Chris Lamb wrote:

> Package: python-django
> Version: 1.7.11-1+deb8u7
>
> […]
>
> CVE-2019-19118[0]:
>
> | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> | editing. A Django model admin displaying inline related models, where
> | the user has view-only permissions to a parent model but edit
> | permissions to the inline model, would be presented with an editing
> | UI, allowing POST requests, for updating the inline model. Directly
> | editing the view-only parent model was not possible, but the parent
> | model's save() method was called, triggering potential side effects,
> | and causing pre and post-save signal handlers to be invoked. (To
> | resolve this, the Django admin is adjusted to require edit permissions
> | on the parent model in order for inline models to be editable.)

Security team, would you like an upload for stable?

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
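The permission gap the quoted advisory describes, as an added illustration written for this thread (not Django's own code, and not tied to the jessie package): a simplified Python model of the admin change view in which `require_parent_edit` switches between the pre-fix rule (only the inline model's change permission is checked) and the rule the fix enforces (the parent must be editable too). `User`, `Parent`, `Child` and the permission strings `view_parent` / `change_parent` / `change_child` are constructed stand-ins for Django's objects and per-model permissions.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    perms: set  # constructed stand-in for Django's per-model permissions


@dataclass
class Parent:
    # Stand-in for the parent model; records what save() does.
    save_calls: int = 0
    signals: list = field(default_factory=list)

    def save(self):
        # Model.save() runs pre_save handlers, persists, then post_save handlers.
        self.signals.append("pre_save")
        self.save_calls += 1
        self.signals.append("post_save")


@dataclass
class Child:
    value: str = "old"  # the inline (related) model


def inline_editable(user, require_parent_edit):
    """Decide whether the inline formset is rendered and accepted as editable.

    Vulnerable rule (require_parent_edit=False): only the inline model's own
    change permission counts. Fixed rule (True): the parent must be editable too.
    """
    if "change_child" not in user.perms:
        return False
    return "change_parent" in user.perms or not require_parent_edit


def changeform_post(user, parent, child, posted_value, require_parent_edit):
    """Model of the admin change view handling a POST that carries inline data."""
    if not {"view_parent", "change_parent"} & user.perms:
        return "denied"
    if not inline_editable(user, require_parent_edit):
        # No editable formset exists, so posted inline data is discarded.
        return "ignored"
    # The parent form is read-only for a view-only user, but the change view
    # still saves the parent before its formsets: the side effect and signal
    # traffic the advisory describes.
    parent.save()
    child.value = posted_value
    return "saved"
```

Running the view-only user through both rules shows the parent's save() and signal handlers firing only under the pre-fix rule.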