Fixed CVE-2020-24584 -- Fixed permission escalation in intermediate-level directories of the file system cache on Python 3.7+.

2025-10-31 09:41:08 +00:00 · 2020-08-21 12:43:45 +02:00
parent 8d7271578d
commit 1853724aca
5 changed files with 55 additions and 5 deletions
--- a/docs/releases/3.0.10.txt
+++ b/docs/releases/3.0.10.txt
@@ -4,7 +4,7 @@ Django 3.0.10 release notes

 *Expected September 1, 2020*

-Django 3.0.10 fixes a security issue and two data loss bugs in 3.0.9.
+Django 3.0.10 fixes two security issues and two data loss bugs in 3.0.9.

 CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
 ======================================================================================
@@ -17,6 +17,13 @@ files and to intermediate-level collected static directories when using the
 You should review and manually fix permissions on existing intermediate-level
 directories.

+CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
+===============================================================================================================
+
+On Python 3.7+, the intermediate-level directories of the file system cache had
+the system's standard umask rather than ``0o077`` (no group or others
+permissions).
+
 Bugfixes
 ========