On Python 3.7+, the intermediate-level directories of the file system cache had the system's standard umask rather than ``0o077`` (no group or others permissions). Reference: https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
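The behaviour described above can be reproduced and audited with the following added example, which is not code from Django or from this bug report. It assumes a POSIX system and Python 3.7 or newer; the helper names and the `var/cache/app` layout are constructed for illustration, and restricting the umask around the call is shown as one way to get owner-only intermediate directories.

```python
import os
import stat
import tempfile


def make_cache_dir(path, restrict_umask):
    """Create `path` with mode 0o700, the way a file cache backend would.

    With restrict_umask=False a typical 0o022 umask is in effect, so on
    Python 3.7+ the intermediate directories ignore the 0o700 argument.
    """
    old_umask = os.umask(0o077 if restrict_umask else 0o022)
    try:
        os.makedirs(path, 0o700, exist_ok=True)
    finally:
        os.umask(old_umask)  # always restore the process-wide umask


def exposed_dirs(root):
    """Return {relative path: permission bits} for every directory below
    `root` that grants any group or other permission."""
    found = {}
    for dirpath, _dirnames, _filenames in os.walk(root):
        if dirpath == root:
            continue
        bits = stat.S_IMODE(os.lstat(dirpath).st_mode) & 0o777
        if bits & 0o077:
            found[os.path.relpath(dirpath, root)] = bits
    return found


def demo():
    """Build one tree per strategy and return the audit result for each."""
    with tempfile.TemporaryDirectory() as base:
        weak = os.path.join(base, "weak")
        strict = os.path.join(base, "strict")
        os.mkdir(weak)
        os.mkdir(strict)
        make_cache_dir(os.path.join(weak, "var", "cache", "app"), False)
        make_cache_dir(os.path.join(strict, "var", "cache", "app"), True)
        return exposed_dirs(weak), exposed_dirs(strict)


if __name__ == "__main__":
    weak_result, strict_result = demo()
    print("default umask:", {p: oct(m) for p, m in weak_result.items()})
    print("umask 0o077:  ", {p: oct(m) for p, m in strict_result.items()})
```

`os.umask()` is process-wide, so in a multi-threaded process other threads that create files while the restricted mask is set are affected as well.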
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 1874495]

Created python-django tracking bugs for this issue:
Affects: epel-all [bug 1874493]
Affects: fedora-all [bug 1874494]
Affects: openstack-rdo [bug 1874496]
Upstream fix: https://github.com/django/django/commit/1853724acaf17ed7414d54c7d2b5563a25025a71
External References: https://www.djangoproject.com/weblog/2020/sep/01/security-releases
Statement: This flaw can only be triggered in Django by using Python version 3.7 and newer. While the flawed package is shipped with the below Red Hat products, the flaw cannot be activated without manually updating Python to a newer release. This change would break many features and is an unsupported configuration.
* Red Hat OpenStack Platform versions 15 and 16 ship Python 3.6.8; 10 and 13 ship Python 2.X.
* Red Hat Ceph Storage 2 and 3 use Python 2.X.
* Red Hat Gluster Storage 3 uses Python 2.X.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-24584