Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+.

author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-08-21 12:43:45 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2020-09-01 09:17:23 +0200
commit: 1853724acaf17ed7414d54c7d2b5563a25025a71 (patch)
tree: 66587ddd9c23bc7b0f2ea10897aa57d3519cd015 /docs/releases/2.2.16.txt
parent: 8d7271578d7b153435b40fe40236ebec43cbf1b9 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/docs/releases/2.2.16.txt b/docs/releases/2.2.16.txt
index f0c3ec894a..f531871d1a 100644
--- a/docs/releases/2.2.16.txt
+++ b/docs/releases/2.2.16.txt
@@ -4,7 +4,7 @@ Django 2.2.16 release notes
 
 *Expected September 1, 2020*
 
-Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15.
+Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.
 
 CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
 ======================================================================================
@@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
 You should review and manually fix permissions on existing intermediate-level
 directories.
 
+CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
+===============================================================================================================
+
+On Python 3.7+, the intermediate-level directories of the file system cache had
+the system's standard umask rather than ``0o077`` (no group or others
+permissions).
+
 Bugfixes
 ========
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2020-08-21 12:43:45 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2020-09-01 09:17:23 +0200
commit	1853724acaf17ed7414d54c7d2b5563a25025a71 (patch)
tree	66587ddd9c23bc7b0f2ea10897aa57d3519cd015 /docs/releases/2.2.16.txt
parent	8d7271578d7b153435b40fe40236ebec43cbf1b9 (diff)