The Django project reports the following issue: "Django provides a middleware -- ``django.contrib.auth.middleware.RemoteUserMiddleware`` -- and an authentication backend, ``django.contrib.auth.backends.RemoteUserBackend``, which use the ``REMOTE_USER`` header for authentication purposes. In some circumstances, use of this middleware and backend could result in one user receiving another user's session, if a change to the ``REMOTE_USER`` header occurred without corresponding logout/login actions. To remedy this, the middleware will now ensure that a change to ``REMOTE_USER`` without an explicit logout will force a logout and subsequent login prior to accepting the new ``REMOTE_USER``." This issue is due to be resolved in the upstream 1.4.14, 1.5.9, 1.6.6, and 1.7 release candidate 3 releases. Acknowledgements: Red Hat would like to thank the upstream Django project for reporting this issue. Upstream acknowledges David Greisen as the original reporter.
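An added illustration of the behaviour that comment describes, not Django's own middleware code: a minimal stand-in for RemoteUserMiddleware that shows the pre-fix session handling beside the fixed one (a mismatched REMOTE_USER forces a logout before the new user is logged in). Request, Session and clean_username are constructed stand-ins for this example.

```python
# Added illustration, not Django's code: a minimal stand-in for the
# RemoteUserMiddleware logic described in the report. Request, Session
# and clean_username are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    user: Optional[str] = None  # username bound to the session cookie

@dataclass
class Request:
    meta: dict = field(default_factory=dict)  # e.g. {"REMOTE_USER": "alice"}
    session: Session = field(default_factory=Session)

def clean_username(raw: str) -> str:
    # Stand-in for RemoteUserBackend.clean_username: drop a realm suffix.
    return raw.split("@", 1)[0]

def process_request_vulnerable(request: Request) -> Optional[str]:
    """Pre-fix behaviour: an existing authenticated session is trusted as-is,
    so a changed REMOTE_USER header keeps riding the previous user's session."""
    if request.session.user is not None:
        return request.session.user  # header never re-checked
    remote = request.meta.get("REMOTE_USER")
    if remote:
        request.session.user = clean_username(remote)  # login
    return request.session.user

def process_request_fixed(request: Request) -> Optional[str]:
    """Post-fix behaviour: if the session user does not match REMOTE_USER,
    log out first, then log the header's user in."""
    remote = request.meta.get("REMOTE_USER")
    if not remote:
        return request.session.user  # header absent: not modelled here
    username = clean_username(remote)
    if request.session.user is not None and request.session.user != username:
        request.session = Session()  # forced logout: fresh, empty session
    if request.session.user is None:
        request.session.user = username  # login as the header's user
    return request.session.user

if __name__ == "__main__":
    shared = Request({"REMOTE_USER": "bob"}, Session(user="alice"))
    print(process_request_vulnerable(shared))  # alice: bob got alice's session
    shared = Request({"REMOTE_USER": "bob"}, Session(user="alice"))
    print(process_request_fixed(shared))  # bob
```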
Created attachment 926641: 1.4 patch
Created attachment 926642: 1.5 patch
Created attachment 926643: 1.6 patch
External References: https://www.djangoproject.com/weblog/2014/aug/20/security/
Created Django14 tracking bugs for this issue:
Affects: epel-6 [bug 1132776]
Created python-django15 tracking bugs for this issue:
Affects: fedora-20 [bug 1132775]
Affects: epel-6 [bug 1132777]
Affects: epel-7 [bug 1132778]
Created python-django14 tracking bugs for this issue:
Affects: fedora-all [bug 1132774]
Created python-django tracking bugs for this issue:
Affects: fedora-all [bug 1132773]
python-django-1.5.9-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
python-django-1.6.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.14-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-django15-1.5.9-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Django14-1.4.14-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.16-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.16-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.