The following issue was reported in Django: Previously, a session could be created when anonymously accessing the ``django.contrib.auth.views.logout`` view (provided it wasn't decorated with ``django.contrib.auth.decorators.login_required`` as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted.
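To make the mechanism in the report concrete, the following is an added model written for this page, not Django's own code: a dict stands in for the session store, `save_session` stands in for the session middleware's response step, and `flush_vulnerable` / `flush_fixed` contrast a flush that always allocates a new key with one that only persists a session once it holds data. The class and function names and the exact shape of the fix are assumptions of this example; the point it demonstrates is the one the report makes, that unauthenticated requests to a logout endpoint must not leave session records behind.

```python
"""Model of the anonymous-logout session creation issue (added illustration,
not Django code).  Names here (SessionStore, Session, save_session,
anonymous_logout_requests, logout_existing_session) are constructed."""
import secrets


class SessionStore:
    """Backend stand-in: session_key -> session data."""
    def __init__(self):
        self.records = {}

    def save(self, key, data):
        self.records[key] = dict(data)

    def delete(self, key):
        self.records.pop(key, None)


class Session:
    """Minimal per-request session: key, data, modified flag."""
    def __init__(self, store, key=None):
        self.store = store
        self.key = key
        self.data = dict(store.records.get(key, {})) if key else {}
        self.modified = False

    def __setitem__(self, k, v):
        self.data[k] = v
        self.modified = True

    def is_empty(self):
        return self.key is None and not self.data

    def flush_vulnerable(self):
        # Modelled old behaviour: flushing always allocates a fresh key, so a
        # request that arrived with no session still produces a record on save.
        self.data = {}
        if self.key:
            self.store.delete(self.key)
        self.key = secrets.token_hex(16)
        self.modified = True

    def flush_fixed(self):
        # Modelled fixed behaviour: drop key and data; a key is allocated
        # later only if something is actually stored in the session.
        self.data = {}
        if self.key:
            self.store.delete(self.key)
        self.key = None
        self.modified = True


def save_session(session, fixed):
    """Middleware stand-in: persist the session at response time if modified.
    The fixed variant refuses to create a record for an empty, keyless session
    (the response would delete the cookie instead); the vulnerable variant
    saves whatever key flush() set."""
    if not session.modified:
        return
    if fixed and session.is_empty():
        return
    if session.key is None:
        session.key = secrets.token_hex(16)
    session.store.save(session.key, session.data)


def anonymous_logout_requests(n, fixed):
    """Simulate n logout requests from a client presenting no session cookie
    and return how many records the store holds afterwards."""
    store = SessionStore()
    for _ in range(n):
        session = Session(store, key=None)  # no cookie -> no existing session
        (session.flush_fixed if fixed else session.flush_vulnerable)()
        save_session(session, fixed)
    return len(store.records)


def logout_existing_session(fixed):
    """A real user's session is stored, then logged out on a later request.
    Returns (records before logout, records after logout)."""
    store = SessionStore()
    s = Session(store)
    s["user_id"] = 42
    save_session(s, fixed)
    before = len(store.records)
    s2 = Session(store, key=s.key)  # the next request presents the cookie
    (s2.flush_fixed if fixed else s2.flush_vulnerable)()
    save_session(s2, fixed)
    return before, len(store.records)


if __name__ == "__main__":
    print("anonymous logouts, vulnerable:", anonymous_logout_requests(50, False))
    print("anonymous logouts, fixed:     ", anonymous_logout_requests(50, True))
    print("real logout, vulnerable:", logout_existing_session(False))
    print("real logout, fixed:     ", logout_existing_session(True))
```

Run as a script, the vulnerable variant leaves one record per anonymous request while the fixed variant leaves none; on a genuine logout the vulnerable variant replaces the user's record with an empty one, whereas the fixed variant removes it outright. A useful operational check against a deployed application is the same measurement: count session-store records before and after a burst of unauthenticated requests to the logout URL, which should not grow.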
Created attachment 1061941 session-store-1.4.x.diff
Created attachment 1061942 session-store-1.7.x.diff
Created attachment 1061943 session-store-1.8.x.diff
Created attachment 1061944 session-store-master.diff
Acknowledgements: Red Hat would like to thank the upstream Django project for reporting this issue.
Public via: https://www.djangoproject.com/weblog/2015/aug/18/security-releases/
Created python-django tracking bugs for this issue: Affects: openstack-rdo [bug 1260506]
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2015:1766 https://rhn.redhat.com/errata/RHSA-2015-1766.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2015:1767 https://rhn.redhat.com/errata/RHSA-2015-1767.html
This issue has been addressed in the following products: OpenStack 7 for RHEL 7 Via RHSA-2015:1876 https://access.redhat.com/errata/RHSA-2015:1876
This issue has been addressed in the following products: OpenStack 6 for RHEL 7 Via RHSA-2015:1894 https://rhn.redhat.com/errata/RHSA-2015-1894.html