage.py
0003_fixed horizon MANIFEST.in.patch

MANIFEST.in | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fixes manifest.in
0004_fix python m coverage.patch

run_tests.sh | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 use "python -m coverage" instead of just "coverage"
 In Debian, there's no "coverage" command, so we need to apply this.
0008_Handle_TypeError_from_table_column_summation_code.patch

horizon/tables/base.py | 14 8 + 6 - 0 !
horizon/test/tests/tables.py | 9 9 + 0 - 0 !
2 files changed, 17 insertions(+), 6 deletions(-)

 [PATCH] Handle TypeError from table column summation code

This commit catches TypeError from horizon.tables.Column
summation calculation. This TypeError is caught inside Django
until Django 1.6, but Django 1.7 code is refined to catch
more specific case and it leads to horizon unit test failure.

Bug: #1355939

0009_Fix TypeError SecurityGroup object is not iterable t.patch

openstack_dashboard/dashboards/project/instances/tests.py | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 TypeError: 'SecurityGroup' object is not iterable test failure with Django 1.7
 The two tests modified here were incorrectly defining instance.security_groups
 as a single value instead of a list.
 .
 Apparently Django 1.7 is no longer happy trying to iterate something that is
 not an iterable.
 .
 The other test_instance_details_*() were already doing the correct thing so
 just copy over the logic.
disable failed django 1.7 test.patch

openstack_dashboard/dashboards/admin/projects/tests.py | 36 0 + 36 - 0 !
1 file changed, 36 deletions(-)

 disable test_update_project_when_default_role_does_not_exist()
 This last test is the last remaining one that fails with Django 1.7. It
 doesn't seem like it is a relevant failure, and that running Django 1.7 only
 reveals the issue instead of creating it.
Update_WSGI_app_creation_to_be_compatible_with_Django_1.7.patch

openstack_dashboard/wsgi/django.wsgi | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 Update WSGI app creation to be compatible with Django 1.7
 This resolves the following error when trying to run Horizon:
 .
 AppRegistryNotReady: The translation infrastructure cannot be initialized
 before the apps registry is ready. Check that you don't make non-lazy gettext
 calls at import time.
 .
 and is backwards-compatible with our currently supported versions (back to
 1.4).
CVE 2014 8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch

horizon/middleware.py | 19 11 + 8 - 0 !
openstack_dashboard/views.py | 2 0 + 2 - 0 !
2 files changed, 11 insertions(+), 10 deletions(-)

 Horizon login page contains DoS attack mechanism
 The horizon login page (really the middleware) accesses the session too early
 in the login process, which will create session records in the session
 backend. This is especially problematic when non-cookie backends are used.
fix moscow tz test.patch

openstack_dashboard/dashboards/settings/user/tests.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix moscow tz check
 Apparently, Moscow timezone changed from UTC+4 to UTC+3, so the test fails.
 This patch removes the +04 check, and stops testing before that, so that the
 check will work whatever Moscow timezone is.
CVE 2015 3219_XSS_in_Horizon_Heat_stack_creation.patch

openstack_dashboard/dashboards/project/stacks/forms.py | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 escape the description param from heat template
 The heat template allows the user to define custom parameters,
 the fields are then converted to input fields. The description
 param maps to the help_text attribute of the field.
 .
 Since the value comes from the user, the value must be escaped
 before rendering.
CVE 2016 4428_Escape_angularjs_templating_in_unsafe_HTML.patc

horizon/utils/escape.py | 31 31 + 0 - 0 !
openstack_dashboard/settings.py | 4 4 + 0 - 0 !
openstack_dashboard/test/settings.py | 5 5 + 0 - 0 !
3 files changed, 40 insertions(+)

 CVE-2016-4428: Escape angularjs templating in unsafe HTML
 This code extends the unsafe (typically user-supplied) HTML escape
 built into Django to also escape angularjs templating markers. Safe
 HTML will be unaffected.
Bug-Ubuntu: https://launchpad.net/bugs/1567673
Bug-Debian: https://bugs.debian.org/828967