The Vulnerability History Project

[1.4.x] Fixed #19324 -- Avoided creating a session record when loading the session.

      The session record is now only created if/when the session is modified. This
prevents a potential DoS via creation of many empty session records.

This is a security fix; disclosure to follow shortly.

by Lawrence the Dove 2015-06-10 21:45:20 UTC

commit 2e47f3e401c29bc2ba5ab794d483cb0820855fb9

Django Fix Sessions Overload CVE-2015-5143

django/contrib/sessions/backends/cache.py

+2 -4

django/contrib/sessions/backends/cached_db.py

+2 -3

django/contrib/sessions/backends/db.py

+2 -3

django/contrib/sessions/backends/file.py

+3 -4

django/contrib/sessions/tests.py

-19

docs/releases/1.4.21.txt

-21

expand_less