Just to follow up, Sven Anders (the reporter) reached out to the OpenStack vulnerability coordinators today via E-mail to inquire on the status of this report.
Horizon core security reviewers: please take a look at the details above and, at a minimum, leave a comment letting us know the following...
1. Can you confirm the reported bug is a defect in maintained stable branches of Horizon, not merely a misunderstanding or misconfiguration?
2. If #1 is yes, can you give your opinion on whether the severity of the defect is sufficient to warrant developing and testing a fix for it in private before making the details public?
3. If #1 and #2 are yes, can you indicate whether potential fixes are likely to be backportable to supported stable branches (not violating stable backport policies, e.g. due to requiring additional configuration or changing config defaults)?
Thanks in advance for your prompt attention!