author: Natalia <124304+nessita@users.noreply.github.com> 2026-01-21 18:03:20 -0300
committer: Natalia <124304+nessita@users.noreply.github.com> 2026-03-03 09:12:00 -0300
commit: 264d5c70ef3281a8869cb2ad45a3a52d5adbe790 (patch)
tree: e8185425adac84c8e3b109a1109607d841cb3176 /docs
parent: b1444d9acf43db9de96e0da2b4737ad56af0eb76 (diff)
[6.0.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython.

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>

Refs CVE-2020-24583 and #31921.

Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews.

Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
Diffstat (limited to 'docs')
-rw-r--r--  docs/releases/4.2.29.txt  15
-rw-r--r--  docs/releases/5.2.12.txt  15
-rw-r--r--  docs/releases/6.0.3.txt   15
3 files changed, 45 insertions, 0 deletions
diff --git a/docs/releases/4.2.29.txt b/docs/releases/4.2.29.txt
index b780264929..71170a5763 100644
--- a/docs/releases/4.2.29.txt
+++ b/docs/releases/4.2.29.txt
@@ -28,3 +28,18 @@ the previous behavior of ``URLField.to_python()``.
This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.
+
+CVE-2026-25674: Potential incorrect permissions on newly created file system objects
+====================================================================================
+
+Django's file-system storage and file-based cache backends used the process
+``umask`` to control permissions when creating directories. In multi-threaded
+environments, one thread's temporary umask change can affect other threads'
+file and directory creation, resulting in file system objects being created
+with unintended permissions.
+
+Django now applies the requested permissions via :func:`~os.chmod` after
+:func:`~os.mkdir`, removing the dependency on the process-wide umask.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
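Review bot: The heading and first paragraph of this note describe the issue as affecting "file and directory creation" and "file system objects", but the fix sentence ("applies the requested permissions via :func:`~os.chmod` after :func:`~os.mkdir`") only describes directory creation. Either state that file creation is covered by the fix as well, or narrow the first paragraph to directory creation, so the release note does not overstate the scope of what was changed.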
diff --git a/docs/releases/5.2.12.txt b/docs/releases/5.2.12.txt
index be2c7bc807..177bfd1ced 100644
--- a/docs/releases/5.2.12.txt
+++ b/docs/releases/5.2.12.txt
@@ -30,6 +30,21 @@ the previous behavior of ``URLField.to_python()``.
This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.
+CVE-2026-25674: Potential incorrect permissions on newly created file system objects
+====================================================================================
+
+Django's file-system storage and file-based cache backends used the process
+``umask`` to control permissions when creating directories. In multi-threaded
+environments, one thread's temporary umask change can affect other threads'
+file and directory creation, resulting in file system objects being created
+with unintended permissions.
+
+Django now applies the requested permissions via :func:`~os.chmod` after
+:func:`~os.mkdir`, removing the dependency on the process-wide umask.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
+
Bugfixes
========
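Review bot: The note does not name the new helper that replaces the unsafe pattern. The commit message says the fix introduces `safe_makedirs()` in the `os` utils as an alternative to `os.makedirs()`; mentioning it here would tell authors of custom storage or cache backends that still call `os.makedirs()` directly that they remain exposed to the same umask race, and what to use instead.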
diff --git a/docs/releases/6.0.3.txt b/docs/releases/6.0.3.txt
index 6750385c1e..31f12b1792 100644
--- a/docs/releases/6.0.3.txt
+++ b/docs/releases/6.0.3.txt
@@ -29,6 +29,21 @@ the previous behavior of ``URLField.to_python()``.
This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.
+CVE-2026-25674: Potential incorrect permissions on newly created file system objects
+====================================================================================
+
+Django's file-system storage and file-based cache backends used the process
+``umask`` to control permissions when creating directories. In multi-threaded
+environments, one thread's temporary umask change can affect other threads'
+file and directory creation, resulting in file system objects being created
+with unintended permissions.
+
+Django now applies the requested permissions via :func:`~os.chmod` after
+:func:`~os.mkdir`, removing the dependency on the process-wide umask.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
+
Bugfixes
========
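Review bot: Consider linking the upstream CPython issue (https://github.com/python/cpython/issues/86533, cited in the commit message) from this note, since the chmod-after-mkdir approach is described there as a workaround for that issue and readers tracking when it can be dropped will want the reference. The same applies to the 4.2.29 and 5.2.12 notes in this patch, which carry identical text.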