Bug 739952 (CVE-2020-24583, CVE-2020-24584) - <dev-python/django-{2.2.16, 3.0.10}: Multiple vulnerabilities (CVE-2020-{24583,24584})
Summary: <dev-python/django-{2.2.16, 3.0.10}: Multiple vulnerabilities (CVE-2020-{2458...
Status: RESOLVED FIXED
Alias: CVE-2020-24583, CVE-2020-24584
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 740208
Blocks:
Reported: 2020-09-02 03:20 UTC by Sam James
Modified: 2021-01-25 23:54 UTC

See Also:
Package list:
dev-python/django-2.2.16-r1 dev-python/django-3.0.10-r1
Runtime testing required: ---
nattka: sanity-check-


Description Sam James archtester gentoo-dev Security 2020-09-02 03:20:13 UTC
* CVE-2020-24583

Description:
"An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command."

* CVE-2020-24584

Description:
"An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077."
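The behaviour both CVE descriptions rest on, as an added example that is not part of the bug report and is not Django's code: on Python 3.7+ `os.makedirs()` applies its mode to the leaf directory only, so intermediate levels fall back to the process umask. The helper names, the 0o022 umask and the 0o700 target mode are assumptions for illustration; POSIX permissions are assumed.

```python
import os
import tempfile

def makedirs_leaf_only(path, mode):
    # Pattern the CVE text describes: on Python 3.7+, os.makedirs() applies
    # `mode` to the leaf only; intermediate levels get 0o777 & ~umask.
    os.makedirs(path, mode, exist_ok=True)

def makedirs_all_levels(path, mode, root):
    # Create each missing level below `root` one at a time and chmod it, so
    # every new directory ends up with exactly `mode` regardless of umask.
    current = root
    for part in os.path.relpath(path, root).split(os.sep):
        current = os.path.join(current, part)
        try:
            os.mkdir(current, mode)
        except FileExistsError:
            continue  # leave pre-existing directories untouched
        os.chmod(current, mode)

def dirs_exceeding(root, allowed):
    # Audit helper: relative paths of directories under `root` whose
    # rwx bits include anything outside `allowed`.
    bad = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_mode & 0o777 & ~allowed:
                bad.append(os.path.relpath(full, root))
    return sorted(bad)

def demo():
    # Constructed scenario: umask 0o022, intended directory mode 0o700.
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as root:
            makedirs_leaf_only(os.path.join(root, "a", "b", "c"), 0o700)
            makedirs_all_levels(os.path.join(root, "x", "y", "z"), 0o700, root)
            return dirs_exceeding(root, 0o700)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print(demo())
```

`dirs_exceeding()` can be pointed at an existing upload, static or cache directory to list levels created with broader permissions than intended.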
Comment 1 Sam James archtester gentoo-dev Security 2020-09-02 03:20:45 UTC
Please bump to 2.2.16, 3.0.10, 3.1.1.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-09-02 06:09:31 UTC
Already started doing that, Sir, before I read the mail!
Comment 3 Sam James archtester gentoo-dev Security 2020-09-02 17:25:42 UTC
(In reply to Michał Górny from comment #2)
> Already started doing that, Sir, before I read the mail!

Whatever you say ;). Thank you!
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-09-03 18:44:32 UTC
x86 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2020-09-03 18:44:57 UTC
amd64 stable
Comment 6 NATTkA bot gentoo-dev 2020-09-03 18:48:49 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 7 Larry the Git Cow gentoo-dev 2020-09-03 19:58:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=468ced3f2059b2c230993b58dc1b221e0b74355d

commit 468ced3f2059b2c230993b58dc1b221e0b74355d
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-09-03 19:57:37 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-09-03 19:57:37 +0000

    dev-python/django: Remove old
    
    Bug: https://bugs.gentoo.org/739952
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest             |  5 ---
 dev-python/django/django-2.2.13.ebuild | 78 ---------------------------------
 dev-python/django/django-2.2.15.ebuild | 78 ---------------------------------
 dev-python/django/django-3.0.8.ebuild  | 79 ----------------------------------
 dev-python/django/django-3.0.9.ebuild  | 79 ----------------------------------
 dev-python/django/django-3.1.ebuild    | 79 ----------------------------------
 6 files changed, 398 deletions(-)
Comment 8 NATTkA bot gentoo-dev 2020-10-22 07:40:53 UTC
Unable to check for sanity:

> no match for package: dev-python/django-3.0.10
Comment 9 NATTkA bot gentoo-dev 2020-10-22 07:52:57 UTC
Unable to check for sanity:

> no match for package: dev-python/django-2.2.16-r1