We can not increase upper bounds here. I agree, Debian shipped 2014.2 with django-1.7, but e.g for Django- openstack-auth we just recently increased the upper cap to include django-1.7. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1457551 Title: Another Horizon login page vulnerability to a DoS attack Status in OpenStack Dashboard (Horizon): New Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: New Bug description: This bug is very similar to: https://bugs.launchpad.net/bugs/1394370 Steps to reproduce: 1) Setup Horizon to use db as session engine (using this doc: http://docs.openstack.org/admin-guide-cloud/content/dashboard-session-database.html). I've used MySQL. 2) Run 'for i in {1..100}; do curl -b "sessionid=aaaaa;" http://HORIZON__IP/auth/login/ &> /dev/null; done' from your terminal. I've got 100 rows in django_session after this. I've used devstack installation just with updated master branch. To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1457551/+subscriptions