[Openstack-security] Fwd: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

Paul McMillan paul at mcmillan.ws
Fri Oct 4 03:39:33 UTC 2013


Hi Kurt,

The upstream Django team would be extremely happy if you refrained
from assigning a CVE for a clearly documented security tradeoff, which
is covered in both the Django and the Horizon docs, as well
as in the Openstack Security Guide.

The upshot of this entire business is that if you rely solely on
client-side cookies, logging out deletes the cookie from a local
browser, but does not actually invalidate it until the session expiry
timeout. If you don't like this particular technical limitation of using
client-side sessions, you are advised not to use that cookie backend.

https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions

This does NOT deserve a CVE.

Regards,
-Paul

On Fri, Oct 4, 2013 at 4:09 AM, Kurt Seifried <kseifried at redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/03/2013 08:22 PM, Jeffrey Walton wrote:
>> On Thu, Oct 3, 2013 at 6:30 PM, Jeffrey Walton <noloader at gmail.com>
>> wrote:
>>> Here's some more reading on the subject. It was recently updated,
>>> and effectively states django is susceptible to session
>>> management attacks under some configurations.
>>> https://docs.djangoproject.com/en/1.4/topics/http/sessions/#using-cookie-based-sessions.
>>
>>>
> It's now being tracked: VU#160862 (thanks Kurt).
>
> Just to be clear I didn't do anything yet. That's a US-CERT
> Vulnerability Note number, nothing to do with CVE. Did you contact the
> Django people about this issue to report it upstream yet? Adding
> security at djangoproject.com in case they haven't seen it yet.
>
> This is regarding
>
> http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
>
> I'm going to assign a CVE if I can somewhat confirm a CVE hasn't been
> requested yet.
>
>
> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (GNU/Linux)
>
> iQIcBAEBAgAGBQJSTjFMAAoJEBYNRVNeJnmTsekP/2igBidUl26EmyQg09qOYT7S
> mYbn60jqyaH+yyBpZc6RK6bhWxK5vOrSD46l8ag7oxX3SXQNJmv8dD3ua5nMvJfH
> ynrbm9oXboU04tw3ij5Texvux2OmBqdf1wW/zONhEMO4XLP9QaT82zTINbLVMyR7
> QVPaFAYWT0Ba/QEEIbG2cJ3v14dRl9lqB/qOlsx1CrcwczqGlLYPjvhctTG4NZRW
> op6f+XrEgBb5GAd/YrQdQrKKo5vlIwVRSuSRbYFLaQZU/4gAy0rMCUjuXxO+nt8W
> 1FaXryBSjr4MBffE2ou7XDwrUSJJkqceEhEKF3mKaRLRTjXbV6/u2Slc9EtlaS9t
> k0wu8wMx7xnSsZVTldBaS4Pgh49ZiDqqxGRncb8Gy+GIAvrh3FswLNxJa7w/zDBT
> JIewqKvSiWKqgrRc2HPw2w9QWnX3OhXGRxmbTRUuEse/dlQ2OqnT7z1mPG2AmJoj
> I+tsis7btojs0OEXeyOOJVJzINWSCZcF1PAz1zwO5c4x7lA9la6dgaOKQPPFctjR
> UKq30ztQ66eXiROydt/Vz1zUgPn/KUHB34L2jyPg/otnx/TLLisCEXxXb4TL68nx
> 0WfPTVK5zRl0SqmSdizwHaCDepaexh756QGIJyRrd8br1O9GKj1Lj5g6Vx4PDiLO
> KdabNJIvEImC8HPAPwoE
> =lzjh
> -----END PGP SIGNATURE-----
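The tradeoff Paul describes above, shown as an added, self-contained Python model that is not part of this thread or of Django's own code: a cookie-backed session carries its data and expiry inside an HMAC-signed cookie value, so "logout" can only ask the browser to drop the cookie and a retained copy of the value keeps loading until the expiry timestamp passes; a server-side store can delete the record and reject the id immediately. The signing format, key, timestamps and user data are all constructed for the demo (Django's real implementation uses its own signing module), and the point is the revocation behaviour, not the encoding.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment uses Django's SECRET_KEY setting.
SECRET_KEY = b"constructed-demo-secret-key"


def _sign(body: str) -> str:
    """HMAC-SHA256 over the encoded payload, hex-encoded (demo format, not Django's)."""
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


def make_cookie_session(data: dict, now: int, max_age: int) -> str:
    """Cookie-backed session: data and expiry both live inside the signed cookie."""
    body = base64.urlsafe_b64encode(
        json.dumps({"d": data, "exp": now + max_age}).encode()
    ).decode()
    return f"{body}.{_sign(body)}"


def load_cookie_session(cookie: str, now: int):
    """Check signature and expiry only. No server-side state is consulted,
    so there is nothing a logout could have invalidated."""
    body, sep, sig = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(sig, _sign(body)):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now >= payload["exp"]:
        return None
    return payload["d"]


class ServerSessionStore:
    """Database/cache-style backend: the cookie carries only an opaque id."""

    def __init__(self):
        self._rows = {}

    def create(self, data: dict, now: int, max_age: int) -> str:
        sid = secrets.token_hex(16)
        self._rows[sid] = {"d": data, "exp": now + max_age}
        return sid

    def load(self, sid: str, now: int):
        row = self._rows.get(sid)
        if row is None or now >= row["exp"]:
            return None
        return row["d"]

    def logout(self, sid: str) -> None:
        # Server-side logout destroys the record; any copy of the id is now useless.
        self._rows.pop(sid, None)


def cookie_backend_after_logout(max_age: int = 3600):
    """Returns (valid_right_after_logout, valid_after_expiry) for a copy of the
    cookie value that was retained outside the user's browser."""
    t0 = 1_000_000  # constructed clock value
    cookie = make_cookie_session({"user_id": 42}, t0, max_age)
    # "Logout" with this backend only tells the browser to drop the cookie;
    # the server holds no record to revoke, so the original value is unchanged.
    retained_copy = cookie
    still_valid = load_cookie_session(retained_copy, t0 + 60) is not None
    after_expiry = load_cookie_session(retained_copy, t0 + max_age) is not None
    return still_valid, after_expiry


def server_backend_after_logout(max_age: int = 3600) -> bool:
    """Returns whether a retained session id still loads after server-side logout."""
    t0 = 1_000_000  # constructed clock value
    store = ServerSessionStore()
    sid = store.create({"user_id": 42}, t0, max_age)
    store.logout(sid)
    return store.load(sid, t0 + 60) is not None


if __name__ == "__main__":
    print("cookie backend (valid after logout, valid after expiry):",
          cookie_backend_after_logout())
    print("server backend valid after logout:", server_backend_after_logout())
```

With the cookie backend the expiry timestamp is the only revocation mechanism, which is why the linked Django docs treat the backend choice as a deliberate tradeoff: a deployment that needs logout to take effect immediately uses a database or cache session backend, and one that keeps the cookie backend narrows the window by keeping the session age short.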
