The following flaw was found in Django: In previous versions of Django, the session backends created a new empty record in the session storage anytime ``request.session`` was accessed and there was a session key provided in the request cookies that didn't already have a session record. This could allow an attacker to easily create many new session records simply by sending repeated requests with unknown session keys, potentially filling up the session store or causing other users' session records to be evicted. The built-in session backends now create a session record only if the session is actually modified; empty session records are not created. Thus this potential DoS is now only possible if the site chooses to expose a session-modifying view to anonymous users. As each built-in session backend was fixed separately (rather than a fix in the core sessions framework), maintainers of third-party session backends should check whether the same vulnerability is present in their backend and correct it if so. Acknowledgements: Red Hat would like to thank the upstream Django project for reporting this issue.
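The description above is easiest to follow as code. The block below is an added illustration, not Django's code and not part of this bug report: a small in-memory model in which `create_on_miss=True` stands for the old backend behaviour (an unknown cookie key causes an empty record to be written as soon as `request.session` is touched) and `create_on_miss=False` for the fixed behaviour (a record is written only when a modified session is saved). The class, function and view names (`SessionStore`, `Session`, `handle_request`, `simulate_flood`, the sample views) are invented for the example; the flood loop sends requests with random, never-issued session keys, which is exactly the attacker input the description mentions.

```python
# Added illustration for this bug: NOT Django code. All names below are
# invented for the example; the store is a dict standing in for the DB
# table / cache / file directory a real backend would write to.
import secrets
from typing import Callable, Dict, Optional, Tuple


class SessionStore:
    """Shared storage across requests.

    create_on_miss=True  : old behaviour (unknown key -> empty record written on access)
    create_on_miss=False : fixed behaviour (record written only by save() of a modified session)
    """

    def __init__(self, create_on_miss: bool) -> None:
        self.create_on_miss = create_on_miss
        self.records: Dict[str, dict] = {}

    def new_key(self) -> str:
        while True:  # real backends also guard against a (vanishingly rare) collision
            key = secrets.token_hex(16)
            if key not in self.records:
                return key


class Session:
    """Per-request session object; the record is loaded lazily on first access."""

    def __init__(self, store: SessionStore, session_key: Optional[str]) -> None:
        self.store = store
        self.session_key = session_key      # value taken from the request cookie
        self.modified = False
        self._cache: Optional[dict] = None

    def _load(self) -> dict:
        rec = self.store.records.get(self.session_key)
        if rec is not None:
            return dict(rec)
        # The cookie carried a key for which no record exists.
        if self.store.create_on_miss:
            # Old behaviour: allocate a fresh key and persist an empty record
            # right now, although nothing has been stored in the session.
            self.session_key = self.store.new_key()
            self.store.records[self.session_key] = {}
        else:
            # Fixed behaviour: forget the bogus key and write nothing; save()
            # allocates a key later, and only if the session was modified.
            self.session_key = None
        return {}

    @property
    def _data(self) -> dict:
        if self._cache is None:
            self._cache = self._load()
        return self._cache

    def get(self, key: str, default=None):
        return self._data.get(key, default)

    def __setitem__(self, key: str, value) -> None:
        self._data[key] = value
        self.modified = True

    def save(self) -> None:
        if self.session_key is None:
            self.session_key = self.store.new_key()
        self.store.records[self.session_key] = dict(self._data)


View = Callable[[Session], object]


def handle_request(store: SessionStore, cookie_key: Optional[str],
                   view: View) -> Tuple[Optional[str], object]:
    """Middleware-style wrapper: run the view, save only if the session was modified.
    Returns (key that would be set in the response cookie, view result)."""
    session = Session(store, cookie_key)
    result = view(session)
    if session.modified:
        session.save()
    return session.session_key, result


# Sample views, constructed for the example.
def no_session_view(session: Session):
    return "static page"                    # never touches the session

def read_only_view(session: Session):
    return session.get("user_id")           # reads the session, never writes it

def login_view(session: Session):
    session["user_id"] = 42                 # modifies the session: a record is needed
    return "logged in"


def simulate_flood(store: SessionStore, requests: int, view: View) -> int:
    """Attacker sends `requests` requests, each carrying a fresh, never-issued
    session key in the cookie. Returns the number of records left in the store."""
    for _ in range(requests):
        handle_request(store, secrets.token_hex(16), view)
    return len(store.records)


if __name__ == "__main__":
    print("old backend, read-only view  :", simulate_flood(SessionStore(True), 1000, read_only_view))
    print("fixed backend, read-only view:", simulate_flood(SessionStore(False), 1000, read_only_view))
    print("fixed backend, modifying view:", simulate_flood(SessionStore(False), 1000, login_view))
```

The third line of output is the caveat from the description in numbers: on a fixed backend the flood still fills the store if the view it hits modifies the session and is reachable anonymously, so rate limiting or avoiding session writes on anonymous endpoints remains the site's responsibility. Maintainers of third-party backends can use the same check: a request with an unknown key through a read-only view must leave the record count unchanged.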
Created attachment 1049122: session-1.4.x.diff
Created attachment 1049123: session-1.7.x.diff
Created attachment 1049124: session-1.8.x.diff
Created attachment 1049125: session-master.diff
This is now public: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
Created Django14 tracking bugs for this issue:
Affects: epel-6 [bug 1242717]
Created python-django tracking bugs for this issue:
Affects: openstack-rdo [bug 1242714]
Affects: fedora-all [bug 1242715]
Affects: epel-7 [bug 1242716]
python-django-1.8.3-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
python-django-1.6.11-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
OpenStack 6 for RHEL 7
Via RHSA-2015:1678 https://rhn.redhat.com/errata/RHSA-2015-1678.html
This issue has been addressed in the following products:
OpenStack 5 for RHEL 6
OpenStack 5 for RHEL 7
Via RHSA-2015:1686 https://rhn.redhat.com/errata/RHSA-2015-1686.html