===========================Django 1.4.22 release notes===========================*August 18, 2015*Django 1.4.22 fixes a security issue in 1.4.21.It also fixes support with pip 7+ by disabling wheel support. Older versionsof 1.4 would silently build a broken wheel when installed with those versionsof pip.Denial-of-service possibility in ``logout()`` view by filling session store===========================================================================Previously, a session could be created when anonymously accessing the``django.contrib.auth.views.logout()`` view (provided it wasn't decoratedwith :func:`~django.contrib.auth.decorators.login_required` as done in theadmin). This could allow an attacker to easily create many new session recordsby sending repeated requests, potentially filling up the session store orcausing other users' session records to be evicted.The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has beenmodified to no longer create empty session records, including when:setting:`SESSION_SAVE_EVERY_REQUEST` is active.Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and``cache_db.SessionStore.flush()`` methods have been modified to avoid creatinga new empty session. Maintainers of third-party session backends should checkif the same vulnerability is present in their backend and correct it if so.