Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.

Thanks WhiteSage for the report.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-08-21 11:44:46 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2020-09-01 09:17:23 +0200
commit: 8d7271578d7b153435b40fe40236ebec43cbf1b9 (patch)
tree: 8ff6135d4131b005510b2197e537596d5a9d9fca /docs/releases/2.2.16.txt
parent: 2bc38bc7cae002f949157d95e3f0c19ea6b8ca5c (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/docs/releases/2.2.16.txt b/docs/releases/2.2.16.txt
index ce700e5043..f0c3ec894a 100644
--- a/docs/releases/2.2.16.txt
+++ b/docs/releases/2.2.16.txt
@@ -4,7 +4,18 @@ Django 2.2.16 release notes
 
 *Expected September 1, 2020*
 
-Django 2.2.16 fixes two data loss bugs in 2.2.15.
+Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15.
+
+CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
+======================================================================================
+
+On Python 3.7+, :setting:`FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was not
+applied to intermediate-level directories created in the process of uploading
+files and to intermediate-level collected static directories when using the
+:djadmin:`collectstatic` management command.
+
+You should review and manually fix permissions on existing intermediate-level
+directories.
 
 Bugfixes
 ========
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2020-08-21 11:44:46 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2020-09-01 09:17:23 +0200
commit	8d7271578d7b153435b40fe40236ebec43cbf1b9 (patch)
tree	8ff6135d4131b005510b2197e537596d5a9d9fca /docs/releases/2.2.16.txt
parent	2bc38bc7cae002f949157d95e3f0c19ea6b8ca5c (diff)