[2.2.x] Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.

Thanks WhiteSage for the report. Backport of ea0febbba531a3ecc8c77b570efbfb68ca7155db from master.
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-08-21 11:44:46 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-08-25 10:59:42 +0200
commit: 375657a71c889c588f723469bd868bd1d40c369f (patch)
tree: dd43c664dd737cc5888329f8a9d63def850b7520 /docs
parent: dc39e62e6b652f006a77b91df02e1dc801597396 (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/docs/releases/2.2.16.txt b/docs/releases/2.2.16.txt
index ce700e5043..f0c3ec894a 100644
--- a/docs/releases/2.2.16.txt
+++ b/docs/releases/2.2.16.txt
@@ -4,7 +4,18 @@ Django 2.2.16 release notes
 
 *Expected September 1, 2020*
 
-Django 2.2.16 fixes two data loss bugs in 2.2.15.
+Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15.
+
+CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
+======================================================================================
+
+On Python 3.7+, :setting:`FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was not
+applied to intermediate-level directories created in the process of uploading
+files and to intermediate-level collected static directories when using the
+:djadmin:`collectstatic` management command.
+
+You should review and manually fix permissions on existing intermediate-level
+directories.
 
 Bugfixes
 ========
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2020-08-21 11:44:46 +0200
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2020-08-25 10:59:42 +0200
commit	375657a71c889c588f723469bd868bd1d40c369f (patch)
tree	dd43c664dd737cc5888329f8a9d63def850b7520 /docs
parent	dc39e62e6b652f006a77b91df02e1dc801597396 (diff)