svn commit: r388116 - head/security/vuxml

Sun May 31 16:07:53 UTC 2015

Author: lwhsu
Date: Sun May 31 16:07:52 2015
New Revision: 388116
URL: https://svnweb.freebsd.org/changeset/ports/388116

Log:
  - Document django vulnerability CVE-2015-3982

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================

--- head/security/vuxml/vuln.xml	Sun May 31 15:59:17 2015	(r388115)
+++ head/security/vuxml/vuln.xml	Sun May 31 16:07:52 2015	(r388116)
@@ -57,6 +57,73 @@ Notes:
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="48504af7-07ad-11e5-879c-00e0814cab4e">
+    <topic>django -- Fixed session flushing in the cached_db backend</topic>
+    <affects>
+      <package>
+	<name>py27-django</name>
+	<range><ge>1.8</ge><lt>1.8.2</lt></range>
+      </package>
+      <package>
+	<name>py32-django</name>
+	<range><ge>1.8</ge><lt>1.8.2</lt></range>
+      </package>
+      <package>
+	<name>py33-django</name>
+	<range><ge>1.8</ge><lt>1.8.2</lt></range>
+      </package>
+      <package>
+	<name>py34-django</name>
+	<range><ge>1.8</ge><lt>1.8.2</lt></range>
+      </package>
+      <package>
+	<name>py27-django-devel</name>
+	<range><lt>20150531,1</lt></range>
+      </package>
+      <package>
+	<name>py32-django-devel</name>
+	<range><lt>20150531,1</lt></range>
+      </package>
+      <package>
+	<name>py33-django-devel</name>
+	<range><lt>20150531,1</lt></range>
+      </package>
+      <package>
+	<name>py34-django-devel</name>
+	<range><lt>20150531,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The Django project reports:</p>
+	<blockquote cite="https://www.djangoproject.com/weblog/2015/may/20/security-release/">
+	  <p>A change to session.flush() in the cached_db session backend in
+	    Django 1.8 mistakenly sets the session key to an empty string
+	    rather than None. An empty string is treated as a valid session key
+	    and the session cookie is set accordingly. Any users with an empty
+	    string in their session cookie will use the same session store.
+	    session.flush() is called by django.contrib.auth.logout() and, more
+	    seriously, by django.contrib.auth.login() when a user switches accounts.
+	    If a user is logged in and logs in again to a different account
+	    (without logging out) the session is flushed to avoid reuse.
+	    After the session is flushed (and its session key becomes '') the
+	    account details are set on the session and the session is saved.
+	    Any users with an empty string in their session cookie will now be
+	    logged into that account.</p>
+	  <p>Thanks to Sam Cooke for reporting the issue.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://www.djangoproject.com/weblog/2015/may/20/security-release/</url>
+      <cvename>CVE-2015-3982</cvename>
+    </references>
+    <dates>
+      <discovery>2015-05-20</discovery>
+      <entry>2015-05-31</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="9471ec47-05a2-11e5-8fda-002590263bf5">
     <topic>proxychains-ng -- current path as the first directory for the library search path</topic>
     <affects>
