Diffstat (limited to 'docs/releases/5.2.12.txt')
| -rw-r--r-- | docs/releases/5.2.12.txt | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/docs/releases/5.2.12.txt b/docs/releases/5.2.12.txt index be2c7bc807..177bfd1ced 100644 --- a/docs/releases/5.2.12.txt +++ b/docs/releases/5.2.12.txt @@ -30,6 +30,21 @@ the previous behavior of ``URLField.to_python()``. This issue has severity "moderate" according to the :ref:`Django security policy <security-disclosure>`. +CVE-2026-25674: Potential incorrect permissions on newly created file system objects +==================================================================================== + +Django's file-system storage and file-based cache backends used the process +``umask`` to control permissions when creating directories. In multi-threaded +environments, one thread's temporary umask change can affect other threads' +file and directory creation, resulting in file system objects being created +with unintended permissions. + +Django now applies the requested permissions via :func:`~os.chmod` after +:func:`~os.mkdir`, removing the dependency on the process-wide umask. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. + Bugfixes ======== |
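Review bot: The scope of the added CVE-2026-25674 section is inconsistent. The title says "file system objects" and the first paragraph ends with "file and directory creation", but the stated cause ("when creating directories") and the stated fix (``os.chmod`` after ``os.mkdir``) cover directories only. Either say explicitly whether file creation was affected and changed, or narrow the title and the first paragraph to directories. The section also gives no guidance for existing deployments: since the fix only changes how new directories are created, a sentence telling operators to check the permissions of storage and cache directories created before upgrading would make the note actionable.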
