SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Django Vendors:   djangoproject.com
Django logout() Function Session Management Flaw Lets Remote Users Consume Excessive Session Resources and Deny Service
SecurityTracker Alert ID:  1033318
SecurityTracker URL:  http://securitytracker.com/id/1033318
CVE Reference:   CVE-2015-5963, CVE-2015-5964   (Links to External Site)
Date:  Aug 19 2015
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.4, 1.7, 1.8
Description:   Two vulnerabilities were reported in Django. A remote user can consume excessive sessions on the target system.

A remote user can access the 'django.contrib.auth.views.logout' view to create an excessive number of new session records, potentially filling up the session store or causing existing session records to be evicted.

The 'django.contrib.sessions.middleware.SessionMiddleware' component is affected [CVE-2015-5963].

On 1.4.x and 1.7.x based systems, the 'contrib.sessions.backends.base.SessionBase.flush()' and 'cache_db.SessionStore.flush()' methods are affected [CVE-2015-5964].
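A simplified model of the flaw, added here as an illustration and not Django's own code: a toy session store stands in for the database or cache backend, and the two flush() variants show why an anonymous request to the logout view could write a fresh session record each time before the fix, and writes nothing after it. The class and store names are assumptions for the example.

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory stand-in for a Django session backend (DB or cache).
# One dict entry corresponds to one persisted session record.
store: Dict[str, dict] = {}


class SessionBase:
    """Minimal session object modelled loosely on django.contrib.sessions (illustration only)."""

    def __init__(self, session_key: Optional[str] = None):
        self._session_key = session_key
        self._data: dict = store.get(session_key, {}) if session_key else {}

    def create(self) -> None:
        # Persist a new, empty record under a fresh random key right away.
        self._session_key = secrets.token_hex(16)
        store[self._session_key] = dict(self._data)

    def delete(self) -> None:
        if self._session_key:
            store.pop(self._session_key, None)

    def flush_vulnerable(self) -> None:
        # Pre-fix behaviour: every flush() ends by creating a brand-new record,
        # even when the caller arrived with no session at all.
        self._data = {}
        self.delete()
        self.create()

    def flush_fixed(self) -> None:
        # Post-fix behaviour (1.4.22 / 1.7.10 / 1.8.4): forget the key and create
        # nothing; a record is only written later if session data is actually set.
        self._data = {}
        self.delete()
        self._session_key = None


def simulate_anonymous_logouts(n: int, fixed: bool) -> int:
    """Return the number of store records left after n anonymous hits on logout."""
    store.clear()
    for _ in range(n):
        session = SessionBase()  # request carries no session cookie
        if fixed:
            session.flush_fixed()
        else:
            session.flush_vulnerable()
    return len(store)
```

With the vulnerable variant the store grows by one record per request, which is the resource-exhaustion path described above; with the fixed variant it stays empty.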

Lin Hua Cheng reported these vulnerabilities.

Impact:   A remote user can consume excessive session resources on the target system, preventing new sessions or denying service to existing sessions.
Solution:   The vendor has issued a fix (1.4.22, 1.7.10, 1.8.4).

The vendor's advisory is available at:

https://www.djangoproject.com/weblog/2015/aug/18/security-releases/

Vendor URL:  www.djangoproject.com/weblog/2015/aug/18/security-releases/ (Links to External Site)
Cause:   Resource error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 19 2015 (Ubuntu Issues Fix) Django logout() Function Session Management Flaw Lets Remote Users Consume Excessive Session Resources and Deny Service
Ubuntu has issued a fix for Ubuntu 12.04 LTS, 14.04 LTS, and 15.04.
Sep 11 2015 (Red Hat Issues Fix) Django logout() Function Session Management Flaw Lets Remote Users Consume Excessive Session Resources and Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Oct 8 2015 (Red Hat Issues Fix) Django logout() Function Session Management Flaw Lets Remote Users Consume Excessive Session Resources and Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Copyright 2021, SecurityGlobal.net LLC