From 7bc6576a5a59e37dd4accdf229b072f83f0c0669 Mon Sep 17 00:00:00 2001
From: Tristan Cacqueray
Date: Thu, 15 Jan 2015 20:46:35 +0000
Subject: [PATCH] Adds OSSA-2014-040
Change-Id: I152685dcbac12b3fd39610a7ea7364df1293cfdb
---
ossa/OSSA-2014-040.yaml | 55 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 ossa/OSSA-2014-040.yaml
diff --git a/ossa/OSSA-2014-040.yaml b/ossa/OSSA-2014-040.yaml
new file mode 100644
index 0000000..0a746b3
--- /dev/null
+++ b/ossa/OSSA-2014-040.yaml
@@ -0,0 +1,55 @@
+date: 2014-12-09
+
+id: OSSA-2014-040
+
+title: 'Horizon denial of service attack through login page'
+
+description: 'Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By
+ making repeated requests to the Horizon login page a remote attacker may
+ generate unwanted session records, potentially resulting in a denial of
+ service. Only Horizon setups using a db or memcached session engine are
+ affected.'
+
+affected-products:
+
+ - product: horizon
+ version: up to 2014.1.3 and 2014.2 version up to 2014.2.1
+
+vulnerabilities:
+
+ - cve-id: CVE-2014-8124
+
+reporters:
+
+ - name: 'Eric Peterson'
+ affiliation: Time Warner Cable
+ reported:
+ - CVE-2014-8124
+
+issues:
+
+ links:
+ - https://launchpad.net/bugs/1394370
+
+ type: launchpad
+
+reviews:
+
+ kilo:
+ - https://review.openstack.org/140353
+
+ juno:
+ - https://review.openstack.org/140358
+
+ icehouse:
+ - https://review.openstack.org/140356
+
+ django_openstack_auth:
+ - https://review.openstack.org/140352
+
+ type: gerrit
+
+notes:
+ - 'This fix will be included in future 2014.1.3 and 2014.2.1 releases.'
+ - 'The django_openstack_auth Horizon dependency requires the additional
+ patch above.'
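Review bot: `date: 2014-12-09` on the first added line is an unquoted ISO date, so YAML 1.1 loaders such as PyYAML hand back a `datetime.date` rather than a string like every other scalar in this advisory; if the tooling that renders these OSSA files expects a string, write `date: '2014-12-09'`. The `version:` value under `affected-products` reads awkwardly with "version" repeated mid-phrase; `version: up to 2014.1.3 and 2014.2 up to 2014.2.1` states the same two ranges more plainly. Quoting is also mixed — `title`, `name` and the `notes` entries are single-quoted while `affiliation: Time Warner Cable` and `id` are plain — which is harmless here but makes the file harder to lint consistently. The indentation beneath the `- product:` and `- name:` sequence items is not recoverable from this collapsed view, so whether `version:` and `affiliation:` nest as siblings of those keys cannot be confirmed from here.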