Bug 16012

Summary: python-django new security issue CVE-2015-3982
Product: Mageia Reporter: Philippe Makowski <makowski.mageia>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: luigiwalser
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/646893/
Whiteboard:
Source RPM: python-django-1.8-1.mga5 CVE: CVE-2015-3982
Status comment:

Description Philippe Makowski 2015-05-22 11:47:39 CEST 
From upstream :

CVE-2015-3982 - Fixed session flushing in the cached_db backend

A change to session.flush() in the cached_db session backend in Django 1.8 mistakenly sets the session key to an empty string rather than None. An empty string is treated as a valid session key and the session cookie is set accordingly. Any users with an empty string in their session cookie will use the same session store. session.flush() is called by django.contrib.auth.logout() and, more seriously, by django.contrib.auth.login() when a user switches accounts. If a user is logged in and logs in again to a different account (without logging out) the session is flushed to avoid reuse. After the session is flushed (and its session key becomes '') the account details are set on the session and the session is saved. Any users with an empty string in their session cookie will now be logged into that account.

This is fixed in 1.8.2, Django 1.7 and older are not affected.
Philippe Makowski 2015-05-22 11:49:19 CEST

URL: (none) => https://www.djangoproject.com/weblog/2015/may/20/security-release/
CVE: (none) => CVE-2015-3982
Source RPM: (none) => python-django-1.8-1.mga5

Comment 1 David Walser 2015-05-22 17:14:53 CEST 
Built fine locally, freeze push requested.

CC: (none) => luigiwalser

Comment 2 David Walser 2015-05-22 18:06:56 CEST 
python-django-1.8.2-1.mga5 uploaded for Cauldron.  Thanks for the report!

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 3 David Walser 2015-06-01 23:47:26 CEST 
Upstream reference:
https://www.djangoproject.com/weblog/2015/may/20/security-release/

Fedora has issued an advisory for this on May 22:
https://lists.fedoraproject.org/pipermail/package-announce/2015-May/159156.html

URL: https://www.djangoproject.com/weblog/2015/may/20/security-release/ => http://lwn.net/Vulnerabilities/646893/