Bugzilla – Bug 941587
VUL-0: CVE-2015-5963,CVE-2015-5964: python-django,python-Django: DoS by filling session store via logout()
Last modified: 2016-04-27 19:43:50 UTC
bugbot adjusting priority
public via https://www.djangoproject.com/weblog/2015/aug/18/security-releases/
--------------------------
The Django team is issuing multiple releases -- Django 1.4.22, 1.7.10, and 1.8.4. These releases are now available on PyPI and our download page. These releases address a security issue detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master branch has also been updated.

Denial-of-service possibility in logout() view by filling session store

Previously, a session could be created when anonymously accessing the django.contrib.auth.views.logout view (provided it wasn't decorated with django.contrib.auth.decorators.login_required as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted.

The django.contrib.sessions.middleware.SessionMiddleware has been modified to no longer create empty session records. This portion of the fix has been assigned CVE-2015-5963.

Additionally, on the 1.4 and 1.7 series only, the contrib.sessions.backends.base.SessionBase.flush() and cache_db.SessionStore.flush() methods have been modified to avoid creating a new empty session. Maintainers of third-party session backends should check if the same vulnerability is present in their backend and correct it if so. This portion of the fix has been assigned CVE-2015-5964. Anyone reporting a similar vulnerability in a third-party session backend should not use this CVE ID.

Thanks Lin Hua Cheng for reporting the issue.

Affected supported versions
Django master development branch
Django 1.8
Django 1.7
Django 1.4

Reminder that security support for Django 1.4 ends October 1, 2015. Per our supported versions policy, Django 1.5 and 1.6 are no longer receiving security updates.
--------------------------
On the development master branch: https://github.com/django/django/commit/8cc41ce7a7a8f6bebfdd89d5ab276cd0109f4fc5
On the 1.8 release branch: https://github.com/django/django/commit/2eb86b01d7b59be06076f6179a454d0fd0afaff6
On the 1.7 release branch: https://github.com/django/django/commit/2f5485346ee6f84b4e52068c04e043092daf55f7
On the 1.4 release branch: https://github.com/django/django/commit/575f59f9bc7c59a5e41a081d1f5f55fc859c5012
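Added illustration, not Django's code and not taken from the commits linked above: a stand-alone Python model of the middleware behaviour the advisory describes, using a constructed in-memory session store. The names SessionStore, Session, process_response_vulnerable and process_response_fixed are this example's own; the is_empty() check mirrors the idea of the fix, namely that a session with no key and no data must never be written to the store, so an anonymous logout() cannot add records.

```python
"""Why an anonymous logout() could fill the session store, and the shape of the fix.

Stand-alone model (not Django's code). A session record is created whenever the
response phase saves a session; before the fix, a flushed-but-empty session was
still saved, so every anonymous request to a logout view created a fresh record.
"""
import secrets


class SessionStore:
    """Minimal in-memory session backend, constructed for this example."""

    def __init__(self):
        self.records = {}  # session_key -> dict of session data

    def new_key(self):
        return secrets.token_hex(16)


class Session:
    """Mirrors the accessed/modified flags a session object tracks per request."""

    def __init__(self, store, session_key=None):
        self.store = store
        self.session_key = session_key
        self.data = dict(store.records.get(session_key, {}))
        self.accessed = False
        self.modified = False

    def __setitem__(self, key, value):
        self.accessed = self.modified = True
        self.data[key] = value

    def flush(self):
        # What a logout view does: drop the data and forget the key.
        self.data.clear()
        self.store.records.pop(self.session_key, None)
        self.session_key = None
        self.accessed = self.modified = True

    def is_empty(self):
        # The check the fix relies on: no key and nothing stored.
        return not self.session_key and not self.data

    def save(self):
        if self.session_key is None:
            self.session_key = self.store.new_key()
        self.store.records[self.session_key] = dict(self.data)


def logout_view(session):
    session.flush()


def process_response_vulnerable(session):
    """Before the fix: any modified session is persisted, even an empty one."""
    if session.modified:
        session.save()
        return session.session_key  # cookie value that would be set
    return None


def process_response_fixed(session):
    """After the fix: an empty session is never written; no cookie is issued."""
    if session.is_empty():
        return None
    if session.modified:
        session.save()
        return session.session_key
    return None


def anonymous_logouts(process_response, n_requests):
    """Send n anonymous (cookie-less) requests to the logout view; return record count."""
    store = SessionStore()
    for _ in range(n_requests):
        session = Session(store, session_key=None)  # no session cookie sent
        logout_view(session)
        process_response(session)
    return len(store.records)


def login_roundtrip_works(process_response):
    """Regression check: a session that actually holds data is still saved."""
    store = SessionStore()
    session = Session(store)
    session["user_id"] = 42
    key = process_response(session)
    return key is not None and store.records.get(key) == {"user_id": 42}


if __name__ == "__main__":
    print("vulnerable:", anonymous_logouts(process_response_vulnerable, 50), "records")
    print("fixed:     ", anonymous_logouts(process_response_fixed, 50), "records")
```

The same shape applies when auditing a third-party backend, as the advisory asks: drive a flush() on a session that has no key and confirm nothing is written to the backing store afterwards.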
This is an autogenerated message for OBS integration: This bug (941587) was mentioned in
https://build.opensuse.org/request/show/330029 13.2 / python-Django
https://build.opensuse.org/request/show/330037 13.1 / python-django
This is an autogenerated message for OBS integration: This bug (941587) was mentioned in
https://build.opensuse.org/request/show/330056 13.1 / python-django
openSUSE-SU-2015:1580-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 941587
CVE References: CVE-2015-5963
Sources used:
openSUSE 13.2 (src): python-Django-1.6.11-3.7.1
openSUSE-SU-2015:1598-1: An update that solves 6 vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 913053,913054,913055,913056,914706,923176,941587
CVE References: CVE-2015-0219,CVE-2015-0220,CVE-2015-0221,CVE-2015-0222,CVE-2015-2317,CVE-2015-5963
Sources used:
openSUSE 13.1 (src): python-django-1.5.12-0.2.11.1
Was submitted in mr#73853/mr#73849.
SUSE-SU-2015:1810-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 937522,937523,941587
CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963
Sources used:
SUSE OpenStack Cloud 5 (src): python-Django-1.6.11-10.2
SUSE-SU-2015:1815-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 937522,937523,941587
CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963
Sources used:
SUSE Enterprise Storage 1.0 (src): python-Django-1.6.11-8.1
released
SUSE-SU-2016:0044-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 937522,937523,941587,955412
CVE References: CVE-2015-5143,CVE-2015-5144,CVE-2015-5963,CVE-2015-8213
Sources used:
SUSE Enterprise Storage 2 (src): python-Django-1.6.11-3.1