[Buildroot] [PATCH] package/python-django: security bump to version 3.0.10

Peter Korsgaard peter at korsgaard.com
Sat Sep 5 07:41:53 UTC 2020


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
 > On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to
 > intermediate-level directories created in the process of uploading files and
 > to intermediate-level collected static directories when using the
 > collectstatic management command.

 > You should review and manually fix permissions on existing
 > intermediate-level directories.

 > CVE-2020-24584: Permission escalation in intermediate-level directories of
 > the file system cache on Python 3.7+
 > On Python 3.7+, the intermediate-level directories of the file system cache
 > had the system’s standard umask rather than 0o077 (no group or others
 > permissions).

 > https://docs.djangoproject.com/en/dev/releases/3.0.10/

 > In addition, 3.0.8..10 contains a number of bugfixes.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2020.02.x and 2020.05.x, thanks.

-- 
Bye, Peter Korsgaard
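
The manual review of existing intermediate-level directories recommended in the quoted release notes can be scripted. This is an added example, not part of the original message and not Django or Buildroot code; `audit_dirs`, `build_demo_tree` and the sample tree are constructed for illustration, and `allowed_mode` is assumed to be your `FILE_UPLOAD_DIRECTORY_PERMISSIONS` value (or 0o700 for the file system cache).

```python
import os
import stat
import tempfile


def audit_dirs(root, allowed_mode, fix=False):
    """Find directories under root (root included) with permission bits
    outside allowed_mode. Returns [(path, mode, excess_bits)].
    With fix=True the excess bits are cleared; no bits are ever added."""
    findings = []
    # followlinks=False: symlinked directories are never descended into.
    for dirpath, _dirs, _files in os.walk(root, followlinks=False):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        excess = mode & ~allowed_mode
        if excess:
            findings.append((dirpath, mode, excess))
            if fix:
                os.chmod(dirpath, mode & allowed_mode)
    return findings


def build_demo_tree():
    """Constructed sample: intermediate dirs a/ and a/b/ left at 0o755
    (what a 022 umask yields), leaf a/b/c/ at the intended 0o700."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    leaf = os.path.join(root, "a", "b", "c")
    os.makedirs(leaf)
    os.chmod(os.path.join(root, "a"), 0o755)
    os.chmod(os.path.join(root, "a", "b"), 0o755)
    os.chmod(leaf, 0o700)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for path, mode, excess in audit_dirs(root, 0o700):
        print(f"{path}: mode {mode:04o}, excess bits {excess:04o}")
    audit_dirs(root, 0o700, fix=True)
    print("remaining findings:", audit_dirs(root, 0o700))
```

Run it first with `fix=False` against the real upload, static and cache roots and review the list before clearing any bits.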

