Red Hat Security Advisory RHSA-2015:1876 (access.redhat.com), published Oct 08, 2015 - 11:49 a.m.
(RHSA-2015:1876) Moderate: python-django security update


EPSS: 0.024 (89.9th percentile)

Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don’t Repeat Yourself) principle.

It was found that Django incorrectly handled the session store. A session
could be created by anonymously accessing the
django.contrib.auth.views.logout view if it was not decorated correctly
with django.contrib.auth.decorators.login_required. A remote attacker could
use this flaw to fill up the session store or cause other users’ session
records to be evicted by requesting a large number of new sessions.
(CVE-2015-5963)
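The following is an added example written for this page; it is neither Red Hat's nor Django's code. It models the mechanism behind CVE-2015-5963 in plain Python so it can be run offline: a bounded session store stands in for a cache-backed backend, a minimal Session/middleware pair mimics how a flushed-but-empty session was still written under a fresh key, and two mitigations are modelled side by side. The upstream Django 1.8.4 fix changed SessionMiddleware to stop creating empty session records; the is_empty check below stands in for that change, while require_login stands in for wrapping the logout view in login_required as the advisory describes. All class, function and parameter names here are assumptions made for the illustration.

```python
# Added example: simplified model of the CVE-2015-5963 session-store
# exhaustion. Illustrative code written for this page, not Django's own;
# names are assumed, and the bounded store stands in for a cache-backed
# session backend such as memcached.
import secrets
from collections import OrderedDict


class SessionStore:
    """Bounded in-memory session store that evicts the oldest record when
    full, mimicking a cache-backed backend under memory pressure."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = OrderedDict()

    def save(self, key, data):
        if key in self.records:
            self.records.move_to_end(key)
        elif len(self.records) >= self.capacity:
            self.records.popitem(last=False)  # evict the oldest session
        self.records[key] = dict(data)

    def delete(self, key):
        self.records.pop(key, None)

    def exists(self, key):
        return key in self.records


class Session:
    """Per-request session object, loosely modelled on SessionBase."""

    def __init__(self, store, key=None):
        self.store = store
        self.key = key if key is not None and store.exists(key) else None
        self.data = dict(store.records[self.key]) if self.key else {}
        self.modified = False

    def __setitem__(self, name, value):
        self.data[name] = value
        self.modified = True

    def __contains__(self, name):
        return name in self.data

    def flush(self):
        """What logout() calls: drop the backend record and start afresh."""
        if self.key is not None:
            self.store.delete(self.key)
        self.key = None
        self.data = {}
        self.modified = True

    def is_empty(self):
        return self.key is None and not self.data


def process_response(session, save_empty):
    """Models SessionMiddleware.process_response. Returns the session key the
    Set-Cookie header would carry, or None when no cookie is issued.

    save_empty=True reproduces the pre-fix behaviour: a session that was
    flushed and left empty is still written to the store under a fresh key.
    save_empty=False models the 1.8.4 fix of not saving empty sessions."""
    if not session.modified:
        return session.key
    if not save_empty and session.is_empty():
        return None  # nothing to persist, so no record and no cookie
    if session.key is None:
        session.key = secrets.token_hex(16)
    session.store.save(session.key, session.data)
    return session.key


def logout_view(session, require_login):
    """Models django.contrib.auth.views.logout. With require_login=True the
    view behaves as if wrapped in login_required: anonymous callers are
    turned away before flush() can create a session."""
    if require_login and "user_id" not in session:
        return "302 redirect to login"
    session.flush()
    return "200 logged out"


def simulate(save_empty, require_login, attacker_requests, capacity=5):
    """One victim logs in, then an anonymous attacker hits /logout
    attacker_requests times with no cookie. Returns whether the victim's
    session survived and how many records the store holds afterwards."""
    store = SessionStore(capacity)
    victim = Session(store)
    victim["user_id"] = 42
    victim_key = process_response(victim, save_empty)
    for _ in range(attacker_requests):
        anon = Session(store)  # no cookie sent, so a brand-new session
        logout_view(anon, require_login)
        process_response(anon, save_empty)
    return store.exists(victim_key), len(store.records)


if __name__ == "__main__":
    print("vulnerable:     ", simulate(True, False, 10))
    print("middleware fix: ", simulate(False, False, 10))
    print("login_required: ", simulate(True, True, 10))
```

With a store capacity of 5, ten anonymous requests in the vulnerable configuration evict the victim's record and leave the store full of empty attacker sessions; either mitigation leaves the store holding only the victim's session. The two fixes are complementary: not saving empty sessions closes the hole for any undecorated view that flushes, while login_required on the logout view keeps anonymous clients from reaching flush() at all.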

Red Hat would like to thank the upstream Django project for reporting this
issue.

All python-django users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.