[Python-modules-team] Bug#946011: python-django: CVE-2019-19118

Chris Lamb lamby at debian.org
Mon Dec 2 20:30:49 GMT 2019


Chris Lamb wrote:

> Package: python-django
> Version: 1.7.11-1+deb8u7
[…]
> CVE-2019-19118[0]:
> | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> | editing. A Django model admin displaying inline related models, where
> | the user has view-only permissions to a parent model but edit
> | permissions to the inline model, would be presented with an editing
> | UI, allowing POST requests, for updating the inline model. Directly
> | editing the view-only parent model was not possible, but the parent
> | model's save() method was called, triggering potential side effects,
> | and causing pre and post-save signal handlers to be invoked. (To
> | resolve this, the Django admin is adjusted to require edit permissions
> | on the parent model in order for inline models to be editable.)

Security team, would you like an upload for stable?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org 🍥 chris-lamb.co.uk
       `-
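To make the failure mode in the quoted advisory concrete, here is an added illustration (not Django's code and not part of this thread): a small stand-in for the admin change-form POST path and the inline permission gate, run once with the pre-fix behaviour and once with the post-fix rule the advisory describes (edit permission on the parent is required before an inline becomes editable). The `Parent`/`Child` names, the `app.*` permission codenames, the `PermissionDenied` stand-in and the posted payload are constructed for this example; the `fixed=True` branch mirrors the described remedy, not Django's actual implementation.

```python
# Added illustration for CVE-2019-19118 (not Django's code): a stand-in for
# the admin change-form POST path, showing why the inline permission gate
# must consult the parent's change permission. Model names, permission
# codenames and payloads are constructed for this example.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass
class Parent:
    """A parent model whose save() has observable side effects."""
    pk: int
    title: str
    saves: int = 0                               # how often save() ran
    signals: list = field(default_factory=list)  # pre/post-save handler calls

    def save(self):
        # In Django the pre_save/post_save handlers fire around the write;
        # the problem is that they fire for a view-only user at all.
        self.signals.append("pre_save")
        self.saves += 1
        self.signals.append("post_save")


@dataclass
class User:
    perms: frozenset

    def has_perm(self, codename):
        return codename in self.perms


def inline_permissions(user, *, fixed):
    """(add, change, delete) granted to the Child inline on Parent's form.

    Pre-fix: the inline's own permissions decide, so a viewer of Parent who
    holds change_child still gets an editable inline UI.
    Post-fix: edit permission on the parent is required first.
    """
    if fixed and not user.has_perm("app.change_parent"):
        return (False, False, False)
    return (
        user.has_perm("app.add_child"),
        user.has_perm("app.change_child"),
        user.has_perm("app.delete_child"),
    )


def post_changeform(user, parent, posted_title, posted_children, *, fixed):
    """Simulate a POST of the admin change form for `parent` with inline rows.

    Returns the list of child rows that were applied.
    """
    can_change = user.has_perm("app.change_parent")
    if not (can_change or user.has_perm("app.view_parent")):
        raise PermissionDenied("no view or change permission on parent")
    if fixed and not can_change:
        # Post-fix: a POST against a view-only object is rejected outright.
        raise PermissionDenied("POST requires change permission on parent")

    # Parent form: for a view-only user every field is read-only, so the
    # posted title is ignored ("directly editing ... was not possible").
    if can_change:
        parent.title = posted_title

    applied = []
    if inline_permissions(user, fixed=fixed)[1]:
        applied.extend(posted_children)

    # save_model() -> obj.save() runs whether or not anything changed;
    # this is the side effect the advisory text describes.
    parent.save()
    return applied


def demo():
    """Run both paths for a view-only user; returns {label: outcome}."""
    viewer = User(frozenset({
        "app.view_parent", "app.add_child", "app.change_child", "app.delete_child",
    }))
    results = {}
    for label, fixed in (("vulnerable", False), ("fixed", True)):
        parent = Parent(pk=1, title="original")
        try:
            applied = post_changeform(viewer, parent, "tampered", ["child-1"], fixed=fixed)
            results[label] = (applied, parent.title, parent.saves, list(parent.signals))
        except PermissionDenied as exc:
            results[label] = ("denied: " + str(exc), parent.title, parent.saves, list(parent.signals))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The interesting output is the `vulnerable` row: the parent's title stays `original`, yet the inline row is applied and `save()` runs once with both signal handlers invoked, which is exactly the gap the advisory describes. In the `fixed` row the POST is refused before any save, and `inline_permissions()` reports the inline as read-only for the same user, so no editing UI is offered on GET either.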


