The following issue was reported in Django: In CVE-2015-5963, the ``django.contrib.sessions.middleware.SessionMiddleware`` has been modified to no longer create empty session records. Additionally, on the 1.4 and 1.7 series only, the ``contrib.sessions.backends.base.SessionBase.flush()`` and ``cache_db.SessionStore.flush()`` methods have been modified to avoid creating a new empty session. This modification of the 1.4 and 1.7 series got CVE-2015-5964. Previously, a session could be created when anonymously accessing the ``django.contrib.auth.views.logout`` view (provided it wasn't decorated with ``django.contrib.auth.decorators.login_required`` as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted.
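As an added illustration (not Django's own code and not part of this report), the following Python model reproduces the two behaviours described above in a dict-backed session store: a pre-fix ``flush()`` that writes a fresh empty record on every anonymous logout, and the fixed ``flush()``/middleware logic that persists nothing for an empty, cookie-less session. ``SessionStore``, ``process_response`` and ``anonymous_logout_storm`` are constructed stand-ins for the real Django classes.

```python
"""Constructed model of CVE-2015-5963 / CVE-2015-5964 (not Django code)."""
import secrets


class SessionStore:
    """Minimal stand-in for django.contrib.sessions.backends.base.SessionBase."""

    def __init__(self, backend, session_key=None):
        self.backend = backend                # shared dict = the session table
        self.session_key = session_key        # None when no cookie was sent
        self._data = dict(backend.get(session_key, {}))
        self.modified = False

    def create(self):
        # Like the SQL-backed store: pick a key and write a record at once.
        self.session_key = secrets.token_hex(16)
        self.save()

    def save(self):
        self.backend[self.session_key] = dict(self._data)

    def delete(self):
        self.backend.pop(self.session_key, None)

    def is_empty(self):
        # Same rule as SessionBase.is_empty(): no key and no data.
        return self.session_key is None and not self._data

    def flush(self, fixed):
        self._data.clear()
        self.modified = True
        self.delete()
        if fixed:
            self.session_key = None           # fixed: no replacement record
        else:
            self.create()                     # pre-fix: a new empty row per call


def process_response(session, fixed):
    """SessionMiddleware.process_response reduced to the save decision."""
    if fixed and session.is_empty():
        return                                # fixed: nothing worth persisting
    if session.modified:
        session.save() if session.session_key else session.create()


def anonymous_logout_storm(requests, fixed):
    """Rows left in the table after `requests` cookie-less logout hits."""
    table = {}
    for _ in range(requests):
        session = SessionStore(table)         # anonymous: no session cookie
        session.flush(fixed)                  # what the logout view calls
        process_response(session, fixed)
    return len(table)
```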
Acknowledgements: Red Hat would like to thank the upstream Django project for reporting this issue. Upstream acknowledges Lin Hua Cheng as the original reporter.
Public via: https://www.djangoproject.com/weblog/2015/aug/18/security-releases/
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1254921]
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2015:1766 https://rhn.redhat.com/errata/RHSA-2015-1766.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2015:1767 https://rhn.redhat.com/errata/RHSA-2015-1767.html
This issue has been addressed in the following products: OpenStack 6 for RHEL 7 Via RHSA-2015:1894 https://rhn.redhat.com/errata/RHSA-2015-1894.html