Bug 573654 (CVE-2016-2048) - <dev-python/django-1.9.2: User with "change" but not "add" permission can create objects for ModelAdmin's with save_as=True

Status: RESOLVED FIXED
Alias: CVE-2016-2048
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: ~3 [noglsa]
Reported: 2016-02-02 11:07 UTC by Agostino Sarubbo
Modified: 2016-03-29 10:02 UTC
CC: 1 user
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2016-02-02 11:07:57 UTC
From ${URL} :

CVE-2016-2048: User with "change" but not "add" permission can create objects for ModelAdmin’s with save_as=True

If a ModelAdmin uses save_as=True (not the default), the admin provides an option when editing objects to "Save as new". A regression in Django 1.9 prevented that form submission from raising a "Permission Denied" error for users without the "add" permission.

Thanks Myk Willis for reporting the issue.


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
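The permission confusion described in the advisory, as an added example that is not part of the bug report and is not Django's own code: a framework-independent model of the admin change view, with the regressed check beside the corrected one. The `User`, `Request` and `ModelAdmin` classes here are constructed stand-ins that only imitate the shape of Django's admin API; the POST key `_saveasnew` is what Django's "Save as new" button submits, while the view function names are assumptions chosen for this illustration.

```python
"""
Model of the access-control decision behind CVE-2016-2048.

Constructed stand-ins (not Django): User, Request, ModelAdmin, PermissionDenied.
The point being demonstrated is that "Save as new" creates a new object and so
must be treated as an *add*, not a *change*, when checking permissions.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass
class User:
    # Permission strings in Django's "app_label.codename" form, e.g. "shop.add_product".
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class Request:
    user: User
    method: str = "POST"
    POST: dict = field(default_factory=dict)


@dataclass
class ModelAdmin:
    app_label: str
    model_name: str
    save_as: bool = False  # Django's default; the advisory concerns save_as=True

    def has_add_permission(self, request) -> bool:
        return request.user.has_perm(f"{self.app_label}.add_{self.model_name}")

    def has_change_permission(self, request, obj=None) -> bool:
        return request.user.has_perm(f"{self.app_label}.change_{self.model_name}")


def changeform_view_vulnerable(admin, request, object_id):
    """Models the regressed behaviour: editing an existing object only checks
    "change", so a "Save as new" submission from a user without "add" is not
    rejected and results in a newly created object."""
    if not admin.has_change_permission(request):
        raise PermissionDenied
    if admin.save_as and "_saveasnew" in request.POST:
        return "created"
    return "changed"


def changeform_view_fixed(admin, request, object_id):
    """Models the corrected behaviour: a "Save as new" submission is an add
    operation, so the "add" permission is required regardless of "change"."""
    if admin.save_as and "_saveasnew" in request.POST:
        if not admin.has_add_permission(request):
            raise PermissionDenied
        return "created"
    if not admin.has_change_permission(request):
        raise PermissionDenied
    return "changed"


def outcome(view, admin, request, object_id=1) -> str:
    """Run a view and report "created", "changed" or "denied" instead of raising."""
    try:
        return view(admin, request, object_id)
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    # Constructed scenario: a user holding only the "change" permission submits
    # the "Save as new" form on a ModelAdmin that has save_as=True.
    admin = ModelAdmin("shop", "product", save_as=True)
    change_only = Request(User({"shop.change_product"}), POST={"_saveasnew": "Save as new"})
    print("regressed:", outcome(changeform_view_vulnerable, admin, change_only))
    print("fixed:    ", outcome(changeform_view_fixed, admin, change_only))
```

Running the script shows the regressed path reporting `created` and the corrected path reporting `denied` for the same request; a user who holds both permissions is still allowed to create, and an ordinary save that does not carry `_saveasnew` continues to need only "change".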
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2016-02-02 15:06:43 UTC
commit 4c3de656ba4120e42605f338f1a6c604b9a6b061
Author: Justin Lecher <jlec@gentoo.org>
Date:   Tue Feb 2 16:05:40 2016 +0100

    dev-python/django: Version Bump & clean versions vulnerable for CVE-2016-2048

    Package-Manager: portage-2.2.27
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c3de656ba4120e42605f338f1a6c604b9a6b061
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2016-02-02 15:06:56 UTC
@sec, tree is clean again.