SecurityTracker.com

SecurityTracker
Archives
Category:   Application (Generic)  >   Django
Vendor:   djangoproject.com
(Ubuntu Issues Fix) Django logout() Function Session Management Flaw Lets Remote Users Consume Excessive Session Resources and Deny Service
SecurityTracker Alert ID:  1033320
SecurityTracker URL:  http://securitytracker.com/id/1033320
CVE Reference:   CVE-2015-5963, CVE-2015-5964
Date:  Aug 19 2015
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.4, 1.7, 1.8
Description:   Two vulnerabilities were reported in Django. A remote user can fill the session store on the target system with empty session records.

A remote user can send repeated anonymous requests (requests carrying no session cookie) to the 'django.contrib.auth.views.logout' view. Each request caused a new, empty session record to be written, so an attacker can create an excessive number of session records, potentially filling up the session store or causing existing users' session records to be evicted. Deployments that wrap the logout view in 'django.contrib.auth.decorators.login_required' (as the admin does) are not exposed through that view.

The 'django.contrib.sessions.middleware.SessionMiddleware' component is affected: it saved empty sessions, including when 'SESSION_SAVE_EVERY_REQUEST' is enabled [CVE-2015-5963]. The fix modifies the middleware to no longer create empty session records.

On 1.4.x and 1.7.x based systems, the 'contrib.sessions.backends.base.SessionBase.flush()' and 'cache_db.SessionStore.flush()' methods are also affected: flush() created a fresh empty session record immediately after deleting the old one [CVE-2015-5964]. Maintainers of third-party session backends should check whether their flush() implementation behaves the same way.

Lin Hua Cheng reported these vulnerabilities.
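To make the failure mode concrete, the following is an added illustration written for this entry; it is not Django's code and not part of the advisory. It models an in-memory session store together with a stripped-down SessionBase.flush() and the SessionMiddleware save decision, switchable between the pre-fix and post-fix behaviour, so the "repeated anonymous requests fill the store" condition can be counted directly. The Store class, the token_hex key generation, the login_view stand-in and the simulate_anonymous_requests() driver are all constructed for the example.

```python
"""Model of the Django session fix for CVE-2015-5963 / CVE-2015-5964.

Added illustration, not code from Django or from this advisory. It reduces the
session backend, SessionBase.flush() and SessionMiddleware.process_response()
to the pieces that decide whether an empty session record gets written.
"""
import secrets


class Store:
    """Constructed in-memory session backend: session_key -> session data."""

    def __init__(self):
        self.records = {}


class Session:
    def __init__(self, store, session_key=None, fixed=False):
        self.store = store
        self.fixed = fixed            # True: post-fix flush() and middleware logic
        self._session_key = session_key
        self._data = dict(store.records.get(session_key, {})) if session_key else {}
        self.modified = False

    def __setitem__(self, key, value):
        self._data[key] = value
        self.modified = True

    @property
    def is_empty(self):
        # No key and no data: nothing worth persisting for this request.
        return self._session_key is None and not self._data

    def create(self):
        # Assumption: key generation simplified to a random hex token.
        self._session_key = secrets.token_hex(16)
        self.store.records[self._session_key] = dict(self._data)

    def save(self):
        if self._session_key is None:
            self.create()
        else:
            self.store.records[self._session_key] = dict(self._data)

    def delete(self):
        self.store.records.pop(self._session_key, None)

    def flush(self):
        """Pre-fix: clear, delete, then create() a fresh *empty* record at once.
        Post-fix: clear, delete, and drop the key; no record exists until data
        is written and the middleware decides to save."""
        self._data.clear()
        self.modified = True
        self.delete()
        if self.fixed:
            self._session_key = None
        else:
            self.create()


def logout_view(session):
    """The logout view's effect on the session: it flushes it."""
    session.flush()


def login_view(session):
    """Constructed stand-in for a view that stores real session data."""
    session["user_id"] = 42


def middleware_response(session, save_every_request=False):
    """SessionMiddleware.process_response, reduced to its save decision."""
    should_save = session.modified or save_every_request
    if session.fixed:
        # The fix: never persist an empty session, even with SESSION_SAVE_EVERY_REQUEST.
        should_save = should_save and not session.is_empty
    if should_save:
        session.save()


def simulate_anonymous_requests(n, fixed, view=logout_view, save_every_request=False):
    """Send n requests without a session cookie and return how many records remain."""
    store = Store()
    for _ in range(n):
        session = Session(store, session_key=None, fixed=fixed)  # anonymous: no cookie
        if view is not None:
            view(session)
        middleware_response(session, save_every_request)
    return len(store.records)


if __name__ == "__main__":
    print("pre-fix,  1000 anonymous logout hits :", simulate_anonymous_requests(1000, fixed=False))
    print("post-fix, 1000 anonymous logout hits :", simulate_anonymous_requests(1000, fixed=True))
    print("pre-fix,  SAVE_EVERY_REQUEST, no view:",
          simulate_anonymous_requests(1000, fixed=False, view=None, save_every_request=True))
    print("post-fix, login view stores data     :",
          simulate_anonymous_requests(1000, fixed=True, view=login_view))
```

Against a real deployment the equivalent check is to request the logout URL many times with no session cookie and compare the session record count before and after; a patched install shows no growth, while a session that actually stores data (the login_view case above) is still persisted exactly as before.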

Impact:   A remote user can fill the session store on the target system, preventing new sessions from being created or evicting existing users' sessions.
Solution:   Ubuntu has issued a fix.

The Ubuntu advisory is available at:

http://www.ubuntu.com/usn/usn-2720-1

Vendor URL:  www.ubuntu.com/usn/usn-2720-1
Cause:   Resource error
Underlying OS:  Linux (Ubuntu)
Underlying OS Comments:  12.04 LTS, 14.04 LTS, 15.04

Message History:   This archive entry is a follow-up to the message listed below.
Aug 19 2015 Django logout() Function Session Management Flaw Lets Remote Users Consume Excessive Session Resources and Deny Service



Copyright 2021, SecurityGlobal.net LLC