Security release issued: 1.8.2

Posted by Tim Graham on May 20, 2015

In accordance with our security release policy, the Django team is issuing Django 1.8.2. This release is now available on PyPI and our download page. This release addresses a security issue detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master branch has also been updated.

CVE-2015-3982 - Fixed session flushing in the cached_db backend

A change to session.flush() in the cached_db session backend in Django 1.8 mistakenly sets the session key to an empty string rather than None. An empty string is treated as a valid session key and the session cookie is set accordingly. Any users with an empty string in their session cookie will use the same session store. session.flush() is called by django.contrib.auth.logout() and, more seriously, by django.contrib.auth.login() when a user switches accounts. If a user is logged in and logs in again to a different account (without logging out) the session is flushed to avoid reuse. After the session is flushed (and its session key becomes '') the account details are set on the session and the session is saved. Any users with an empty string in their session cookie will now be logged into that account.

Thanks to Sam Cooke for reporting the issue.

Affected versions

  • Django master development branch
  • Django 1.8

Django 1.7 and older are not affected.

Resolution

Patches have been applied to Django's master development branch and to the 1.8 release branch. The patches may be obtained directly from the following changesets:

The following new release has been issued:

The PGP key ID used for this release is Tim Graham: 1E8ABDC773EDE252.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

Back to Top