--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/horizon/patches/14-CVE-2014-8124.patch	Fri Dec 19 14:29:54 2014 -0800
@@ -0,0 +1,55 @@
+Upstream patch to fix CVE-2014-8124.  This will be fixed in future
+2014.1.3 and 2014.2.1 releases.
+
+From 61d09f6f96a22cd6c0ade58f6486cdbd118c5e2a Mon Sep 17 00:00:00 2001
+From: lin-hua-cheng <[email protected]>
+Date: Mon, 1 Dec 2014 18:16:15 -0800
+Subject: [PATCH] Horizon login page contains DOS attack mechanism
+
+the horizon login page (really the middleware) accesses the session
+too early in the login process, which will create session records
+in the session backend.  This is especially problematic when non-cookie
+backends are used.
+
+Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
+Closes-Bug: 1394370
+
+--- horizon-2013.2.3/horizon/middleware.py.orig	2014-12-10 12:59:24.714541383 -0700
++++ horizon-2013.2.3/horizon/middleware.py	2014-12-10 13:00:30.362642269 -0700
+@@ -49,6 +49,17 @@ class HorizonMiddleware(object):
+ 
+     def process_request(self, request):
+         """ Adds data necessary for Horizon to function to the request. """
++
++        request.horizon = {'dashboard': None,
++                           'panel': None,
++                           'async_messages': []}
++        if not hasattr(request, "user") or not request.user.is_authenticated():
++            # proceed no further if the current request is already known
++            # not to be authenticated
++            # it is CRITICAL to perform this check as early as possible
++            # to avoid creating too many sessions
++            return None
++
+         # Activate timezone handling
+         tz = request.session.get('django_timezone')
+         if tz:
+@@ -62,9 +73,6 @@ class HorizonMiddleware(object):
+ 
+         last_activity = request.session.get('last_activity', None)
+         timestamp = int(time.time())
+-        request.horizon = {'dashboard': None,
+-                           'panel': None,
+-                           'async_messages': []}
+         if (isinstance(last_activity, int)
+                 and (timestamp - last_activity) > timeout):
+             request.session.pop('last_activity')
+--- horizon-2013.2.3/openstack_dashboard/views.py.orig	2014-12-10 13:01:22.648498614 -0700
++++ horizon-2013.2.3/openstack_dashboard/views.py	2014-12-10 13:01:29.987667852 -0700
+@@ -33,6 +33,4 @@ def splash(request):
+     if request.user.is_authenticated():
+         return shortcuts.redirect(get_user_home(request.user))
+     form = views.Login(request)
+-    request.session.clear()
+-    request.session.set_test_cookie()
+     return shortcuts.render(request, 'splash.html', {'form': form})