Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 739952 (CVE-2020-24583, CVE-2020-24584) - <dev-python/django-{2.2.16, 3.0.10}: Multiple vulnerabilities (CVE-2020-{24583,24584})
Summary: <dev-python/django-{2.2.16, 3.0.10}: Multiple vulnerabilities (CVE-2020-{2458...
Status: RESOLVED FIXED
Alias: CVE-2020-24583, CVE-2020-24584
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 740208
Blocks:
  Show dependency tree
 
Reported: 2020-09-02 03:20 UTC by Sam James
Modified: 2021-01-25 23:54 UTC (History)
2 users (show)

See Also:
Package list:
dev-python/django-2.2.16-r1 dev-python/django-3.0.10-r1
Runtime testing required: ---
nattka: sanity-check-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 03:20:13 UTC 
* CVE-2020-24583

Description:
"An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command."

* CVE-2020-24584

Description:
"An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 03:20:45 UTC 
Please bump to 2.2.16, 3.0.10, 3.1.1.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 06:09:31 UTC 
Already started doing that, Sir, before I read the mail!
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 17:25:42 UTC 
(In reply to Michał Górny from comment #2)
> Already started doing that, Sir, before I read the mail!

Whatever you say ;). Thank you!
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-03 18:44:32 UTC 
x86 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-03 18:44:57 UTC 
amd64 stable
Comment 6 NATTkA bot gentoo-dev 2020-09-03 18:48:49 UTC 
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 7 Larry the Git Cow gentoo-dev 2020-09-03 19:58:09 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=468ced3f2059b2c230993b58dc1b221e0b74355d

commit 468ced3f2059b2c230993b58dc1b221e0b74355d
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-03 19:57:37 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-03 19:57:37 +0000

    dev-python/django: Remove old
    
    Bug: https://bugs.gentoo.org/739952
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest             |  5 ---
 dev-python/django/django-2.2.13.ebuild | 78 ---------------------------------
 dev-python/django/django-2.2.15.ebuild | 78 ---------------------------------
 dev-python/django/django-3.0.8.ebuild  | 79 ----------------------------------
 dev-python/django/django-3.0.9.ebuild  | 79 ----------------------------------
 dev-python/django/django-3.1.ebuild    | 79 ----------------------------------
 6 files changed, 398 deletions(-)
Comment 8 NATTkA bot gentoo-dev 2020-10-22 07:40:53 UTC 
Unable to check for sanity:

> no match for package: dev-python/django-3.0.10
Comment 9 NATTkA bot gentoo-dev 2020-10-22 07:52:57 UTC 
Unable to check for sanity:

> no match for package: dev-python/django-2.2.16-r1