Bug 1252891 (CVE-2015-5964)

Summary: CVE-2015-5964 python-django: Denial-of-service possibility in logout() view by filling session store
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, jrusnack, lhh, lpeer, markmc, mrunge, rbryant, sclewis, security-response-team, slong, tdecacqu, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that certain Django functions would, in certain circumstances, create empty sessions. A remote attacker could use this flaw to fill up the session store or cause other users' session records to be evicted by requesting a large number of new sessions.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-15 23:01:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1254912, 1254913, 1254914, 1254921, 1257809, 1257810
Bug Blocks: 1252892

Description Vasyl Kaigorodov 2015-08-12 13:06:00 UTC
The following issue was reported in Django:

In CVE-2015-5963, the ``django.contrib.sessions.middleware.SessionMiddleware`` has been modified to no longer create empty session records.
Additionally, on the 1.4 and 1.7 series only, the ``contrib.sessions.backends.base.SessionBase.flush()`` and ``cache_db.SessionStore.flush()`` methods have been modified to avoid creating a new empty session.
This modification of the 1.4 and 1.7 series was assigned CVE-2015-5964.

Previously, a session could be created when anonymously accessing the ``django.contrib.auth.views.logout`` view (provided it wasn't decorated with ``django.contrib.auth.decorators.login_required`` as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted.
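
The mechanism described above, as an added illustration that is not part of this bug report and not Django's own code: a constructed, self-contained model of a bounded session store in which the logout view calls ``flush()``. With ``lazy=False`` the model reproduces the pre-fix behaviour (``flush()`` immediately allocates a new empty session that the middleware then saves), so each anonymous request to the logout view adds one empty record and, once the store is full, evicts a real user's session. With ``lazy=True`` it models the fixed behaviour (``flush()`` forgets the key and a record is only written when session data is actually set). The class and function names, the capacity of 3 and the eviction policy are assumptions made for the example; Django's real backends and ``SessionBase`` differ in detail.

```python
"""Constructed model of CVE-2015-5964 style session-store exhaustion.

Not Django code: a minimal stand-in for a session backend and for the
request/response handling around django.contrib.auth.views.logout.
"""
from collections import OrderedDict
import secrets


class BoundedSessionStore:
    """Toy backend with fixed capacity that evicts the oldest record when full.

    Assumed stand-in for a cache-backed store with memcached-like eviction.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = OrderedDict()  # session_key -> session data

    def save(self, key, data):
        if key in self.records:
            self.records.move_to_end(key)
        elif len(self.records) >= self.capacity:
            self.records.popitem(last=False)  # evict the oldest record
        self.records[key] = dict(data)

    def delete(self, key):
        self.records.pop(key, None)

    def exists(self, key):
        return key in self.records


class Session:
    """Per-request session; `lazy` selects pre-fix vs. fixed flush()."""

    def __init__(self, store, session_key=None, lazy=False):
        self.store = store
        self.session_key = session_key
        self.data = {}
        self.modified = False
        self.lazy = lazy

    def flush(self):
        # Both variants drop the existing record (if the request had one).
        if self.session_key:
            self.store.delete(self.session_key)
        self.data = {}
        if self.lazy:
            # Fixed behaviour: no key until data is actually written.
            self.session_key = None
            self.modified = False
        else:
            # Pre-fix behaviour: allocate a fresh empty session right away
            # and mark it modified, so the response phase persists it.
            self.session_key = secrets.token_hex(16)
            self.modified = True

    def __setitem__(self, key, value):
        self.data[key] = value
        self.modified = True

    def save_if_modified(self):
        """Models the response-phase middleware: persist a modified session."""
        if not self.modified:
            return None
        if self.session_key is None:
            self.session_key = secrets.token_hex(16)
        self.store.save(self.session_key, self.data)
        return self.session_key


def logout_view(session):
    """Models an undecorated logout view: flush() even for anonymous callers."""
    session.flush()


def anonymous_logout_requests(store, n, lazy):
    """Send n anonymous requests (no session cookie) to the logout view."""
    created = 0
    for _ in range(n):
        session = Session(store, session_key=None, lazy=lazy)
        logout_view(session)
        if session.save_if_modified() is not None:
            created += 1
    return created


def simulate(lazy, capacity=3, attacker_requests=10):
    """One logged-in victim, then a burst of anonymous logout requests."""
    store = BoundedSessionStore(capacity)
    victim = Session(store, lazy=lazy)
    victim["_auth_user_id"] = "42"  # constructed sample session data
    victim_key = victim.save_if_modified()
    created = anonymous_logout_requests(store, attacker_requests, lazy)
    return {
        "empty_sessions_created": created,
        "victim_still_logged_in": store.exists(victim_key),
        "records_in_store": len(store.records),
    }


if __name__ == "__main__":
    print("pre-fix:", simulate(lazy=False))
    print("fixed:  ", simulate(lazy=True))
```

The same check applies to a real deployment: hit the logout URL anonymously a handful of times and look at the session table or cache for new empty records; a patched install (1.4.22, 1.7.10 or 1.8.4 and later) writes none.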

Comment 1 Vasyl Kaigorodov 2015-08-12 13:11:29 UTC
Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue. Upstream acknowledges Lin Hua Cheng as the original reporter.

Comment 2 Adam Mariš 2015-08-19 08:46:49 UTC
Public via:
https://www.djangoproject.com/weblog/2015/aug/18/security-releases/

Comment 3 Adam Mariš 2015-08-19 08:54:07 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1254921]

Comment 7 errata-xmlrpc 2015-09-10 11:44:29 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:1766 https://rhn.redhat.com/errata/RHSA-2015-1766.html

Comment 8 errata-xmlrpc 2015-09-10 12:06:06 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:1767 https://rhn.redhat.com/errata/RHSA-2015-1767.html

Comment 9 errata-xmlrpc 2015-10-15 12:35:01 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:1894 https://rhn.redhat.com/errata/RHSA-2015-1894.html