Bugzilla – Bug 937522
VUL-1: CVE-2015-5143: python-django: Denial-of-service possibility by filling session store
Last modified: 2016-04-27 20:21:57 UTC
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ Denial-of-service possibility by filling session store In previous versions of Django, the session backends created a new empty record in the session storage anytime request.session was accessed and there was a session key provided in the request cookies that didn't already have a session record. This could allow an attacker to easily create many new session records simply by sending repeated requests with unknown session keys, potentially filling up the session store or causing other users' session records to be evicted. The built-in session backends now create a session record only if the session is actually modified; empty session records are not created. Thus this potential DoS is now only possible if the site chooses to expose a session-modifying view to anonymous users. As each built-in session backend was fixed separately (rather than a fix in the core sessions framework), maintainers of third-party session backends should check whether the same vulnerability is present in their backend and correct it if so. Thanks Eric Peterson and Lin Hua Cheng for reporting the issue. This issue has been assigned the identifier CVE-2015-5143. Fixed in 1.4.21, 1.7.9, and 1.8.3 https://github.com/django/django/commit/df049ed77a4db67e45db5679bfc76a85d2a26680 References: https://bugzilla.redhat.com/show_bug.cgi?id=1239010 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5143 http://www.debian.org/security/2015/dsa-3305 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5143
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (937522) was mentioned in https://build.opensuse.org/request/show/338144 13.2 / python-Django
Was submitted in mr#73853/mr#73849.
This is an autogenerated message for OBS integration: This bug (937522) was mentioned in https://build.opensuse.org/request/show/338439 13.1 / python-django
openSUSE-SU-2015:1802-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 937522,937523 CVE References: CVE-2015-5143,CVE-2015-5144 Sources used: openSUSE 13.1 (src): python-django-1.5.12-0.2.14.1
SUSE-SU-2015:1810-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 937522,937523,941587 CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963 Sources used: SUSE OpenStack Cloud 5 (src): python-Django-1.6.11-10.2
openSUSE-SU-2015:1813-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 937522,937523 CVE References: CVE-2015-5143,CVE-2015-5144 Sources used: openSUSE 13.2 (src): python-Django-1.6.11-3.10.1
SUSE-SU-2015:1815-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 937522,937523,941587 CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963 Sources used: SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-8.1
Releasing for SES 2 which is the last affected product. Closing.
SUSE-SU-2016:0044-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 937522,937523,941587,955412 CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963,CVE-2015-8213 Sources used: SUSE Enterprise Storage 2 (src): python-Django-1.6.11-3.1