FS#67794 - [python-django] CVE-2020-24583 CVE-2020-24584

Attached to Project: Arch Linux
Opened by loqs (loqs) - Tuesday, 01 September 2020, 17:09 GMT
Last edited by Eli Schwartz (eschwartz) - Tuesday, 01 September 2020, 19:19 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Jelle van der Waa (jelly)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+

On Python 3.7 and above, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command.

You should review and manually fix permissions on existing intermediate-level directories.


CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+

On Python 3.7 and above, the intermediate-level directories of the file system cache had the system's standard umask rather than 0o077 (no group or others permissions).


Additional info:
* python-django 3.1-1
* https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
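As an added example (not Django's code or the reporter's), a small audit script for the manual review the advisory asks for: it lists directories under a MEDIA_ROOT, STATIC_ROOT or file-system cache directory whose mode differs from the expected one, repairs them on request, and creates a directory tree with the mode applied at every level rather than only at the leaf. It assumes a POSIX file system; the paths in `demo()` are constructed.

```python
"""Audit/repair directory modes for Django upload, static and cache trees.

Background for the check: from Python 3.7, os.makedirs() applies its
``mode`` argument only to the leaf directory, so intermediate levels get
the process umask unless they are chmod'ed explicitly.
"""
import os
import stat
import tempfile
from pathlib import Path

# Django's file-system cache directories are meant to be 0o700 (umask 0o077).
CACHE_DIR_MODE = 0o700


def audit_dir_modes(root, expected_mode):
    """Return sorted [(path, actual_mode)] for every directory under *root*
    (root included) whose permission bits differ from *expected_mode*."""
    bad = []
    for dirpath, _dirnames, _files in os.walk(root):   # symlinks not followed
        actual = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if actual != expected_mode:
            bad.append((dirpath, actual))
    return sorted(bad)


def fix_dir_modes(root, expected_mode):
    """chmod every offending directory found by audit_dir_modes(); return count."""
    offending = audit_dir_modes(root, expected_mode)
    for path, _actual in offending:
        os.chmod(path, expected_mode)
    return len(offending)


def makedirs_with_mode(path, mode):
    """Create *path* and any missing parents, chmod'ing each new level."""
    path = Path(path)
    missing = [p for p in (path, *path.parents) if not p.exists()]
    for p in reversed(missing):          # create top-most level first
        p.mkdir()
        os.chmod(p, mode)                # explicit chmod is not masked by umask
    return path


def demo():
    """Constructed scenario: a correct tree, one loosened intermediate dir, repair."""
    root = os.path.join(tempfile.mkdtemp(), "media")       # stands in for MEDIA_ROOT
    makedirs_with_mode(os.path.join(root, "uploads", "2020", "09"), CACHE_DIR_MODE)
    clean = audit_dir_modes(root, CACHE_DIR_MODE)
    mid = os.path.join(root, "uploads", "2020")
    os.chmod(mid, 0o755)                                    # simulate umask-created level
    found = audit_dir_modes(root, CACHE_DIR_MODE)
    fixed = fix_dir_modes(root, CACHE_DIR_MODE)
    return clean, found, fixed, audit_dir_modes(root, CACHE_DIR_MODE)


if __name__ == "__main__":
    print(demo())
```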

Closed by Eli Schwartz (eschwartz)
Tuesday, 01 September 2020, 19:19 GMT
Reason for closing: Fixed
Additional comments about closing: django 3.1.1-1
