Summary: | <dev-python/django-{1.4.22,1.7.10,1.8.4}: Denial-of-service (CVE-2015-{5963,5964}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Justin Lecher (RETIRED) <jlec> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | python |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [noglsa/cve] | ||
Package list: | Runtime testing required: | --- |
Description
Justin Lecher (RETIRED)
2015-08-18 18:54:04 UTC
commit 449ca833b71668efa0c96f33497d7ca99e627b61 Author: Justin Lecher <jlec@gentoo.org> Date: Tue Aug 18 21:44:40 2015 +0200 dev-python/django: Version Bump for CVE-2015-{5963,5964} Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=558096 Package-Manager: portage-2.2.20.1 Signed-off-by: Justin Lecher <jlec@gentoo.org> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=449ca833b71668efa0c96f33497d7ca99e627b61 @arches please stabilize dev-python/django-1.4.22 dev-python/django-1.7.10 amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. commit 783a4be550dab8510f3c99a0d3a9605214bf215a Author: Justin Lecher <jlec@gentoo.org> Date: Thu Aug 20 11:19:16 2015 +0200 dev-python/django: Drop vulnerable versions for CVE-2015-{5963,5964} * drop KEYWORDS from masked versions Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=558096 Package-Manager: portage-2.2.20.1 Signed-off-by: Justin Lecher <jlec@gentoo.org> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=783a4be550dab8510f3c99a0d3a9605214bf215a Vote: NO. CVE-2015-5964 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5964): The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty sessions in certain circumstances, which allows remote attackers to cause a denial of service (session store consumption) via unspecified vectors. CVE-2015-5963 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5963): contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record. GLSA Vote: No |