From 3f5e5f5165beb1cbc368b7693e6e02cf204862e6 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Tue, 7 May 2024 22:14:43 +0100 Subject: [PATCH] Fix CVE in docs --- Doc/whatsnew/3.8.rst | 4 ++-- .../Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Doc/whatsnew/3.8.rst b/Doc/whatsnew/3.8.rst index e0eb5b4dc3f777..c1e57456345525 100644 --- a/Doc/whatsnew/3.8.rst +++ b/Doc/whatsnew/3.8.rst @@ -1049,7 +1049,7 @@ treat junctions as links. As of 3.8.20, :func:`os.mkdir` and :func:`os.makedirs` on Windows now support passing a *mode* value of ``0o700`` to apply access control to the new directory. This implicitly affects :func:`tempfile.mkdtemp` and is a -mitigation for :cve:`2024-4030`. Other values for *mode* continue to be +mitigation for CVE-2024-4030. Other values for *mode* continue to be ignored. (Contributed by Steve Dower in :gh:`118486`.) @@ -1264,7 +1264,7 @@ tempfile As of 3.8.20 on Windows, the default mode ``0o700`` used by :func:`tempfile.mkdtemp` now limits access to the new directory due to -changes to :func:`os.mkdir`. This is a mitigation for :cve:`2024-4030`. +changes to :func:`os.mkdir`. This is a mitigation for CVE-2024-4030. (Contributed by Steve Dower in :gh:`118486`.) diff --git a/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst b/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst index 8ac48aac816a60..a28a4e5cdb6991 100644 --- a/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst +++ b/Misc/NEWS.d/next/Security/2024-05-01-20-57-09.gh-issue-118486.K44KJG.rst @@ -1,4 +1,4 @@ :func:`os.mkdir` on Windows now accepts *mode* of ``0o700`` to restrict -the new directory to the current user. This fixes :cve:`2024-4030` +the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default.
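Review bot: In the first hunk of Doc/whatsnew/3.8.rst (@@ -1049), replacing :cve:`2024-4030` with the bare text "CVE-2024-4030" leaves the identifier with no link target, and the subject line "Fix CVE in docs" does not say why the role had to go. If the role is simply not available on this branch, say so in the commit message, and consider an explicit reST external link so the reference stays clickable. The same paragraph's context line "Other values for *mode* continue to be ignored" is the security-relevant caveat here and could be stated more prominently, since only ``0o700`` applies access control.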
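Review bot: In the second hunk of Doc/whatsnew/3.8.rst (@@ -1264, the tempfile section), the sentence "now limits access to the new directory" does not say who retains access, while the NEWS entry in this same patch says the directory is restricted "to the current user". Suggest using the same wording in both places so the tempfile note states the resulting access explicitly. The plain-text "CVE-2024-4030" here should be handled the same way as in the first hunk so that the two mentions in this file stay consistent.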
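Review bot: In the Misc/NEWS.d/next/Security hunk, the changed line reads "This fixes CVE-2024-4030", while both touched sentences in Doc/whatsnew/3.8.rst describe the same change as "a mitigation for" it. Pick one term and use it in all three places; given that the whatsnew text says other *mode* values are still ignored, "mitigation" looks like the more accurate of the two. The entry could also repeat that only ``0o700`` is honoured, since as written "now accepts *mode* of ``0o700``" leaves it unclear what happens with other values.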