CVE-2015-5963

Advisory

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5963
• https://www.djangoproject.com/weblog/2015/aug/18/security-releases/
• http://www.ubuntu.com/usn/USN-2720-1
• http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
• http://www.securityfocus.com/bid/76428
• http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html
• http://rhn.redhat.com/errata/RHSA-2015-1894.html
• http://rhn.redhat.com/errata/RHSA-2015-1767.html
• http://rhn.redhat.com/errata/RHSA-2015-1766.html
• http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html
• http://lists.opensuse.org/opensuse-updates/2015-09/msg00026.html
• http://www.securitytracker.com/id/1033318
• http://www.debian.org/security/2015/dsa-3338
• https://access.redhat.com/errata/RHSA-2015:1876