[Openstack-security] Fwd: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

Kurt Seifried kseifried at redhat.com
Fri Oct 4 03:09:01 UTC 2013



On 10/03/2013 08:22 PM, Jeffrey Walton wrote:
> On Thu, Oct 3, 2013 at 6:30 PM, Jeffrey Walton <noloader at gmail.com>
> wrote:
>> Here's some more reading on the subject. It was recently updated,
>> and effectively states django is susceptible to session
>> management attacks under some configurations. 
>> https://docs.djangoproject.com/en/1.4/topics/http/sessions/#using-cookie-based-sessions.
>
> It's now being tracked: VU#160862 (thanks Kurt).

Just to be clear, I didn't do anything yet. That's a US-CERT
Vulnerability Note number, nothing to do with CVE. Did you contact the
Django people about this issue to report it upstream yet? Adding
security at djangoproject.com in case they haven't seen it yet.

This is regarding

http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/

I'm going to assign a CVE if I can somewhat confirm a CVE hasn't been
requested yet.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



