[arch-security] [ASA-201508-9] python-django, python2-django: denial of service
Remi Gacogne
rgacogne at archlinux.org
Tue Aug 25 16:22:04 UTC 2015
Arch Linux Security Advisory ASA-201508-9
=========================================
Severity: Medium
Date : 2015-08-25
CVE-ID : CVE-2015-5963
Package : python-django
Type : denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The packages python-django and python2-django before version 1.8.4-1 are
vulnerable to remote denial of service.
Resolution
==========
Upgrade to 1.8.4-1.
# pacman -Syu "python-django>=1.8.4-1"
# pacman -Syu "python2-django>=1.8.4-1"
The problem has been fixed upstream in version 1.8.4, 1.7.10 and 1.4.22.
Workaround
==========
None.
Description
===========
Previously, a session could be created when anonymously accessing the
django.contrib.auth.views.logout view (provided it wasn't decorated with
django.contrib.auth.decorators.login_required as done in the admin).
This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store
or causing other users' session records to be evicted.
The django.contrib.sessions.middleware.SessionMiddleware has been
modified to no longer create empty session records.
Impact
======
A remote attacker might be able to fill the session store, causing a
denial of service.
References
==========
https://www.djangoproject.com/weblog/2015/aug/18/security-releases/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5963
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150825/bbb6d9c5/attachment.asc>
More information about the arch-security
mailing list