On Python 3.7+, ``FILE_UPLOAD_DIRECTORY_PERMISSIONS`` mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the ``collectstatic`` management command. Reference: https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
Created django:1.6/python-django tracking bugs for this issue: Affects: fedora-all [bug 1874488] Created python-django tracking bugs for this issue: Affects: epel-all [bug 1874486] Affects: fedora-all [bug 1874487] Affects: openstack-rdo [bug 1874489]
Upstream fix: https://github.com/django/django/commit/8d7271578d7b153435b40fe40236ebec43cbf1b9
This only affects Django running on Python 3.7+ due to some changes in how os.makedirs behaves. From the Python documentation, "Changed in version 3.7: The mode argument [of os.makedirs] no longer affects the file permission bits of newly-created intermediate-level directories.". For this reason, users of os.makedirs, like Django, should set the umask accordingly if they want the intermediate-level directories to have the proper permissions.
External References: https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
Statement: This flaw can only be triggered in Django by using Python version 3.7 and newer. While the flawed package is shipped with the below Red Hat products, the flaw cannot be activated without manually updating Python to a newer release. This change would break many features and is an unsupported configuration. * Red Hat OpenStack Platform versions 15 and 16 ship Python 3.6.8; 10 and 13 ship Python 2.X. * Red Hat Ceph Storage 2 and 3 uses Python 2.X * Red Hat Gluster Storage 3 uses Python 2.X
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-24583