Arch Linux Security Advisory ASA-201508-9 ========================================= Severity: Medium Date : 2015-08-25 CVE-ID : CVE-2015-5963 Package : python-django Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The packages python-django and python2-django before version 1.8.4-1 are vulnerable to remote denial of service. Resolution ========== Upgrade to 1.8.4-1. # pacman -Syu "python-django>=1.8.4-1" # pacman -Syu "python2-django>=1.8.4-1" The problem has been fixed upstream in version 1.8.4, 1.7.10 and 1.4.22. Workaround ========== None. Description =========== Previously, a session could be created when anonymously accessing the django.contrib.auth.views.logout view (provided it wasn't decorated with django.contrib.auth.decorators.login_required as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted. The django.contrib.sessions.middleware.SessionMiddleware has been modified to no longer create empty session records. Impact ====== A remote attacker might be able to fill the session store, causing a denial of service. References ========== https://www.djangoproject.com/weblog/2015/aug/18/security-releases/ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5963