The Vulnerability History Project

[1.7.x] Fixed #19324 -- Avoided creating a session record when loading the session.

      The session record is now only created if/when the session is modified. This
prevents a potential DoS via creation of many empty session records.

This is a security fix; disclosure to follow shortly.

by Lawrence the Dove 2015-06-10 21:45:20 UTC

commit 1828f4341ec53a8684112d24031b767eba557663

Django Fix Sessions Overload CVE-2015-5143

django/contrib/sessions/backends/cache.py

+2 -4

django/contrib/sessions/backends/cached_db.py

+2 -2

django/contrib/sessions/backends/db.py

+2 -3

django/contrib/sessions/backends/file.py

+2 -3

django/contrib/sessions/tests.py

-20

docs/releases/1.4.21.txt

-21

docs/releases/1.7.9.txt

-21

expand_less