Explore top 10 tips to secure your open-source projects now. Read More
×
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don't Repeat Yourself) principle.
It was found that Django incorrectly handled the session store. A session
could be created by anonymously accessing the
django.contrib.auth.views.logout view if it was not decorated correctly
with django.contrib.auth.decorators.login_required. A remote attacker could
use this flaw to fill up the session store or cause other users' session
records to be evicted by requesting a large number of new sessions.
(CVE-2015-5963)
Red Hat would like to thank the upstream Django project for reporting this
issue.
All python-django users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.
https://access.redhat.com/security/cve/CVE-2015-5963 https://access.redhat.com/security/updates/classification#moderate
Red Hat Enterprise Linux OpenStack Platform 7.0 for RHEL 7:
Source:
python-django-1.8.4-1.el7.src.rpm
noarch:
python-django-1.8.4-1.el7.noarch.rpm
python-django-bash-completion-1.8.4-1.el7.noarch.rpm
python-django-doc-1.8.4-1.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key
Updated python-django packages that fix one security issue are nowavailable for Red Hat Enterprise Linux OpenStack Platform 7.0.Red Hat Product Security has rated this update as having Moderate securityimpact. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available from the CVE link in theReferences section.
Red Hat Enterprise Linux OpenStack Platform 7.0 for RHEL 7 - noarch
1252890 - CVE-2015-5963 python-django: Denial-of-service possibility in logout() view by filling session store
Get the latest Linux and open source security news straight to your inbox.