diff -r 206d6ffc614a -r 3216fb44a4e7 components/python/django_openstack_auth/patches/CVE-2014-8124.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/django_openstack_auth/patches/CVE-2014-8124.patch Mon Dec 15 07:43:58 2014 -0800
@@ -0,0 +1,29 @@
+django_openstack_auth patch for CVE-2014-8124. This will be fixed in
+a future version of django_openstack_auth
+
+From e676c88a329af57d6c4f13df54f6e1e06c1f8360 Mon Sep 17 00:00:00 2001
+From: eric
+Date: Mon, 8 Dec 2014 16:38:26 -0700
+Subject: [PATCH] Horizon login page contains DOS attack mechanism
+
+the horizon login page (and middleware) accesses the session
+too early in the login process, which will create session records
+in the session backend. This is especially problematic when non-cookie
+backends are used.
+
+Co-Authored-By: Tihomir Trifonov
+Co-Authored-By: Eric Peterson
+
+Change-Id: I9a4999eb5f053515575ef09b8ba9d3bb3f114e5c
+Closes-Bug: 1394370
+
+--- django_openstack_auth-1.1.3/openstack_auth/forms.py.orig
++++ django_openstack_auth-1.1.3/openstack_auth/forms.py
+@@ -96,7 +96,6 @@ class Login(AuthenticationForm):
+ msg = 'Login failed for user "%(username)s".' % \
+ {'username': username}
+ LOG.warning(msg)
+- self.request.session.flush()
+ raise forms.ValidationError(exc)
+ if hasattr(self, 'check_for_test_cookie'): # Dropped in django 1.7
+ self.check_for_test_cookie()
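Review bot: The carried patch touches only openstack_auth/forms.py, yet the embedded upstream message says the session is accessed too early by the login page "(and middleware)"; if upstream commit e676c88a329af57d6c4f13df54f6e1e06c1f8360 also changed the middleware, that part of the CVE-2014-8124 fix is missing here, and if it did not, the preamble should say the single hunk is the complete upstream change. The only code change is dropping `self.request.session.flush()` on a failed login, so a failed attempt no longer discards the session; this looks acceptable because Django's `login()` cycles the session key on success, but that should be confirmed against the Django version shipped with this component rather than assumed. The two-line preamble would be more useful if it named the upstream release expected to carry the fix, e.g. `This is fixed upstream in django_openstack_auth <UPSTREAM_VERSION>; drop this patch when rebasing past it`, so the patch is not carried indefinitely.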