diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-08-21 12:43:45 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-08-25 11:09:40 +0200 |
| commit | a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f (patch) | |
| tree | 983d19b0902cde5d010ff6905cfe7d75ce7f07f9 /docs | |
| parent | 375657a71c889c588f723469bd868bd1d40c369f (diff) | |
[2.2.x] Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+.
Backport of f56b57976133129b0b351a38bba4ac882badabf0 from master.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/2.2.16.txt | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/docs/releases/2.2.16.txt b/docs/releases/2.2.16.txt index f0c3ec894a..f531871d1a 100644 --- a/docs/releases/2.2.16.txt +++ b/docs/releases/2.2.16.txt @@ -4,7 +4,7 @@ Django 2.2.16 release notes *Expected September 1, 2020* -Django 2.2.16 fixes a security issue and two data loss bugs in 2.2.15. +Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15. CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+ ====================================================================================== @@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the You should review and manually fix permissions on existing intermediate-level directories. +CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+ +=============================================================================================================== + +On Python 3.7+, the intermediate-level directories of the file system cache had +the system's standard umask rather than ``0o077`` (no group or others +permissions). + Bugfixes ======== |