Hi Chris,

On Mon, Dec 02, 2019 at 09:30:49PM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
>
> > Package: python-django
> > Version: 1.7.11-1+deb8u7
> […]
> > CVE-2019-19118[0]:
> > | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> > | editing. A Django model admin displaying inline related models, where
> > | the user has view-only permissions to a parent model but edit
> > | permissions to the inline model, would be presented with an editing
> > | UI, allowing POST requests, for updating the inline model. Directly
> > | editing the view-only parent model was not possible, but the parent
> > | model's save() method was called, triggering potential side effects,
> > | and causing pre and post-save signal handlers to be invoked. (To
> > | resolve this, the Django admin is adjusted to require edit permissions
> > | on the parent model in order for inline models to be editable.)
>
> Security team, would you like an upload for stable?
As far as I can see, this issue was introduced around 2.1, where the support for view permissions and read-only admin support was added. Before that the issue does not seem to be present and as such does not affect buster, stretch or older. I have updated this bug with some metadata in that regard. Can you confirm this assessment?

Regards,
Salvatore