Weblog

November archive

Piston and Tastypie security releases issued

November 1, 2011

Piston and Tastypie, two popular REST API frameworks for Django, today issued security releases for a remote code execution vulnerability. Users of these frameworks should upgrade immediately.

Users of Piston should upgrade to version 0.2.3 or 0.2.2.1; Tastypie users should upgrade to version 0.9.10.

Details

It was discovered that both Piston and Tastypie share a similar vulnerability with respect to their de-serialization of YAML post data. Both Piston and Tastypie used the yaml.load method, which is unsafe. In certain circumstances this could be used to allow remote execution of arbitrary code. The updated versions, released today, correctly use the yaml.safe_load method, which prevents remote code execution. Servers without the yaml module installed are not affected. Regardless, we recommend that all users of Piston or Tastypie upgrade immediately.

Why are we announcing this here?

It's important to point out that this issue does not affect all users of the Django framework. Piston and Tastypie are third-party modules and are not created by or distributed by the Django core team.

However, we're choosing to publicize this security release here because these modules are in common use on many Django sites. We're hoping that publicizing this fix widely will help protect all Django users.

General notes regarding security

As always, we ask that potential security issues in Django be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers mailing list.

Security issues in third-party modules should be reported to the relevant maintainer(s). When in doubt, we're happy to receive security reports about third-party modules to security@djangoproject.com; we can help direct you to the proper venue for the issue.