Package: python-django
Version: 1.7.11-1+deb8u7
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2019-19118[0]:
| Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
| editing. A Django model admin displaying inline related models, where
| the user has view-only permissions to a parent model but edit
| permissions to the inline model, would be presented with an editing
| UI, allowing POST requests, for updating the inline model. Directly
| editing the view-only parent model was not possible, but the parent
| model's save() method was called, triggering potential side effects,
| and causing pre and post-save signal handlers to be invoked. (To
| resolve this, the Django admin is adjusted to require edit permissions
| on the parent model in order for inline models to be editable.)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19118
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19118

Regards,

-- 
      ,''`.
     : :' :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
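Added illustration, not part of the bug report and not Django's own code: a stand-alone Python model of the permission decision the CVE text describes, so the vulnerable and fixed outcomes can be compared offline without Django installed. The class names (User, ParentModel), the permission codenames (app.view_parent, app.change_parent, app.change_child) and the simulated change-view request are constructed assumptions that mirror the admin's view/change permissions; the only behaviour reproduced is the one stated above, namely that inline editability used to depend on the inline model's permission alone and now also requires edit permission on the parent, and that processing the change form calls the parent's save() and fires its pre/post-save signals.

```python
# Constructed model of the CVE-2019-19118 permission decision (not Django code).
from dataclasses import dataclass, field


@dataclass
class User:
    """A user holding Django-style permission codenames (assumed names)."""
    perms: frozenset

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class ParentModel:
    """Stand-in for the view-only parent model. It records save() calls and the
    signals a real save() would dispatch, which is the side effect the CVE
    text is concerned with."""
    name: str
    save_calls: int = 0
    signals: list = field(default_factory=list)

    def save(self) -> None:
        self.signals.append("pre_save")
        self.save_calls += 1
        self.signals.append("post_save")


def inline_is_editable(user: User, require_parent_change: bool) -> bool:
    """Decide whether the inline (child) formset is rendered editable.

    require_parent_change=False reproduces the vulnerable rule: only the inline
    model's own change permission is consulted. True reproduces the fix: the
    user must also hold change permission on the parent model.
    """
    can_edit_inline = user.has_perm("app.change_child")
    if not require_parent_change:
        return can_edit_inline
    return can_edit_inline and user.has_perm("app.change_parent")


def post_parent_changeform(user: User, parent: ParentModel,
                           inline_data: dict, require_parent_change: bool) -> int:
    """Simulate a POST to the parent's admin change view carrying inline formset
    data. Returns an HTTP-style status and mutates `parent` the way the
    vulnerable or fixed decision logic would."""
    # Without at least view permission on the parent the change view is closed.
    if not (user.has_perm("app.view_parent") or user.has_perm("app.change_parent")):
        return 403
    can_change_parent = user.has_perm("app.change_parent")
    inline_editable = bool(inline_data) and inline_is_editable(user, require_parent_change)
    if not can_change_parent and not inline_editable:
        # Read-only page: a POST is not an edit path, nothing is saved.
        return 403
    # Processing the change form (parent form plus inline formsets) goes through
    # the parent's save(), even when none of the parent's fields changed.
    parent.save()
    return 302


def compare(user: User) -> dict:
    """Run the same inline-editing POST against the vulnerable and fixed rule and
    report (status, number of parent save() calls, signals fired)."""
    constructed_inline_post = {"child-0-name": "edited"}  # constructed form data
    results = {}
    for label, fixed in (("vulnerable", False), ("fixed", True)):
        parent = ParentModel(name="p1")
        status = post_parent_changeform(user, parent, constructed_inline_post, fixed)
        results[label] = (status, parent.save_calls, tuple(parent.signals))
    return results


if __name__ == "__main__":
    # The CVE scenario: view-only on the parent, edit rights on the inline.
    viewer_with_inline_edit = User(frozenset({"app.view_parent", "app.change_child"}))
    for label, outcome in compare(viewer_with_inline_edit).items():
        print(f"{label:>10}: status={outcome[0]} parent_saves={outcome[1]} signals={outcome[2]}")
```

Running it shows the vulnerable rule answering 302 with one parent save and a pre_save/post_save pair for a user who may only view the parent, while the fixed rule answers 403 with no save; a user who genuinely holds change permission on the parent still gets 302 under both rules.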