Created attachment 578085
proposed fix

This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date.

Title: XSS vulnerability in Horizon log viewer
Impact: High
Reporter: J. Daniel Schmidt <jdsn>
Products: Horizon
Affects: All versions

Description:
J. Daniel Schmidt reported a vulnerability in Horizon. He noted that the log viewer refreshing mechanism does not escape the data fetched from guest consoles. This means that HTML with JavaScript code gets interpreted as such, resulting in the ability to inject code into a dashboard session.

Proposed public disclosure date/time: Tuesday, April 17th, 1500UTC

Please do not make the issue public (or release public patches) before this coordinated embargo date.
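The advisory above describes the classic shape of this bug: text fetched from a guest console is concatenated into markup and handed to the page as HTML, so any tags the guest emits are parsed rather than displayed. The following is an added illustration written for this report, not Horizon's own code or its fix; the function names (`escapeHtml`, `renderLogUnsafe`, `renderLogSafe`, `containsRawMarkup`, `refreshLogElement`) and the sample console lines are constructed for the example.

```javascript
// Added example (not Horizon's code): why the log-viewer refresh must escape
// guest console output before it reaches the page as HTML.

// Constructed sample of what a guest console might return. A guest controls
// its own console output, so the dashboard must treat every line as
// untrusted text.
const SAMPLE_CONSOLE_LINES = [
  "[    0.000000] Linux version 3.3.0 (constructed sample line)",
  "login: <script>x</script>",                     // markup inside console text
  "status: a < b && c > d \"quoted\" 'single'"
];

// Minimal HTML escaper covering the five characters that can change how the
// browser parses a text node or an attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The pattern the advisory describes: console text concatenated straight into
// the markup a refresh handler would assign to innerHTML. Kept only for
// contrast; the result still contains a live <script> element.
function renderLogUnsafe(lines) {
  return "<pre>" + lines.join("\n") + "</pre>";
}

// Hardened version: every line is escaped, so guest-supplied markup is shown
// as literal text instead of being parsed.
function renderLogSafe(lines) {
  return "<pre>" + lines.map(escapeHtml).join("\n") + "</pre>";
}

// Reviewer/test-suite check on rendered output: nothing that looks like a tag
// may survive inside the single <pre> wrapper the renderer itself emits.
function containsRawMarkup(html) {
  const inner = html.replace(/^<pre>/, "").replace(/<\/pre>$/, "");
  return /<[a-zA-Z\/!]/.test(inner);
}

// Equivalent DOM-side rule for a refresh handler: assign fetched text through
// textContent (the browser never parses it as HTML), never through innerHTML.
// `preElement` is any object with a textContent property, so it can be a real
// <pre> element or a stand-in object in a unit test.
function refreshLogElement(preElement, lines) {
  preElement.textContent = lines.join("\n");
  return preElement.textContent;
}
```

In a browser the same check applies to the refresh callback itself: if the handler writes the fetched body into `innerHTML`, escaping must happen first; writing through `textContent` needs no escaping because the text is never parsed.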
Yes, F17 only. This can now be made public.
Also fixed in F17: https://bugzilla.redhat.com/show_bug.cgi?id=813453