FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

django -- regression in permissions model

Affected packages
py27-django19 < 1.9.2
py33-django19 < 1.9.2
py34-django19 < 1.9.2
py35-django19 < 1.9.2
py27-django-devel <= 20150709,1
py33-django-devel <= 20150709,1
py34-django-devel <= 20150709,1
py35-django-devel <= 20150709,1

Details

VuXML ID 6b1d8a39-ddb3-11e5-8fa8-14dae9d210b8
Discovery 2016-02-01
Entry 2016-02-28

Tim Graham reports:

User with "change" but not "add" permission can create objects for ModelAdmin’s with save_as=True

References

CVE Name CVE-2016-2048
URL https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/