Django releases issued: 1.9.2 (security) and 1.8.9 (bugfix)

In accordance with our security release policy, the Django team is issuing Django 1.9.2. This release addresses a security issue detailed below. We encourage all users of Django to upgrade as soon as possible. The Django master branch is also updated.

Today we've also issued a bugfix release for the 1.8 release series. Details can be found in the release notes for 1.8.9.

CVE-2016-2048: User with "change" but not "add" permission can create objects for ModelAdmin's with save_as=True

If a ModelAdmin uses save_as=True (not the default), the admin provides an option when editing objects to "Save as new". A regression in Django 1.9 prevented that form submission from raising a "Permission Denied" error for users without the "add" permission.

Thanks Myk Willis for reporting the issue.

Affected supported versions

- Django master development branch
- Django 1.9

Django 1.8 is not affected. Per our supported versions policy, Django 1.7 and older are no longer receiving security updates but are also unaffected.
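An audit helper for the issue above, added here as an illustration (not code from the Django project): it lists ModelAdmin classes that set save_as=True when the running version is in the 1.9 series before 1.9.2. The function names are hypothetical, and a master checkout that predates the fix is not detected by the version test.

```python
# Added example: audit helper for CVE-2016-2048. Not Django project code;
# all function names here are hypothetical.
from collections import namedtuple

FIRST_AFFECTED = (1, 9, 0)  # the advisory says the regression arrived in 1.9
FIRST_FIXED = (1, 9, 2)     # fixed release named in the advisory

Finding = namedtuple("Finding", "model admin_class")


def version_is_affected(version):
    """True if a django.VERSION-style tuple is in the affected 1.9 range."""
    return FIRST_AFFECTED <= tuple(version[:3]) < FIRST_FIXED


def admins_with_save_as(registry):
    """Return the ModelAdmins that expose "Save as new" (save_as=True).

    `registry` maps model class -> ModelAdmin instance, which is the shape
    of django.contrib.admin.site._registry (a private attribute).
    """
    findings = []
    for model, model_admin in registry.items():
        # save_as defaults to False, so only explicit opt-ins are reported.
        if getattr(model_admin, "save_as", False):
            findings.append(Finding(model.__name__, type(model_admin).__name__))
    return sorted(findings)


def audit(version, registry):
    """save_as admins are only an exposure on an affected version."""
    if not version_is_affected(version):
        return []
    return admins_with_save_as(registry)


# Usage inside a configured project shell (assumes the admin app is installed):
#   import django
#   from django.contrib import admin
#   for finding in audit(django.VERSION, admin.site._registry):
#       print("%s is registered with %s (save_as=True)" % finding)
```

Any ModelAdmin it reports lets a user with only the "change" permission create objects until the project is upgraded to 1.9.2.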

Resolution

Patches have been applied to Django's master development branch and to the 1.9 release branch, which resolve the issue described above. The patches may be obtained directly from the following changesets:

- On the development master branch
- On the 1.9 release branch

The following new release has been issued:

- Django 1.9.2 (download Django 1.9.2 | 1.9.2 checksums)

The PGP key ID used for these releases is Tim Graham: 1E8ABDC773EDE252.