CVE-2011-4136

Published: 19 October 2011

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.

Priority

Status

Package	Release	Status
python-django Launchpad, Ubuntu, Debian	hardy	Ignored (end of life)
	lucid	Released (1.1.1-2ubuntu1.4)
	maverick	Released (1.2.3-1ubuntu0.2.10.10.3)
	natty	Released (1.2.5-1ubuntu1.1)
	oneiric	Released (1.3-2ubuntu1.1)
	upstream	Released (1.3.1-1)
	Patches: upstream: https://code.djangoproject.com/changeset/16765 upstream: https://code.djangoproject.com/changeset/16762

References

https://ubuntu.com/security/notices/USN-1297-1
https://www.cve.org/CVERecord?id=CVE-2011-4136
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.