In accordance with our security release policy, the Django team is issuing Django 1.9.2. This release addresses a security issue detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master branch is also updated.
Today we've also issued a bugfix release for the 1.8 release series. Details can be found in the release notes for 1.8.9.
CVE-2016-2048: User with "change" but not "add" permission can create objects for ModelAdmins with save_as=True
If a ModelAdmin uses save_as=True (not the default), the admin provides an option when editing objects to "Save as new". A regression in Django 1.9 meant that this form submission no longer raised PermissionDenied for users lacking the "add" permission, so a user holding only the "change" permission could create new objects through the change form.
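The following is an added illustration of the gate described above, not Django's own code: PermissionDenied, FakeUser, FakeRequest, regressed_gate and fixed_gate are constructed stand-ins that model how the admin's change view decides between an add and a change check, with the regressed decision (URL only) next to the corrected one ("Save as new" counts as an add).

```python
class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (constructed)."""


class FakeUser:
    """Constructed stand-in for a user; perms is a set such as {"change"}."""
    def __init__(self, perms):
        self.perms = set(perms)

    def has_perm(self, codename):
        return codename in self.perms


class FakeRequest:
    """Constructed stand-in for an HttpRequest carrying the admin form POST."""
    def __init__(self, method, post, user):
        self.method, self.POST, self.user = method, post, user


def _is_save_as_new(request, save_as):
    # "Save as new" is only offered when the ModelAdmin sets save_as=True.
    return save_as and request.method == "POST" and "_saveasnew" in request.POST


def regressed_gate(request, object_id, save_as=True):
    """Regressed behaviour: add-vs-change is decided from the URL alone, so a
    "Save as new" POST to a change URL is checked only for 'change'."""
    add = object_id is None
    if not request.user.has_perm("add" if add else "change"):
        raise PermissionDenied("add" if add else "change")
    return "created" if add or _is_save_as_new(request, save_as) else "updated"


def fixed_gate(request, object_id, save_as=True):
    """Corrected behaviour: a "Save as new" submission is treated as an add,
    so the 'add' permission is required before any new object is created."""
    if _is_save_as_new(request, save_as):
        object_id = None
    add = object_id is None
    if not request.user.has_perm("add" if add else "change"):
        raise PermissionDenied("add" if add else "change")
    return "created" if add else "updated"


def outcome(gate, perms, object_id, post):
    """Run one gate for a user with the given perms and report the result."""
    request = FakeRequest("POST", post, FakeUser(perms))
    try:
        return gate(request, object_id)
    except PermissionDenied as exc:
        return "denied:" + str(exc)
```

Calling outcome(regressed_gate, {"change"}, 7, {"_saveasnew": "1"}) reproduces the advisory's scenario (an object is created), while the same call against fixed_gate is denied for the missing "add" permission.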
Thanks Myk Willis for reporting the issue.
Affected supported versions
- Django master development branch
- Django 1.9
Django 1.8 is not affected. Per our supported versions policy, Django 1.7 and older are no longer receiving security updates but are also unaffected.
Resolution
Patches have been applied to Django's master development branch and to the 1.9 release branch, which resolve the issue described above. The patches may be obtained directly from the following changesets:
- On the development master branch
- On the 1.9 release branch
The following new release has been issued:
- Django 1.9.2 (download Django 1.9.2 | 1.9.2 checksums)
The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.