CVE-2015-5964

Published: 18 August 2015

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors.

Priority

Medium

Status

| Package | Release | Status |
| --- | --- | --- |
| python-django | Upstream | Released (1.4.22, 1.7.10, 1.8.4) |
| python-django | Ubuntu 14.04 ESM (Trusty Tahr) | Released (1.6.1-2ubuntu0.10) |