From ${URL} : CVE-2016-2048: User with "change" but not "add" permission can create objects for ModelAdmin’s with save_as=True If a ModelAdmin uses save_as=True (not the default), the admin provides an option when editing objects to "Save as new". A regression in Django 1.9 prevented that form submission from raising a "Permission Denied" error for users without the "add" permission. Thanks Myk Willis for reporting the issue. @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
commit 4c3de656ba4120e42605f338f1a6c604b9a6b061 Author: Justin Lecher <jlec@gentoo.org> Date: Tue Feb 2 16:05:40 2016 +0100 dev-python/django: Version Bump & clean versions vulnerable for CVE-2016-2048 Package-Manager: portage-2.2.27 Signed-off-by: Justin Lecher <jlec@gentoo.org> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c3de656ba4120e42605f338f1a6c604b9a6b061
@sec, tree is clean again.