FreeBSD : django -- Fixed session flushing in the cached_db backend (48504af7-07ad-11e5-879c-00e0814cab4e)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

The Django project reports :

A change to session.flush() in the cached_db session backend in Django
1.8 mistakenly sets the session key to an empty string rather than
None. An empty string is treated as a valid session key and the
session cookie is set accordingly. Any users with an empty string in
their session cookie will use the same session store. session.flush()
is called by django.contrib.auth.logout() and, more seriously, by
django.contrib.auth.login() when a user switches accounts. If a user
is logged in and logs in again to a different account (without logging
out) the session is flushed to avoid reuse. After the session is
flushed (and its session key becomes '') the account details are set
on the session and the session is saved. Any users with an empty
string in their session cookie will now be logged into that account.

Thanks to Sam Cooke for reporting the issue.

See also :

https://www.djangoproject.com/weblog/2015/may/20/security-release/
http://www.nessus.org/u?86e3e8a7

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 83909 ()

Bugtraq ID:

CVE ID: CVE-2015-3982

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now