Bug 1252890 (CVE-2015-5963) - CVE-2015-5963 python-django: Denial-of-service possibility in logout() view by filling session store
Summary: CVE-2015-5963 python-django: Denial-of-service possibility in logout() view b...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5963
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1254911 1254912 1254913 1254914 1254915 1260506 1260508
Blocks: 1252892
TreeView+ depends on / blocked
 
Reported: 2015-08-12 13:02 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:02 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that Django incorrectly handled the session store. A session could be created by anonymously accessing the django.contrib.auth.views.logout view if it was not decorated correctly with django.contrib.auth.decorators.login_required. A remote attacker could use this flaw to fill up the session store or cause other users' session records to be evicted by requesting a large number of new sessions.
Clone Of:
Environment:
Last Closed: 2015-10-15 23:01:52 UTC


Attachments (Terms of Use)
session-store-1.4.x.diff (11.77 KB, text/plain)
2015-08-12 13:09 UTC, Vasyl Kaigorodov
no flags Details
session-store-1.7.x.diff (13.38 KB, text/plain)
2015-08-12 13:10 UTC, Vasyl Kaigorodov
no flags Details
session-store-1.8.x.diff (5.72 KB, text/plain)
2015-08-12 13:10 UTC, Vasyl Kaigorodov
no flags Details
session-store-master.diff (5.71 KB, text/plain)
2015-08-12 13:10 UTC, Vasyl Kaigorodov
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1766 0 normal SHIPPED_LIVE Moderate: python-django security update 2015-09-10 15:44:14 UTC
Red Hat Product Errata RHSA-2015:1767 0 normal SHIPPED_LIVE Moderate: python-django security update 2015-09-10 16:05:54 UTC
Red Hat Product Errata RHSA-2015:1876 0 normal SHIPPED_LIVE Moderate: python-django security update 2015-10-08 16:11:02 UTC
Red Hat Product Errata RHSA-2015:1894 0 normal SHIPPED_LIVE Moderate: python-django security update 2015-10-15 16:29:51 UTC

Description Vasyl Kaigorodov 2015-08-12 13:02:37 UTC
Following issue was reported in Django:

Previously, a session could be created when anonymously accessing the
``django.contrib.auth.views.logout`` view (provided it wasn't decorated
with ``django.contrib.auth.decorators.login_required`` as done in the
admin). This could allow an attacker to easily create many new session
records by sending repeated requests, potentially filling up the session
store or causing other users' session records to be evicted.

Comment 1 Vasyl Kaigorodov 2015-08-12 13:09:56 UTC
Created attachment 1061941 [details]
session-store-1.4.x.diff

Comment 2 Vasyl Kaigorodov 2015-08-12 13:10:00 UTC
Created attachment 1061942 [details]
session-store-1.7.x.diff

Comment 3 Vasyl Kaigorodov 2015-08-12 13:10:03 UTC
Created attachment 1061943 [details]
session-store-1.8.x.diff

Comment 4 Vasyl Kaigorodov 2015-08-12 13:10:06 UTC
Created attachment 1061944 [details]
session-store-master.diff

Comment 5 Vasyl Kaigorodov 2015-08-12 13:11:23 UTC
Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.

Comment 6 Adam Mariš 2015-08-19 08:45:37 UTC
Public via:
https://www.djangoproject.com/weblog/2015/aug/18/security-releases/

Comment 9 Garth Mollett 2015-09-07 06:27:29 UTC
Created python-django tracking bugs for this issue:

Affects: openstack-rdo [bug 1260506]

Comment 11 errata-xmlrpc 2015-09-10 11:44:25 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2015:1766 https://rhn.redhat.com/errata/RHSA-2015-1766.html

Comment 12 errata-xmlrpc 2015-09-10 12:06:03 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2015:1767 https://rhn.redhat.com/errata/RHSA-2015-1767.html

Comment 13 errata-xmlrpc 2015-10-08 12:21:17 UTC
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7

Via RHSA-2015:1876 https://access.redhat.com/errata/RHSA-2015:1876

Comment 14 errata-xmlrpc 2015-10-15 12:34:55 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:1894 https://rhn.redhat.com/errata/RHSA-2015-1894.html


Note You need to log in before you can comment on or make changes to this bug.