[Python-modules-team] Bug#946011: python-django: CVE-2019-19118

[Salvatore Bonaccorso]

Hi Chris,

On Mon, Dec 02, 2019 at 09:30:49PM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
> 
> > Package: python-django
> > Version: 1.7.11-1+deb8u7
> […]
> > CVE-2019-19118[0]:
> > | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> > | editing. A Django model admin displaying inline related models, where
> > | the user has view-only permissions to a parent model but edit
> > | permissions to the inline model, would be presented with an editing
> > | UI, allowing POST requests, for updating the inline model. Directly
> > | editing the view-only parent model was not possible, but the parent
> > | model's save() method was called, triggering potential side effects,
> > | and causing pre and post-save signal handlers to be invoked. (To
> > | resolve this, the Django admin is adjusted to require edit permissions
> > | on the parent model in order for inline models to be editable.)
> 
> Security team, would you like an upload for stable?

As far I can see this issue has been introduced around 2.1 where the
surch support for view permissions and a read-only admin support was
added. Before that the issue does not seem to be present and as such
not affecting buster, nor stretch or older.

I have updated this bug with some metadata with that regard. Can you
confirm this assessment?

Regards,
Salvatore