The Vulnerability History Project

[1.8.x] Fixed #19324 -- Avoided creating a session record when loading the session.

      The session record is now only created if/when the session is modified. This
prevents a potential DoS via creation of many empty session records.

This is a security fix; disclosure to follow shortly.

by Lawrence the Dove 2015-06-10 21:45:20 UTC

commit 66d12d1ababa8f062857ee5eb43276493720bf16

Django Fix Sessions Overload CVE-2015-5143

django/contrib/sessions/backends/cache.py

+2 -4

django/contrib/sessions/backends/cached_db.py

+2 -2

django/contrib/sessions/backends/db.py

+2 -3

django/contrib/sessions/backends/file.py

+2 -3

docs/releases/1.4.21.txt

-21

docs/releases/1.7.9.txt

-21

docs/releases/1.8.3.txt

-21

tests/sessions_tests/tests.py

-20

expand_less