Channels security release issued: 3.0.3

Posted by Carlton Gibson on Dec. 28, 2020

In accordance with our security release policy, the Django team is issuing Channels 3.0.3. This release addresses the security issue detailed below. We encourage all users of Channels to upgrade as soon as possible.

CVE-2020-35681: Potential leakage of session data using legacy AsgiHandler

The legacy channels.http.AsgiHandler class, used for handling HTTP type requests in an ASGI environment prior to Django 3.0, did not correctly separate request scopes in Channels 3.0. In many cases this would result in a crash but, with correct timing responses could be sent to the wrong client, resulting in potential leakage of session identifiers and other sensitive data.

This issue affects Channels 3.0.x before 3.0.3, and is resolved in Channels 3.0.3.

Users of ProtocolTypeRouter not explicitly specifying the handler for the 'http' key, or those explicitly using channels.http.AsgiHandler, likely to support Django v2.2, are affected and should update immediately.

Please see the Channels version 3.0.3 release notes for full details.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

Back to Top