path: root/docs/releases/4.2.29.txt
Diffstat (limited to 'docs/releases/4.2.29.txt')
-rw-r--r--  docs/releases/4.2.29.txt  15
1 files changed, 15 insertions, 0 deletions
diff --git a/docs/releases/4.2.29.txt b/docs/releases/4.2.29.txt
index b780264929..71170a5763 100644
--- a/docs/releases/4.2.29.txt
+++ b/docs/releases/4.2.29.txt
@@ -28,3 +28,18 @@ the previous behavior of ``URLField.to_python()``.
This issue has severity "moderate" according to the :ref:`Django security
policy <security-disclosure>`.
+
+CVE-2026-25674: Potential incorrect permissions on newly created file system objects
+====================================================================================
+
+Django's file-system storage and file-based cache backends used the process
+``umask`` to control permissions when creating directories. In multi-threaded
+environments, one thread's temporary umask change can affect other threads'
+file and directory creation, resulting in file system objects being created
+with unintended permissions.
+
+Django now applies the requested permissions via :func:`~os.chmod` after
+:func:`~os.mkdir`, removing the dependency on the process-wide umask.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
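Review bot: the remedy paragraph ("Django now applies the requested permissions via :func:`~os.chmod` after :func:`~os.mkdir`") only covers directory creation, while the problem statement two paragraphs up says the umask race affected "file and directory creation" and the heading speaks of "file system objects" generally. Either the description of the fix should also say what changed for file creation (if files were covered by the same change), or the first paragraph should be narrowed to directories so the two halves of the note agree. A second wording point: "removing the dependency on the process-wide umask" overstates the mkdir-then-chmod approach, because the directory briefly exists with umask-derived permissions until the chmod is applied; something like "so the final permissions no longer depend on the process-wide umask" would be accurate without promising more than the change delivers.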