FreeBSD : django -- Fixed session flushing in the cached_db backend (48504af7-07ad-11e5-879c-00e0814cab4e)

medium Nessus Plugin ID 83909

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The Django project reports :

A change to session.flush() in the cached_db session backend in Django 1.8 mistakenly sets the session key to an empty string rather than None. An empty string is treated as a valid session key and the session cookie is set accordingly. Any users with an empty string in their session cookie will use the same session store. session.flush() is called by django.contrib.auth.logout() and, more seriously, by django.contrib.auth.login() when a user switches accounts. If a user is logged in and logs in again to a different account (without logging out) the session is flushed to avoid reuse. After the session is flushed (and its session key becomes '') the account details are set on the session and the session is saved. Any users with an empty string in their session cookie will now be logged into that account.

Thanks to Sam Cooke for reporting the issue.

Solution

Update the affected packages.

See Also

https://www.djangoproject.com/weblog/2015/may/20/security-release/

http://www.nessus.org/u?bdc741f9

Plugin Details

Severity: Medium

ID: 83909

File Name: freebsd_pkg_48504af707ad11e5879c00e0814cab4e.nasl

Version: 2.5

Type: local

Published: 6/1/2015

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:py27-django, p-cpe:/a:freebsd:freebsd:py27-django-devel, p-cpe:/a:freebsd:freebsd:py32-django, p-cpe:/a:freebsd:freebsd:py32-django-devel, p-cpe:/a:freebsd:freebsd:py33-django, p-cpe:/a:freebsd:freebsd:py33-django-devel, p-cpe:/a:freebsd:freebsd:py34-django, p-cpe:/a:freebsd:freebsd:py34-django-devel, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 5/31/2015

Vulnerability Publication Date: 5/20/2015

Reference Information

CVE: CVE-2015-3982