py3-django: Multiple vulnerabilities (CVE-2020-24583, CVE-2020-24584)
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not
applied to intermediate-level directories created in the process of uploading
files and to intermediate-level collected static directories when using the
collectstatic management command.
Fixed In Version:
Django 3.0.10
References:
- https://docs.djangoproject.com/en/dev/releases/3.0.10/
- https://www.openwall.com/lists/oss-security/2020/09/01/2
Patch:
https://github.com/django/django/commit/08892bffd275c79ee1f8f67639eb170aaaf1181e
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
On Python 3.7+, the intermediate-level directories of the file system cache had
the system's standard umask rather than 0o077 (no group or others
permissions).
Fixed In Version:
Django 3.0.10
References:
- https://docs.djangoproject.com/en/dev/releases/3.0.10/
- https://www.openwall.com/lists/oss-security/2020/09/01/2
Patch:
https://github.com/django/django/commit/cdb367c92a0ba72ddc0cbd13ff42b0e6df709554