CVE-2011-4136
Published: 19 October 2011
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
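The collision described above, as an added example (not Django's code and not part of the original advisory). A plain dict stands in for the shared cache; `SessionStore`, `app_cache_set`, the prefix string and the session identifier are all hypothetical names and constructed values. It compares storing sessions in the root namespace with storing them under a dedicated key prefix, which is one way to keep the two namespaces apart.

```python
# Added illustration: a dict stands in for the shared cache backend.
SESSION_PREFIX = "example.sessions."  # hypothetical prefix, not Django's value


class SessionStore:
    """Toy cache-backed session store (not Django's implementation)."""

    def __init__(self, cache, session_id, prefix=""):
        self.cache = cache
        self.session_id = session_id
        self.prefix = prefix  # "" reproduces the root-namespace behaviour

    @property
    def cache_key(self):
        # With an empty prefix the session shares keys with application data.
        return self.prefix + self.session_id

    def save(self, data):
        self.cache[self.cache_key] = dict(data)

    def load(self):
        return self.cache.get(self.cache_key, {})


def app_cache_set(cache, key, value):
    """Application code caching its own data under a caller-influenced key."""
    cache[key] = value


def demo(prefix):
    """Return the session contents after an application write to the same key."""
    cache = {}
    sid = "3f9c0a1e5b7d4c2a"  # constructed session identifier
    session = SessionStore(cache, sid, prefix)
    session.save({"user_id": 42})
    # Application data stored under a key equal to the session identifier.
    app_cache_set(cache, sid, {"cached": "app data"})
    return session.load()


if __name__ == "__main__":
    print("root namespace:", demo(""))              # session replaced
    print("prefixed      :", demo(SESSION_PREFIX))  # session intact
```
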
Priority
Status
Package | Release | Status |
---|---|---|
python-django (Launchpad, Ubuntu, Debian) | hardy | Ignored (end of life) |
| lucid | Released (1.1.1-2ubuntu1.4) |
| maverick | Released (1.2.3-1ubuntu0.2.10.10.3) |
| natty | Released (1.2.5-1ubuntu1.1) |
| oneiric | Released (1.3-2ubuntu1.1) |
| upstream | Released (1.3.1-1) |

Patches:
upstream: https://code.djangoproject.com/changeset/16765
upstream: https://code.djangoproject.com/changeset/16762