| Summary: | <dev-python/django-1.9.2: User with "change" but not "add" permission can create objects for ModelAdmin’s with save_as=True | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/ | ||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
commit 4c3de656ba4120e42605f338f1a6c604b9a6b061 Author: Justin Lecher <jlec@gentoo.org> Date: Tue Feb 2 16:05:40 2016 +0100 dev-python/django: Version Bump & clean versions vulnerable for CVE-2016-2048 Package-Manager: portage-2.2.27 Signed-off-by: Justin Lecher <jlec@gentoo.org> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c3de656ba4120e42605f338f1a6c604b9a6b061 @sec, tree is clean again. |
From ${URL} : CVE-2016-2048: User with "change" but not "add" permission can create objects for ModelAdmin’s with save_as=True If a ModelAdmin uses save_as=True (not the default), the admin provides an option when editing objects to "Save as new". A regression in Django 1.9 prevented that form submission from raising a "Permission Denied" error for users without the "add" permission. Thanks Myk Willis for reporting the issue. @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.