PublicDateAtUSN: 2011-10-19
Candidate: CVE-2011-4136
PublicDate: 2011-10-19 10:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4136
 https://ubuntu.com/security/notices/USN-1297-1
Description:
 django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Paul McMillan
Assigned-to: jdstrand
CVSS:

Patches_python-django:
 upstream: https://code.djangoproject.com/changeset/16765 (1.2)
 upstream: https://code.djangoproject.com/changeset/16762 (1.3)
upstream_python-django: released (1.3.1-1)
hardy_python-django: ignored (reached end-of-life)
lucid_python-django: released (1.1.1-2ubuntu1.4)
maverick_python-django: released (1.2.3-1ubuntu0.2.10.10.3)
natty_python-django: released (1.2.5-1ubuntu1.1)
oneiric_python-django: released (1.3-2ubuntu1.1)
devel_python-django: not-affected (1.3.1-1ubuntu1)