| author | Natalia <124304+nessita@users.noreply.github.com> | 2026-01-21 18:03:20 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2026-03-03 09:23:20 -0300 |
| commit | 54b50bf7d6dcbf02d4c01f853627cc9299d4934d (patch) | |
| tree | d94ab56f0076866ce9589ae77942bfe965a1c78d /docs | |
| parent | b3e8ec8cc310489fe80174b14b11edb970d682ea (diff) | |
[4.2.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.
This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921.
Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.
Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/4.2.29.txt | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/docs/releases/4.2.29.txt b/docs/releases/4.2.29.txt index b780264929..71170a5763 100644 --- a/docs/releases/4.2.29.txt +++ b/docs/releases/4.2.29.txt @@ -28,3 +28,18 @@ the previous behavior of ``URLField.to_python()``. This issue has severity "moderate" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2026-25674: Potential incorrect permissions on newly created file system objects +==================================================================================== + +Django's file-system storage and file-based cache backends used the process +``umask`` to control permissions when creating directories. In multi-threaded +environments, one thread's temporary umask change can affect other threads' +file and directory creation, resulting in file system objects being created +with unintended permissions. + +Django now applies the requested permissions via :func:`~os.chmod` after +:func:`~os.mkdir`, removing the dependency on the process-wide umask. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. |
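Review bot: the paragraph "Django now applies the requested permissions via :func:`~os.chmod` after :func:`~os.mkdir`, removing the dependency on the process-wide umask" overstates the guarantee slightly, since a mkdir-then-chmod sequence still leaves a short window in which the new directory carries whatever mode the umask produced before the chmod lands. Consider wording it as removing the dependency of the final permission bits on the umask, and consider naming the ``safe_makedirs()`` helper that the commit message introduces, so that readers of the release note can find the code path that changed.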
