Bug 932265 - (CVE-2015-3982) VUL-0: CVE-2015-3982: python-django: incorrect session flushing in the cached_db backend
(CVE-2015-3982)
VUL-0: CVE-2015-3982: python-django: incorrect session flushing in the cached...
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Normal
: ---
Assigned To: Cloud Bugs
Security Team bot
https://smash.suse.de/issue/117010/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-05-26 08:03 UTC by Alexander Bergmann
Modified: 2015-05-26 08:29 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2015-05-26 08:03:53 UTC
rh#1221526
------------------------------------------------
The following flaw was found in Django 1.8:

A change to session.flush() in the cached_db session backend in Django 1.8 mistakenly sets the session key to an empty string rather than None. An empty string is treated as a valid session key and the session cookie is set accordingly. Any users with an empty string in their session cookie will use the same session store. session.flush() is called by django.contrib.auth.logout() and, more seriously, by django.contrib.auth.login() when a user switches accounts. If a user is logged in and logs in again to a different account (without logging out) the session is flushed to avoid reuse. After the session is flushed (and its session key becomes '') the account details are set on the session and the session is saved. Any users with an empty string in their session cookie will now be logged into that account.

Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.
------------------------------------------------

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1221526
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3982
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3982.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3982
Comment 1 Dirk Mueller 2015-05-26 08:29:40 UTC
We don't ship Django 1.8.0/1.