FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Django -- multiple vulnerabilities

Affected packages
py35-django22 < 2.2.16
py36-django22 < 2.2.16
py37-django22 < 2.2.16
py38-django22 < 2.2.16
py36-django30 < 3.0.10
py37-django30 < 3.0.10
py38-django30 < 3.0.10
py36-django31 < 3.1.1
py37-django31 < 3.1.1
py38-django31 < 3.1.1

Details

VuXML ID 002432c8-ef6a-11ea-ba8f-08002728f74c
Discovery 2020-09-01
Entry 2020-09-05

Django Release notes:

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+

On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command.

CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+

On Python 3.7+, the intermediate-level directories of the file system cache had the system's standard umask rather than 0o077 (no group or others permissions).

[source]

References

CVE Name CVE-2020-24583
CVE Name CVE-2020-24584
URL https://docs.djangoproject.com/en/2.2/releases/2.2.16/
URL https://docs.djangoproject.com/en/3.0/releases/3.0.10/
URL https://docs.djangoproject.com/en/3.1/releases/3.1.1/

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.