FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-16 19:33:48 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
48504af7-07ad-11e5-879c-00e0814cab4e	django -- Fixed session flushing in the cached_db backend The Django project reports: A change to session.flush() in the cached_db session backend in Django 1.8 mistakenly sets the session key to an empty string rather than None. An empty string is treated as a valid session key and the session cookie is set accordingly. Any users with an empty string in their session cookie will use the same session store. session.flush() is called by django.contrib.auth.logout() and, more seriously, by django.contrib.auth.login() when a user switches accounts. If a user is logged in and logs in again to a different account (without logging out) the session is flushed to avoid reuse. After the session is flushed (and its session key becomes '') the account details are set on the session and the session is saved. Any users with an empty string in their session cookie will now be logged into that account. Thanks to Sam Cooke for reporting the issue. Discovery 2015-05-20 Entry 2015-05-31 py27-django ge 1.8 lt 1.8.2 py32-django ge 1.8 lt 1.8.2 py33-django ge 1.8 lt 1.8.2 py34-django ge 1.8 lt 1.8.2 py27-django-devel < 20150531,1 py32-django-devel < 20150531,1 py33-django-devel < 20150531,1 py34-django-devel < 20150531,1 https://www.djangoproject.com/weblog/2015/may/20/security-release/ CVE-2015-3982

VuXML ID

Description

48504af7-07ad-11e5-879c-00e0814cab4e

django -- Fixed session flushing in the cached_db backend

The Django project reports:

A change to session.flush() in the cached_db session backend in Django 1.8 mistakenly sets the session key to an empty string rather than None. An empty string is treated as a valid session key and the session cookie is set accordingly. Any users with an empty string in their session cookie will use the same session store. session.flush() is called by django.contrib.auth.logout() and, more seriously, by django.contrib.auth.login() when a user switches accounts. If a user is logged in and logs in again to a different account (without logging out) the session is flushed to avoid reuse. After the session is flushed (and its session key becomes '') the account details are set on the session and the session is saved. Any users with an empty string in their session cookie will now be logged into that account.

Thanks to Sam Cooke for reporting the issue.

Discovery 2015-05-20
Entry 2015-05-31
py27-django

ge 1.8 lt 1.8.2

py32-django

ge 1.8 lt 1.8.2

py33-django

ge 1.8 lt 1.8.2

py34-django

ge 1.8 lt 1.8.2

py27-django-devel

< 20150531,1

py32-django-devel

< 20150531,1

py33-django-devel

< 20150531,1

py34-django-devel

< 20150531,1

https://www.djangoproject.com/weblog/2015/may/20/security-release/
CVE-2015-3982