CVE-2020-29565

    OpenStack是美國國家航空航天局（National Aeronautics and Space Administration）和美國Rackspace公司合作研發的一個云平臺管理項目。

    OpenStack Horizon 15.3.2,16之前版本存在安全漏洞，該漏洞源于next參數缺乏驗證，這將允許某人在Horizon中提供惡意URL，從而導致自動重定向到所提供的惡意URL。以下產品及版本受到影響： 15.3.2之前版本, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x版本。

2.影響的操作系統

    銀河麒麟桌面操作系統V4 SP1

    銀河麒麟桌面操作系統V4 SP2

    銀河麒麟桌面操作系統V4 SP3

    銀河麒麟桌面操作系統V4 SP4

    銀河麒麟服務器操作系統V4 SP1

    銀河麒麟服務器操作系統V4 SP2

    銀河麒麟服務器操作系統V4 SP3

    銀河麒麟服務器操作系統V4 SP4

    銀河麒麟桌面操作系統V10

    銀河麒麟桌面操作系統V10 SP1

3.修復版本

    軟件包：horizon

    2:9.1.2-0kord5.2（V4、V10）

    3:18.3.2-0kylin0.20.04.4(V10 SP1)

4.受影響的軟件包

    ·銀河麒麟操作系統V10桌面版、V4

    openstack-dashboard

    openstack-dashboard-ubuntu-theme

    python-django-horizon

    ·銀河麒麟桌面操作系統V10 SP1

    openstack-dashboard

    openstack-dashboard-common

    openstack-dashboard-ubuntu-theme

    python3-django-horizon

    python3-django-openstack-auth

5.修復方法

方法一：配置源進行升級安裝

    打開軟件包源配置文件，根據倉庫地址進行修改。

    4.0.2桌面版本:

    http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2-desktop main restricted universe multiverse

    4.0.2-sp1桌面版本:

    http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp1-desktop main restricted universe multiverse

    4.0.2-sp2桌面版本:

    http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp2-desktop main restricted universe multiverse

    4.0.2-sp3桌面版本:

    http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp3-desktop main restricted universe multiverse

    4.0.2-sp4桌面版本:

    http://archive.kylinos.cn/kylin/KYLIN-ALL 4.0.2sp4-desktop main restricted universe multiverse

    10.0版本:

    http://archive.kylinos.cn/kylin/KYLIN-ALL 10.0 main restricted universe multiverse

    10SP1版本:

    http://archive.kylinos.cn/kylin/KYLIN-ALL 10.1 main restricted universe multiverse

    配置完成后執行更新命令進行升級

    $sudo apt update

方法二：下載安裝包進行升級安裝

    通過軟件包地址下載軟件包，使用軟件包升級命令根據受影響的組件包列表 升級相關的組件包。

    $dpkg -i Packagelists

6.軟件包下載地址

銀河麒麟操作系統V10桌面版、V4

X86_64軟件包下載地址

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard-ubuntu-theme_9.1.2-0kord5.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard_9.1.2-0kord5.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/python-django-horizon_9.1.2-0kord5.2_all.deb

arm64軟件包下載地址

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard-ubuntu-theme_9.1.2-0kord5.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard_9.1.2-0kord5.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/python-django-horizon_9.1.2-0kord5.2_all.deb

mips64el軟件包下載地址

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard-ubuntu-theme_9.1.2-0kord5.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard_9.1.2-0kord5.2_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/python-django-horizon_9.1.2-0kord5.2_all.deb

銀河麒麟操作系統桌面版V10 SP1

X86_64軟件包下載地址

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard-common_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard-ubuntu-theme_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/python3-django-horizon_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/python3-django-openstack-auth_18.3.2-0kylin0.20.04.4_all.deb

arm64軟件包下載地址

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard-common_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard-ubuntu-theme_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/python3-django-horizon_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/python3-django-openstack-auth_18.3.2-0kylin0.20.04.4_all.deb

mips64el軟件包下載地址

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard-common_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard-ubuntu-theme_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/openstack-dashboard_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/python3-django-horizon_18.3.2-0kylin0.20.04.4_all.deb

http://archive.kylinos.cn/kylin/KYLIN-ALL/pool/main/h/horizon/python3-django-openstack-auth_18.3.2-0kylin0.20.04.4_all.deb