[3.0.x] Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.

Thanks WhiteSage for the report. Backport of ea0febbba531a3ecc8c77b570efbfb68ca7155db from master.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-08-21 11:44:46 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-08-25 10:43:50 +0200
commit: 08892bffd275c79ee1f8f67639eb170aaaf1181e (patch)
tree: 5a88bd55785ee497b0613417a4f2eb30017c7203 /docs/releases/2.2.16.txt
parent: db8b935730002f2cff6df957e8adab9561072834 (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/docs/releases/2.2.16.txt b/docs/releases/2.2.16.txt
index ce700e5043..f0c3ec894a 100644
--- a/docs/releases/2.2.16.txt
+++ b/docs/releases/2.2.16.txt
@@ -4,7 +4,18 @@ Django 2.2.16 release notes
 
 *Expected September 1, 2020*
 
-Django 2.2.16 fixes two data loss bugs in 2.2.15.
+Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15.
+
+CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
+======================================================================================
+
+On Python 3.7+, :setting:`FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was not
+applied to intermediate-level directories created in the process of uploading
+files and to intermediate-level collected static directories when using the
+:djadmin:`collectstatic` management command.
+
+You should review and manually fix permissions on existing intermediate-level
+directories.
 
 Bugfixes
 ========
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2020-08-21 11:44:46 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2020-08-25 10:43:50 +0200
commit	08892bffd275c79ee1f8f67639eb170aaaf1181e (patch)
tree	5a88bd55785ee497b0613417a4f2eb30017c7203 /docs/releases/2.2.16.txt
parent	db8b935730002f2cff6df957e8adab9561072834 (diff)